For years, security vendors have been in an arms race with hackers. As the rate of discovery of new vulnerabilities continued to grow, attackers have enjoyed an ever-expanding menu of security flaws to exploit. But last year, something happened: The number of new vulnerability reports actually declined.
According to HP’s new Top Cyber Security Risks Report for 2011, there was a 19.5 percent decrease in the number of new publicly reported vulnerabilities over the course of last year.
But don’t start celebrating just yet, because attack volume still continues to increase. Attack data from HP TippingPoint shows approximately 475 million attacks in 2010 vs. 531 million in 2011 — an 11 percent increase.
So while the number of publicly reported vulnerabilities is down, the overall security risks have not actually declined. That’s according to Jennifer Lake, security product marketing manager at HP DVLabs, who told eSecurity Planet that a deeper analysis of the new vulnerabilities that were disclosed in 2011 shows that the proportion of high-severity vulnerabilities has actually increased. In 2011, high-severity vulnerabilities (those with a CVSS score of between 8 and 10) jumped by 24 percent. CVSS (Common Vulnerability Scoring System) vulnerabilities with an 8 to 10 score are items that are exploitable remotely and represent high immediate risk.
HP also found that many attackers are also still going after old (unpatched) vulnerabilities. Many attackers are now using exploit toolkits such as Blackhole which are packaged to include known vulnerabilities. That’s another reason why there isn’t as much of a need for attackers to find new vulnerabilities, because the old ones are still effective against so many systems.
“The old vulnerabilities should be well detected, but they are still successful,” said Jason Jones, advanced security intelligence engineer at HP DVLabs. “One of the things that makes them very successful is the obfuscation techniques.”
Additionally, Jones cited unpatched systems and a lack of user awareness as two key factors affecting the high frequency of attacks against known vulnerabilities. Attack data also showed that the frequency of SQL injection attacks increased during the year, even though that’s a well-known attack vector.
Jones noted that HP’s report did not include granularity on what specific databases were the most attacked. He added that HP TippingPoint’s database protections are database agnostic.
Looking to the future, Jones says he expects that the exploit toolkits will be a trend that will continue in 2012. He also expects the toolkits to add more recent vulnerabilities as users slowly patch their system and older vulnerabilities become less exploitable.
Java exploits have been generally very reliable for attackers due to a low patch rate, Jones said. For example, one recent exploit took advantage of a Java vulnerability for which a patch was available at the end of 2011 — yet Blackhole included the exploit in its toolkit even after the patch was made available. Jones noted that the Java vulnerabilities tend to have approximately an 80 percent success rate for infection. In contrast, with other technologies, the older vulnerability success rate is only approximately 13 percent.
Java is at the root of the recent Apple Mac OS X Flashback malware and has also been identified by multiple vendors as being the most vulnerable browser plug-in.