IBM study says many security vulnerabilities remain unpatched
X-Force Research, IBM's security services research and development team, has published its report for 2008 and it contains some striking figures: of the vulnerabilities disclosed during that year, 53 per cent still had no vendor patch at year end. The corresponding figure in the 2007 report was 44 per cent. According to X-Force, some vendors never get round to fixing vulnerabilities disclosed in the previous year at all. The picture was better among the market leaders: the ten largest vendors left only 19 per cent of their disclosed vulnerabilities without a patch.
Among operating systems, X-Force says Apple's Mac OS X accounted for the largest share of the vulnerabilities made public, topping the list at 14.3 per cent of operating-system disclosures, followed by the Linux kernel with 10.9 per cent and Solaris with 7.3 per cent. The Windows versions from XP to Server 2008 each accounted for between 4.1 and 5.5 per cent. These are counts of disclosed issues, not a measure of severity or of how many were exploited in practice.
Microsoft still heads the list of software producers with the greatest number of known vulnerabilities, while the Joomla, Drupal and TYPO3 content management systems appeared on the list for the first time. This confirms the growing tendency for web applications to be the weak point: 55 per cent of all disclosed vulnerabilities now affect web applications, and 74 per cent of those web application vulnerabilities had no patch available.
The most frequently exploited browser-side vulnerabilities were in Microsoft's MDAC RDS ActiveX Control, the RealPlayer IERPCtl ActiveX Control, the Microsoft WebViewFolderIcon ActiveX Control and Apple QuickTime. X-Force also noted an increase in attacks on Adobe browser plug-ins. The complete report can be downloaded from the X-Force pages.