Research on browser weaknesses triggers attacks

Jul 30, 2008

IBM's X-Force says cyber-criminals are using public research on Web browser weaknesses to launch attacks before most users are even aware of their vulnerability. The mid-year report from the security group indicates that organized criminals are adopting new automated techniques and strategies that allow them to exploit vulnerabilities much faster than ever before.

According to the X-Force report, 94 percent of all browser-related online exploits occurred within 24 hours of a vulnerability being officially disclosed. These attacks, known-as "zero-day" exploits, are on the Internet before people even know they have a vulnerability that needs to be patched in their systems.

Many security researchers have routinely posted the code needed to exploit a weakness as part of a security advisory. According to the X-Force report, these disclosed vulnerabilities are twice as likely to trigger zero-day exploits.

"The two major themes in the first half of 2008 were acceleration and proliferation," said X-Force Operations Manager Kris Lamb. "We see a considerable acceleration in the time a vulnerability is disclosed to when it is exploited, with an accompanying proliferation of vulnerabilities overall. Without a unified process for disclosing vulnerabilities, the research industry runs the risk of actually fueling online criminal activity. There's a reason why X-Force doesn't publish exploit code for the vulnerabilities we have found, and perhaps it is time for others in our field to reconsider this practice."

The latest X-Force report also found that browser plug-ins are the newest target-of-choice. In the first six months of 2008, roughly 78 percent of web browser exploits targeted browser plug-ins.

For more security trends and predictions from IBM, including graphical representations of security statistics, please access the full report at: www.ibm.com/services/us/iss/xforce/midyearreport

Provided by IBM

Explore further: US warns shops to watch for customer data hacking

add to favorites email to friend print save as pdf

Related Stories

Feeling bad at work can be a good thing

52 minutes ago

(Phys.org) —Research by the University of Liverpool suggests that, contrary to popular opinion, it can be good to feel bad at work, whilst feeling good in the workplace can also lead to negative outcomes.

Recommended for you

US warns shops to watch for customer data hacking

7 hours ago

The US Department of Homeland Security on Friday warned businesses to watch for hackers targeting customer data with malicious computer code like that used against retail giant Target.

Fitbit to Schumer: We don't sell personal data

21 hours ago

The maker of a popular line of wearable fitness-tracking devices says it has never sold personal data to advertisers, contrary to concerns raised by U.S. Sen. Charles Schumer.

Should you be worried about paid editors on Wikipedia?

Aug 22, 2014

Whether you trust it or ignore it, Wikipedia is one of the most popular websites in the world and accessed by millions of people every day. So would you trust it any more (or even less) if you knew people ...

How much do we really know about privacy on Facebook?

Aug 22, 2014

The recent furore about the Facebook Messenger app has unearthed an interesting question: how far are we willing to allow our privacy to be pushed for our social connections? In the case of the Facebook ...

Philippines makes arrests in online extortion ring

Aug 22, 2014

Philippine police have arrested eight suspected members of an online syndicate accused of blackmailing more than 1,000 Hong Kong and Singapore residents after luring them into exposing themselves in front of webcam, an official ...

Google to help boost Greece's tourism industry

Aug 21, 2014

Internet giant Google will offer management courses to 3,000 tourism businesses on the island of Crete as part of an initiative to promote the sector in Greece, industry union Sete said on Thursday.

User comments : 0