Connect with us

Hi, what are you looking for?


Application Security

IBM X-Force Report: Global Security Threats Reach Record Levels

IBM released its X-Force 2010 Mid-Year Trend and Risk Report today, which showed record threat levels in almost every area.

IBM released its X-Force 2010 Mid-Year Trend and Risk Report today, which showed record threat levels in almost every area.

Web vulnerabilities lead the way, representing more than half of the 4,396 publicly disclosed vulnerabilities documented by the X-Force Research & Development team in the first half of 2010. This represents a 36 percent increase over the same time period last year, with 55 percent of the disclosed vulnerabilities having no vendor-supplied patch at the end of the period.IBM X-Force Report 2010

Keep in mind that these figures don’t include custom-developed Web applications, which can also contain vulnerabilities.

On the positive side, the report noted that organizations were doing more to identify and disclose security vulnerabilities than in the past, helping to drive more open collaboration to identify and eliminate vulnerabilities before cyber criminals can exploit them.

Microsoft and Adobe’s collaboration to facilitate advanced information sharing on vulnerabilities via its Microsoft Active Protections Program (MAPP) is a good example of such progress. MAPP is a collaborative effort involving 65 global members that facilitates the sharing of product vulnerabilities with security software providers.

“This year’s X-Force report reveals that although threats are on the rise, the industry as a whole is getting much more vigilant about reporting vulnerabilities. This underscores the increased focus among our clients to continue looking for security solutions that help them better manage risk and ensure their IT infrastructure is secure by design,” said Steve Robinson, general manager, IBM Security Solutions.

The report noted that hidden attack methods grew in volume and complexity, with JavaScript being a major avenue of attack. Attackers are using sophisticated means to penetrate networks without being detected by traditional security tools. JavaScript obfuscation has been a popular technique used by all classes of cybercriminals to hide their exploits within document files and Web pages. IBM detected a 52 percent increase in obfuscated attacks during the first half of 2010 versus the same period in 2009.

PDF exploits continue to soar as attackers trick users in new ways. The widespread use of PDF-based exploits spiked during the first half of 2009, capturing three of the top five slots for browser exploits used in the wild since.

Advertisement. Scroll to continue reading.

Another Positive trend! Phishing activity declined significantly during the period, with the first half of 2010 seeing a fraction of the phishing attacks that were seen at the peak in 2009, a decline of almost 82 percent.

The decline in phishing during the period is possibly a result of Avalanche, a notorious cybercrime gang, at one time responsible for two-thirds of all phishing attacks, discontinuing its phishing endeavors in favor of using malware.

Financial institutions are still the number one phishing target, representing about 49 percent of all phishing emails, while credit cards, governmental organizations, online payment institutions and auctions represent the majority of other targets.

Looking into the future, the X-Force Research and Development team has identified some key trends to watch for in the future, including:

Cloud Computing — As an emerging technology, security concerns remain a hurdle for organizations looking to adopt cloud computing.

Virtualization – X-Force’s vulnerability data shows that 35 percent of vulnerabilities impacting server class virtualization systems affect the hypervisor, which means that an attacker with control of one virtual system may be able to manipulate other systems on the same machine.

The IBM X-Force Report comes from IBM’s X-Force team, which gathers facts from numerous intelligence sources, including its database of over 50,000 computer security vulnerabilities, millions of intrusion events monitored on tens of thousands of managed network sensors deployed on customer networks throughout the world, its global Web crawler and its international spam collectors.

To read more from the IBM X-Force Team, visit:

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...