Are Bug Disclosures Helping or Hurting? - Page 2
Popular targets
The biggest source of weakness is the ever-popular browser plug-in. IBM found that in the first six months of 2008, roughly 78 percent of Web browser exploits targeted browser plug-ins.
Another popular target is the SQL server database. SQL injection The problem is not in SQL itself or in the confusing mess that SQL code can be. The problem, said Stewart, is in the Web page forms. "Sometimes it's easier to allow the SQL statement in the form. When you do that, you allow SQL injection statements to pass from the form field to the database," she explained.
"A lot of Web developers may not know better practices to avoid these vulnerabilities; they may see it as a cheaper way to achieve the required results."
Among the newer trends: spammers have dropped gimmicks like image spam or writing keywords in an almost unreadable manner (h3rb4l V1-4gra) in favor of just a link to known, reputable sites, such as blog pages. Domains like WordPress and Blogger are trusted and get past spam filters, as opposed to the normal keywords that get caught.
Russia remains the biggest producer of spam, responsible for 11 percent of the world's spam, followed by Turkey with 8 percent and then the United States with 7.1 percent.
Online financial institutions are the top target, with 18 of the top 20 phishing
IBM ISS X-Force's report is available online.