IBM’s X-Force Report Praises Sun for Fast Fixes

IBM on Wednesday released the “X-Force 2009 Mid-Year Trend and Risk Report,” an analysis of the various threats and vulnerabilities online. Among the numerous findings, it noted that Sun Microsystems is better at disclosing and patching operating system vulnerabilities than any other vendor.

Sun disclosed more vulnerabilities in its own operating system in the first half of 2009 than any other vendor, including Microsoft, which led in OS vulnerability disclosures last year. All told, Solaris vulnerabilities comprised 26 percent of the total number of OS vulnerabilities disclosed in the first half of 2009, the IBM (NYSE: IBM) report said.

“For the vast number of disclosures Sun makes, they have an impressive patch rate (only four percent left unpatched). So what these statistics really mean is that Sun has most likely implemented a more mature vulnerability discovery and reporting framework for their software,” the report said.

Sun’s four percent unpatched rate is far better than the industry average of 49 percent, and also compares favorably with Microsoft (17 percent) and Apple (18 percent), the next-best vendors on the list. At the other end of the scale, the Joomla! web content management system led in unpatched vulnerabilities, leaving 80 percent of those it disclosed without a fix. (Apple trades as NASDAQ: AAPL and Microsoft as NASDAQ: MSFT.)

Microsoft had the most vulnerabilities rated “critical” or “high” under the Common Vulnerability Scoring System (CVSS), accounting for 39 percent of the total.

The dangerous Web

While enterprise IT managers may feel they have a handle on OS vulnerabilities, the report warned that nobody is safe on the Internet.

“The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted,” said IBM X-Force Director Kris Lamb.

“There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We’ve reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity.”

Web applications remain particularly exposed to SQL injection attacks. “In 2008, SQL injection hit a high point not only in terms of vulnerability disclosures, but also in terms of exploitation,” the report said.
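To make the SQL injection trend concrete, the following is an added example written for this page; it is not code from the X-Force report or from any vendor named in the article. It builds a throwaway in-memory SQLite table with constructed sample users, then runs the same login check two ways: the string-spliced query pattern that injection exploits, and the parameterized form that defeats it. All table, column and user names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the report).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The injectable pattern: attacker-controlled strings are spliced
    into the SQL text, so quotes and comment markers change its meaning."""
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, name, password):
    """The hardened form: a parameterized query. The driver binds the values
    after the statement is parsed, so they are never reinterpreted as SQL."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password))
    return sorted(row[0] for row in rows)


def demo():
    """Run both checks against honest and hostile input and return results."""
    conn = make_db()
    # Tautology payload: turns the WHERE clause into
    #   name = 'alice' AND password = '' OR '1'='1'
    # which is true for every row because AND binds tighter than OR.
    tautology = "' OR '1'='1"
    # Comment payload: terminates the statement after the user name, so the
    # password comparison is commented out entirely (SQLite honours "--").
    comment_out = "alice' --"
    return {
        "vuln_bad_creds": login_vulnerable(conn, "alice", "wrong"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "vuln_comment_bypass": login_vulnerable(conn, comment_out, "anything"),
        "safe_tautology": login_safe(conn, "alice", tautology),
        "safe_comment_bypass": login_safe(conn, comment_out, "anything"),
        "safe_good_creds": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The vulnerable function returns every user for the tautology payload and logs in as a chosen user for the comment payload, while the parameterized version returns nothing for either and only succeeds with the real credentials. The same bind-parameter discipline applies to every database driver; escaping or filtering input is not a substitute for it.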

The report said that information-stealing Trojans are growing fast, and that Trojans account for 55 percent of all malware.

Furthermore, Adobe’s PDF format, prevalent in the enterprise, has been the subject of a significant number of disclosed flaws, the report said.
