Some Sobering Security Stats
Symantec today released its latest report on Internet security, cataloging 2,249 software vulnerabilities discovered or reported from January through June 2006 -- the most the company has ever recorded in a six-month period.
Nearly 80 percent of the vulnerabilities were considered easily exploitable and involved Web-facing software: applications like Web browsers, and Web applications such as blogging and shopping-cart programs.
Hackers often use Web application flaws to deface Internet sites -- thousands of sites are defaced each day thanks to this class of vulnerabilities. Annoying as they are, however, defacements aren't the real problem. Criminals can exploit the same Web application flaws to gain access to sensitive databases, access that can drive credit card and identity theft. Online criminals also can use Web app flaws to hijack legitimate sites and redirect visitors to sites that try to install spyware and other malicious programs.
Web application flaws can even cause a Web site to become a drone in a massive army of computers that organized criminals use to launch crippling and extortionist attacks against other Web sites. According to Symantec's stats, the first six months of 2006 brought an average of 6,110 distributed denial-of-service attacks (DDoS) each day.
That figure is a low-ball number, as Symantec only measured DDoS attacks in cases where the perpetrators faked the Internet addresses of the compromised computers doing the attacking. With millions of compromised machines on the 'Net these days available for use in DDoS attacks, spoofing the source Internet address of drone computers is really not necessary, and the practice is now a lot less common than it used to be.
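The measurement caveat above is worth seeing in code. The following is an added example, not code from the post or from Symantec: it models a monitor watching an unused address block (the "network telescope" framing and all addresses are assumptions of this example, using documentation ranges). A SYN-flood victim answers every forged SYN with a SYN-ACK to the forged source, so the monitor sees a victim's replies only when the attacker happened to forge addresses inside the watched block. A flood sent from bots' real addresses produces no such replies and is never counted, which is exactly why a spoofing-only count undershoots.

```python
"""Backscatter observation of spoofed-source SYN floods (constructed demo).

Added example, not the post's or Symantec's code. A monitor on an unused
address block (assumed here, documentation ranges only) sees a victim's
SYN-ACK replies only for forged sources that fall inside that block.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Unused block watched by the monitor (assumption; TEST-NET-3 range).
TELESCOPE = ip_network("203.0.113.0/24")


def victim_replies(syn_packets):
    """Return the (src, dst) SYN-ACK replies a victim emits for a flood.

    Each flood packet is (src_ip, dst_ip); the victim answers to src_ip,
    whether or not that address was forged.
    """
    return [(dst, src) for (src, dst) in syn_packets]


def telescope_view(packets):
    """Keep only packets whose destination lies in the watched block."""
    return [(s, d) for (s, d) in packets if ip_address(d) in TELESCOPE]


def count_backscatter_attacks(observed, min_packets=3, min_targets=2):
    """Group unsolicited replies by sender and flag likely flood victims.

    A sender whose replies reach several distinct addresses in a block that
    never sent anything is being made to answer forged SYNs. Returns
    {victim_ip: backscatter_packet_count}.
    """
    hits = defaultdict(list)
    for src, dst in observed:
        hits[src].append(dst)
    return {
        victim: len(targets)
        for victim, targets in hits.items()
        if len(targets) >= min_packets and len(set(targets)) >= min_targets
    }


# Constructed flood 1: forged sources scattered across the Internet; some
# land in the watched block, so the victim's replies reach the monitor.
SPOOFED_FLOOD = [
    ("198.51.100.7", "192.0.2.10"),
    ("203.0.113.5", "192.0.2.10"),
    ("203.0.113.77", "192.0.2.10"),
    ("203.0.113.201", "192.0.2.10"),
    ("198.51.100.9", "192.0.2.10"),
    ("203.0.113.5", "192.0.2.10"),
]

# Constructed flood 2: bots using their real addresses, none in the block.
# The victim's replies go back to the bots, never to the monitor.
DIRECT_FLOOD = [
    ("198.51.100.21", "192.0.2.20"),
    ("198.51.100.22", "192.0.2.20"),
    ("198.51.100.23", "192.0.2.20"),
    ("198.51.100.24", "192.0.2.20"),
]


def measured_attacks(*floods):
    """Victims the telescope can count across the given floods."""
    replies = []
    for flood in floods:
        replies.extend(victim_replies(flood))
    return count_backscatter_attacks(telescope_view(replies))


if __name__ == "__main__":
    # Only 192.0.2.10 is counted; the non-spoofed flood on 192.0.2.20
    # leaves no trace in the watched block.
    print(measured_attacks(SPOOFED_FLOOD, DIRECT_FLOOD))
```

A real monitor would also see RST replies from closed ports and would score senders within time windows rather than over a whole capture, but the blind spot is the same: as the proportion of floods that forge source addresses drops, a backscatter-based count captures a smaller share of what is actually happening.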
Other stats of interest in the report: Microsoft's Internet Explorer was the most frequently targeted Web browser, drawing 47 percent of all browser attacks. Mozilla's Firefox and other browsers had the most flaws -- 47 (IE had 38) -- but IE continued to have the largest window of exposure to known security flaws, that is, the longest gap between a flaw becoming publicly known and a patch being available.
A PDF copy of the Symantec report can be downloaded here.