There was an average of 220 security vulnerabilities a month between July and December 2003, of which an average of 99 were of “high severity”, and 70% of which were easy to exploit, according to Symantec’s latest Internet Security Threat Report.
The findings of the report highlight growing concerns among IT users that implementing every software patch released is becoming an impossible task.
Richard Archdeacon, technical services director at Symantec, said, “As the time between disclosure and exploitation of vulnerabilities continues to shrink, ‘zero-day threats’ that target vulnerabilities before they are known are imminent.
“Patch management continues to be critical, but companies are struggling to manage it themselves.”
And the problem is likely to get worse before it gets better, Archdeacon warned. “Attackers require no specialised knowledge to gain unauthorised access to a network when vulnerabilities are easy to exploit.”
Threats to privacy and confidentiality were the most rapidly increasing threats during the six-month period, the security software supplier said, with a 148% growth in volume of malicious code submissions.
So-called “blended threats” like Blaster, Welchia and Sobig.F - which combine the characteristics of viruses, worms, Trojan horses and malicious code with existing vulnerabilities to spread an attack - made up 54% of the top ten submissions for the last six months of 2003, the research revealed.
Almost one third of all attacking systems targeted the vulnerability exploited by the Blaster worm and its successors, it said. And, although many of the worms appeared in August, a sufficient number of unpatched systems remain to sustain them, Symantec warned.
Internet Security Threat Report July-Dec 2003: Main points
Blended threats increasingly target backdoors left by other attackers and worms
Financial services, healthcare and power and energy sectors were the hardest hit by severe cyber attacks
2,636 new vulnerabilities – an average of 220 new per month
70% of new vulnerabilities are easily exploited, requiring no exploit code, providing opportunity for attackers to gain access to critical systems more easily