Half of security vulnerabilities going unpatched

And China plays top host to malicious sites

Tags: china, security, vulnerabilities, malware

By Elinor Mills

Published: 3 February 2009 09:07 GMT

More than half of the security vulnerabilities disclosed during 2008 had no patches available from the vendor by the end of the year, according to a report released on Monday by IBM's X-Force research group.

Meanwhile, 46 per cent of vulnerabilities from 2006 and 44 per cent from 2007 still had no patch by the end of 2008, the 2008 X-Force Trend and Risk report said. X-Force documented a record number of 7,406 new vulnerabilities last year.

Overall, Microsoft is the vendor that tops the list in percentage of vulnerabilities disclosed, the report said. The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years, the report said. There were no breakdowns by vendor or operating system for unpatched vulnerabilities.

Most of the spam last year appeared to come from Russia (12 per cent), followed by the US (9.6 per cent), and Turkey (7.8 per cent), although the spam senders themselves could be based elsewhere, the report said.

Last year, for the first time, China unseated the US as the country hosting the largest number of malicious websites.

Meanwhile, 46 per cent of all malware attacks last year were Trojans targeting people playing online games and doing online banking, and 90 per cent of phishing attacks targeted financial institutions, according to the report.

The two main trends among attackers last year were SQL injection attacks, in which a small malicious script is inserted into a database that feeds information to the website, and malicious URLs hosting exploits.

Original article: IBM report: Vulnerabilities still going unpatched from CNET News.com
