Apple Tops IBM’s List of Vendors with Most Vulnerabilities

By on August 27th, 2010 10:40 GMT

IBM has released its August X-Force report, which shows that the number of vulnerabilities disclosed during the first half of 2010 increased by a substantial 36% compared to the previous year.

IBM X-Force analyzed and documented some 4,396 new vulnerabilities in the first half of 2010, attributing four percent of the disclosures to Apple, which put the Cupertino-based electronics maker at the top of the list.

Trailing the Mac maker was Microsoft at No. 2 on the list. The third position was occupied by Adobe Systems, mostly because of issues relating to Adobe Reader and Flash Player, eWeek reports.

"The continued prevalence of the Gumblar—the exploit tool kit/group—is still helping to secure top positions for Adobe products, but PDF and Flash exploits are extremely popular in many other exploit tool kits as well," an IBM spokesperson said.

"An interesting change from the second half of 2009 is that ActiveX has dropped off the top-five list, at least for now … Judging by what we have observed thus far in 2010, it is safe to assume that 2010 will be dominated by PDF exploitation," the spokesperson added.

"The leap in vulnerability disclosures relates to organizations taking a greater interest in exploitable software bugs as well as attackers continuing to develop their own infrastructure," said Tom Cross, manager of IBM's X-Force Advanced Research Team.

"An area that both whitehat and blackhat security researchers are focusing on is automated vulnerability discovery through approaches such as fuzzing,” Cross noted.

"Predicting disclosure increases into the future is going to be tricky for this reason and we may see the occasional plateau or decrease," he added.

Also noteworthy, according to eWeek, is IBM's finding that attackers rely heavily on JavaScript obfuscation to hide malware. The technology company detected a 52 percent increase in such attacks since 2009.

"Attackers have been using JavaScript to obfuscate Web browser attacks for a few years, but X-Force believes that the topic comes up infrequently, yet it continues to be a problem," Cross said.

"With attackers continuing to innovate with JavaScript obfuscation, it is forcing security vendors to innovate [in the areas of] intelligent components and solutions too."
