Mobile exploits have doubled this year as opposed to 2010 and we should particularly watch out for mobile applications that are really malware, says IBM's X-Force security research team.
Those are two warnings from the "X-Force 2011 Mid-Year Trend and Risk Report", which says that mobile application markets are a haven for malware.
Exploits of mobile operating systems will go from 18 in 2009 to about 35 by the end of 2011, the report says, as the number of vulnerabilities will go from about 65 to more than 180 over the same period.
"The first half of 2011 saw an increased level of malware activity targeting the latest generation of smart devices, as attackers are finally warming to the opportunities these devices represent," the new report says.
Distributing malware through app markets
The report uses Android devices as an example, and notes that since the operating system is open, many developers write applications to it. Some of these apps are malicious, so users should be careful which ones they choose and where they get them from. "One of the most popular and effective ways to distribute Android malware is through application markets. Besides Google's own official market, there are many unofficial third-party markets," the report says.
Another problem with mobile devices, particularly phones, is that users are at the mercy of their phone manufacturer to patch known operating system vulnerabilities. Known vulnerabilities may go unpatched, not because patches don't exist, but because they aren't provided by individual phone makers. "Many mobile phone vendors don't push out security updates for their devices," the report says.
Network defenders face a growing threat from weaknesses in software. These weaknesses are assessed via Common Vulnerability Scoring System (CVSS), with those scoring 10 out of 10 deemed critical. The percentage of critical vulnerabilities has jumped in the first halfof 2011 vs all of 2010 from 1 to 3 percent.
Vulnerabilities more concentrated among fewer vendors
That's still a small percentage, but it is triple last year. And the actual number of critical vulnerabilities so far this year is already larger than last, the report says. "Almost every one of these critical vulnerabilities is a serious remote code execution issue impacting an important enterprise class software product," the according to the report.
Vulnerabilities are getting more concentrated among fewer vendors, the study finds. In 2009, the 10 software companies with the most reported vulnerabilities accounted for a quarter of all the vulnerabilities reported. This year so far, that number has jumped to a third (34 percent). IBM X-Force didn't name the top 10. "The bottom line is that enterprise IT staff are spending just as much, if not more time installing patches this year as they have in the past," the report says.The report does point out some bright spots:
* Web application vulnerabilities dropped from 49 percent of all disclosures to 37 percent, the first decline in five years.
* Vulnerabilities ranked high and critical are at a four-year low.
* Spam and traditional phishing are declining.