Software exploits aimed at known security vulnerabilities dropped in 2011 to their lowest level for half a decade, a surprisingly upbeat report from IBM’s X-Force division has found.
The company’s 2011 Trend and Risk Report offers a huge amount of detail on security trends during the year, but it is the lower total of publicly disclosed vulnerabilities, and of the attacks on them, that is most intriguing.
Vulnerabilities dropped to around 7,000 for the year, considerably down on 2010, although consistent with a recent cycle that has seen these fall back only to rise the following year.
Crucially, however, the total number of exploits in 2011 was only 778 (11 percent of the total), down from 1,280 (14.7 percent) the year before. There are fewer public vulnerabilities to attack, and a smaller number of these are being exploited.
IBM X-Force attributes this improvement to better security practices filtering through to the software development level, plus specific architectural improvements such as application sandboxing and swifter patching. Criminals are having to work harder to find and exploit new vulnerabilities.
“We have seen a growing number of situations this year where critical vulnerabilities that have been exploited in laboratory environments have not been targeted in the field,” the report said.
“We’ve rarely been able to say that before, and it may mean that we are at the cusp of a new era in computer security.”
Areas of vulnerability remain, principally media players and browser add-ons, it said, with mobile security probably the next area of expansion as criminals slowly change focus with the market.
“In 2011 we’ve seen surprisingly good progress in the fight against computer crime through the IT industry’s efforts to improve the quality of software,” said IBM X-Force’s Tom Cross.
One less positive development offsets all this good news: 2011 saw a record volume of data and network breaches, especially very large ones.