— Vulnerabilities affecting Web server applications are climbing and so are the attacks, both evidenced by newcomers to the most vulnerable vendor list and this year’s automated SQL injection attacks.
— Although standard Web browsers are becoming more secure, attackers continue to rely on automated toolkits, obfuscation, and the prevalence of unpatched browsers and plug-ins to successfully gain hold of new endpoint victims.
— In the first half of 2008, 94 percent of public exploits affecting Web browserrelated vulnerabilities were released on the same day as the disclosure.
· Independent researchers are almost twice as likely to have exploit code published on the same day as their vulnerability disclosure in comparison to research organizations.
· Although virtual machine breakout vulnerabilities tend to get a lot of attention from the press, they are rare and predominantly target x86 platforms and Type II (virtualization solutions that require a host operating system).
· “Complex” spam (spam that uses images, PDFs, or complex text/HTML) is on the decline and a simpler type of spam is taking its place.
· This simpler spam relies on Web links and short text messages inside spam e-mails, which may be more difficult for some antispam technologies to detect.
· For the first half of 2008, a password stealer family that targets online games is in first place on the top ten malware list, and, in the password stealer category, gamerelated malware takes 50 percent of the top ten spots overall.
http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf