IBM's latest Internet Security Systems X-Force report says the bad guys are exploiting security flaws faster than ever and are in many cases standing on the shoulders of the security research community. More and more of these attacks are coming within 24 hours after a vulnerability is publicly disclosed, raising the question over how much information should be released to the public when a new security bug is discovered.
More and more of these attacks are coming within 24 hours after a vulnerability is disclosed. That means security flaws are being exploited in Web browsers, computer operating systems and other programs before many people even have had time to learn there's a problem, according to IBM Corp.'s latest Internet Security Systems X-Force report.
The report, scheduled to be released Tuesday, looked at the first six months of 2008 and reflects two growing trends in Internet-based threats.
The first is that online criminals have latched on in a big way to programs that help them automatically generate attacks based on publicly available information about vulnerabilities. In the past they apparently spent more time finding such holes themselves, but no longer find that as necessary.
"The bad guys are not the ones actively finding vulnerabilities — they've shifted their business to standing on the shoulders of the security research community," Kris Lamb, operations manager for X-Force, said in an interview. "They don't have to do the hard work anymore. Their job is packaging what's been provided to them."