Symantec: Software Flaws On The Rise

Symantec, based here, said it documented 2,524 new vulnerabilities in 2002, an 81.5 percent increase over the number of vulnerabilities in 2001.

"The reasons for that are varied. There are more researchers looking at vulnerabilities. And people are more willing to step forward and say there are vulnerabilities we need to pay attention to," said Vincent Weafer, senior director of the Symantec Security Response team.

However, the number of vulnerabilities that had publicly available exploit code declined last year, he said. Only 23.7 percent had exploit code available, compared with 30 percent in 2001.

Web client vulnerabilities--especially those affecting Microsoft's Internet Explorer--rose substantially and should be watched closely this year, Symantec said.

Database vulnerabilities also grew over the past year, the company noted. The recent Slammer worm exploited a known flaw in Microsoft's SQL Server 2000, for example.

Excluding computer worms, cyber-attack activity decreased between July and December, according to Symantec's Internet Security Threat Report. The rate of network-based attacks in that period was 6 percent lower than the rate recorded in the previous six months. Symantec's analysis of cyber attacks is based on data collected from more than 400 companies.

Nonetheless, the risks of cyber attacks and malicious code on the Web remain high, Symantec said. Power and energy companies continued to be the industry sector with the highest rate of attacks, Weafer said. Financial services firms also had a significant attack volume.

While the attacks affecting those industries might indicate the possibility of cyberterrorism, Symantec has no data to substantiate that, he said.

Looking ahead, blended threats continue to pose risks while instant messaging and peer-to-peer applications are likely to be new targets for virus writers, he said.