MANILA, Philippines -- Hackers are exploiting users' failure to patch promptly after vulnerabilities are announced, according to an IBM security report. Ironically, IBM said, the security advisories that announce those vulnerabilities seem to make the problem worse.
According to IBM's X-Force midyear report, more than 90 percent of the browser-related exploits detected during the first six months of this year appeared within 24 hours of the corresponding vulnerability being disclosed.
More significantly, IBM noted that hackers are adopting new techniques and strategies to better exploit "zero-day" vulnerabilities, that is, to attack before users are even aware that they need to install a patch or update.
Publicly released exploit code compounds the problem, the report said: publishing working exploit code alongside a security advisory has long been accepted practice among many security researchers, and it hands attackers a ready-made tool during the window before patches are applied.
"We see a considerable acceleration in the time from when a vulnerability is disclosed to when it is exploited, with an accompanying proliferation of vulnerabilities overall," said Kris Lamb, IBM X-Force operations manager.
"Without a unified process for disclosing vulnerabilities, the research industry runs the risk of actually fueling online criminal activity," Lamb noted.
He added: "There's a reason why X-Force doesn't publish exploit code for the vulnerabilities we have found, and perhaps it is time for others in our field to reconsider this practice."
IBM's report also found that browser plug-ins have become the newest target of choice for hackers, marking a shift in focus from the operating system to the Web browser.
In the first six months of 2008, nearly 80 percent of Web browser exploits targeted browser plug-ins rather than the browser itself, the report said.