X-Force: Document vulnerabilities on the rise

The IBM X-Force 2009 Trend and Risk Report recorded a marked rise in vulnerability disclosures for document readers and editors, along with multimedia applications. These categories saw more than 50% more vulnerability disclosures in 2009 than in 2008, the company noted. "Vulnerability disclosures for document readers and editors continued to soar, specifically with Portable Document Format (PDF) documents," X-Force said.

On the positive side, the number of critical and high-severity vulnerabilities left without a patch decreased over the past year in several key product categories, the report said. X-Force took this as an indication that software vendors are responding to security issues more quickly by shipping patches sooner.

Also encouraging was the decline in SQL injection vulnerabilities, which contributed to an overall 11% decrease in vulnerability disclosures over the past 12 months. According to X-Force, this could mean that some of the 'low-hanging' vulnerabilities that are easiest to discover have already been found and eliminated.

In keeping with prevailing trends, web application vulnerabilities remain a major cause of security problems, said the report, which added that two-thirds of the web application vulnerabilities disclosed during the year had not been patched by the end of 2009.

"A number of Web application vulnerabilities found by organizations has not decreased or become less of a threat," the report warned, adding that "49% of vulnerabilities are related to web applications, with cross-site scripting disclosures surpassing SQL injection to take the top spot."

X-Force's hat-tip to PDF will no doubt be unwelcome news to Adobe, which is fighting its own security battles at the moment. The company continues to see significant vulnerabilities in its PDF reader products, the most recent of which was disclosed this month and could allow remote execution of arbitrary code.
