software vulnerability

TippingPoint announced it will give vendors six months to fix bugs before it goes public with information on software vulnerabilities. The company that sells Intrusion Prevention Systems acquired by HP this year has rewarded security researchers for information about vulnerabilities via its long-running Zero Day Initiative (ZDI) program. It uses this information to apply rules blocking exploits to its IPS technology, historically putting no particular pressure on vendors to develop patches.

A security vulnerability in older versions of Windows operating system is being investigated by the Microsoft team according to the company’s Jerry Bryant. The flaw allows attackers to execute malicious code on end user machines.

The vulnerability under probe combines scripts based on Microsoft's Visual Basic language with Windows help files for Internet Explorer. Attacker hosting a malicious website can remotely run arbitrary code by convincing the user to press the computer's F1 key in response to a popup window.

IBM's annual X-Force Trend and Risk Report revealed that the number of software vulnerabilities dropped in 2009 with the number of flaws in document readers and multimedia applications up 50%.

X-Force research and development team deals with the vulnerability disclosures and collects other data on Web-based attacks. Thus, last year the team recorded 6,601 new vulnerabilities, a 11% drop from the previous year.