And of those cross-site scripting vulnerabilities, only 473 had been patched by administrators of the affected Web sites before the end of the year. Of the 6,961 site-specific vulnerabilities reported by Symantec for the first six months of 2007, only 330 have been fixed thus far.
Even in the cases where site administrators are able to fix the vulnerabilities, Huger said, they are typically slow to do so. However, during the second half of 2007, the average patch development time was 52 days, down from an average of 57 days in the first half of 2007.
Among the most commonly-exploited Web-oriented technologies were browser plug-ins, particularly those using ActiveX. Over the second half of 2007, Symantec documented 239 browser plug-in vulnerabilities, compared to 237 during the first six months of the year. During the second half of 2007, 79 percent of those vulnerabilities affected ActiveX components, compared to 89 percent in the first half.
As long as such vulnerabilities continue to make it possible for legitimate sites to get hacked, the only solution for the problem will be technological means by which sites themselves and their users can somehow authenticate each other, Huger said.
"At the end of the day, we'll never be able to drive out all vulnerabilities, so we need software that tells us that the site we're visiting is the site we really want, or that the e-mail we receive is from a trusted source," said the expert. "The criminals have elevated their work to the level where it's nearly impossible to discern something like a targeted phishing attack merely using the human eye, and they are only going to become even more creative is using social engineering to trick people into falling for their attacks."