Web Sites Rife with Unpatched Vulnerabilities
Although the overall number of vulnerabilities being discovered in software
appears to be leveling off or even dropping, two recent reports on Web security
say that the overwhelming majority of Web sites studied still have unpatched
vulnerabilities that could expose visitors to malicious code.
"It's part of a trend that has been going on since 2006," Tom Stracener, senior
security analyst at Cenzic's Intelligent Analysis Lab, said of the focus on
Web vulnerabilities. "There is a tremendous focus on it in the research community."
According to a trend report for the second quarter of 2008 released this week
by Cenzic, seven of 10 Web applications analyzed engaged in unsafe communications
practices that could lead to exposure of sensitive information during transactions.
Cross-site scripting is the most common injection flaw, with 60 percent of sites
analyzed being vulnerable to the attacks. About 20 percent had SQL injection
Meanwhile, WhiteHat Security reported similar findings. The company released
its fifth Web site Security Statistics Report this week, also covering the second
quarter of the year. It reported that cross-site request forgery vulnerabilities
are present in about 75 percent of Web sites.
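The three flaw classes the two reports count most often (cross-site scripting and SQL injection from the Cenzic figures above, cross-site request forgery from the WhiteHat figures) each come down to one missing control. The following is an added example, not code from Cenzic, WhiteHat or GCN: it pairs a flawed handler with its fixed form for each class using only the Python standard library, against a constructed in-memory user table (the table, the function names and the sample inputs are all assumptions made for the illustration).

```python
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a site's real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


# --- SQL injection: query built by string concatenation vs. parameter binding ---
def lookup_role_unsafe(conn, name):
    # Untrusted input is spliced into the SQL text, so a crafted value can
    # change the query's meaning instead of being treated as a plain string.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_role_safe(conn, name):
    # The "?" placeholder makes the driver pass the value separately from the
    # statement, so whatever the input contains it is only ever compared as data.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


# --- Cross-site scripting: raw interpolation vs. context-correct escaping ---
def render_comment_unsafe(text):
    # User content is dropped straight into HTML; markup in it becomes live markup.
    return "<p>" + text + "</p>"


def render_comment_safe(text):
    # html.escape turns &, <, >, " and ' into entities, so the browser shows the
    # characters rather than interpreting them as tags or attribute delimiters.
    return "<p>" + html.escape(text, quote=True) + "</p>"


# --- Cross-site request forgery: per-session token bound to state-changing requests ---
def issue_csrf_token(session):
    # Generate an unguessable token, store it server-side in the session, and
    # embed the same value in the form; a forged cross-origin request cannot read it.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    # Reject if either side is missing; compare in constant time so the check
    # does not leak how many leading characters matched.
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed input that alters an unparameterized query
    print("unsafe:", lookup_role_unsafe(db, probe))   # leaks every row
    print("safe:  ", lookup_role_safe(db, probe))     # matches nothing
    print(render_comment_safe("<script>alert(1)</script>"))
    sess = {}
    tok = issue_csrf_token(sess)
    print("csrf ok:", verify_csrf(sess, tok), "forged:", verify_csrf(sess, "other"))
```

The unsafe and safe variants differ by one line each, which is the point: the fixes are not exotic, and the remediation rate WhiteHat reports depends on consistently applying them rather than on finding anything new.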
"On a positive note, 66 percent of all vulnerabilities identified have
been remediated, underscoring the value of a consistent Web site vulnerability
management program," WhiteHat reported. But it also reported that 82 percent
of sites have at least one security issue, with 61 percent having issues rated
as high, critical or urgent under the Payment Card Industry Data Security Standard.
Cenzic reported that although the overall number of vulnerabilities reported
in the second quarter was down slightly, the number of Web vulnerabilities remained
nearly constant. The Web accounted for about 73 percent of all vulnerabilities
reported in the second quarter, up from 70 percent the previous quarter.
"It should be noted, however, that the frequency with which security
issues are reported does not reflect the frequency of their distribution in
the wild," the report said. "For example, cross-site scripting comprised
roughly 23 percent of the total application vulnerability volume, yet this vulnerability
is very common in proprietary Web applications."
Interactive Web formats that emphasize user-generated content, often placed
under the broad title "Web 2.0," are becoming an increasingly important
area of interest for researchers and hackers. Cenzic reported an increasing
focus on client-side Web-enabled tools, such as ActiveX controls, QuickTime,
Flash players and other media players, often embedded in applications.
"Attacking client-side applications or browser plug-ins is increasingly
becoming a means for distributing malware, rootkits and backdoors," the
William Jackson is the senior writer for Government Computer News (GCN.com).