Sean Michael Kerner Blog
Cenzic: IE tops browser vuln list with Firefox second
From the 'beware the web' files:

With RSA coming, it's that time of year again when security trend reports start popping up. Today, application security vendor Cenzic published its Q3-Q4 2008 trends report, which has some interesting findings. Overall, the number of vulnerabilities continues to rise, led by web-based vulnerabilities -- and, oh yeah, Microsoft's IE had more issues, but Mozilla Firefox isn't all that far behind.

Cenzic reported that IE accounted for 43 percent of all reported web browser vulnerabilities in the second half of 2008. Mozilla's Firefox followed closely at 39 percent, while Apple Safari was pegged at 10 percent and Opera at only 9 percent. Cenzic's findings are a little different from those of research vendor Secunia, which reported earlier this month that Firefox had more vulnerabilities (though they were patched more quickly).

In terms of the totality of reported vulnerabilities, Cenzic reported a 10 percent increase in the second half of 2008, totaling 2,835 reported vulnerabilities. Of those, 80 percent were web application related.

The trend toward web application vulnerabilities is no surprise to me (and shouldn't be to anyone), as this is something that has been happening for a while. Hackers want to get at the largest number of people, and the easiest way to do that is by way of a web application. In fact, Cenzic itself has been saying that web vulnerabilities are rising since at least July of 2007.
Web applications, by definition, require remote access, which is often where I see vulnerabilities cropping up. Whether it's by way of SQL injection (untrusted request input that ends up inside a database query), Cross Site Scripting or Cross Site Request Forgery, the simple fact is that the attack surface of a web app is typically wider than that of a regular desktop app.
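To make the SQL injection point concrete, here is an added example (not code from the original post or from Cenzic): a login check and a profile lookup built by pasting request parameters into the SQL text, beside the same two queries with bound parameters, run against an in-memory SQLite table. The users, passwords and payloads are all constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for a web app's user store (assumption:
# a plain username/password table; a real app would store password hashes).
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


# --- Vulnerable: request parameters are pasted into the SQL text ----------

def login_vulnerable(conn, username, password):
    """Authentication check built by string formatting.

    A username of  alice' --  closes the string early and turns the rest of
    the WHERE clause into a comment, so the password is never checked.
    """
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def find_emails_vulnerable(conn, username):
    """Profile lookup with the same flaw. A username of  ' OR 1=1 --  makes
    the WHERE clause always true and returns every user's email address,
    i.e. information belonging to other users."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return sorted(row[0] for row in conn.execute(sql))


# --- Fixed: the same queries with bound parameters ------------------------

def login_safe(conn, username, password):
    """The driver binds the values as data; quotes and comment markers in
    them are compared literally and never reach the SQL parser as syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def find_emails_safe(conn, username):
    """Parameterized lookup: the payload simply matches no username."""
    sql = "SELECT email FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    db = build_db()
    bypass = "alice' --"
    dump = "' OR 1=1 --"
    print("vulnerable login with bypass payload:", login_vulnerable(db, bypass, "wrong"))
    print("safe login with bypass payload:     ", login_safe(db, bypass, "wrong"))
    print("vulnerable lookup with dump payload: ", find_emails_vulnerable(db, dump))
    print("safe lookup with dump payload:       ", find_emails_safe(db, dump))
```

The fix is not input filtering but keeping data and query text apart: with bound parameters the database never sees the attacker's quote as a delimiter, which is why the same payload that logs in and dumps the table in the first pair of functions returns nothing in the second.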
Digging deeper into Cenzic's report, there is an interesting breakdown of vulnerability prevalence by type. Information Leaks and Exposures were found on 83 percent of the sites that Cenzic's ClicktoSecure security service was run against. "Transactions during ordinary use of a Web application can reveal sensitive information belonging to other users," Cenzic states in its report. "It may also be possible to generate application errors by supplying various malformed character sequences, which can contain sensitive information. HTML comments are another example of an information leak, as these comments may assist an attacker in gathering information about the application or its architecture."

Cross Site Scripting issues were found on 71 percent of sites, while Authorization-related flaws were found on 41 percent. SQL Injection vulnerabilities, surprisingly (to me), were found on only 21 percent of the sites surveyed. Given the high impact that a SQL injection attack can have, though, I suppose it's not the volume of vulnerable sites that actually matters in that case.

Overall, this is just yet another proof point for enterprises to ensure that the web application solutions they use are validated and tested for security vulnerabilities.
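A quick way to check a site for the information-leak class Cenzic describes (version-bearing headers, HTML comments left in the page, and error text that escapes after malformed input) is to scan the response for those indicators. The following is an added example, not Cenzic's ClicktoSecure service or anything from the original post; the HTTP response it scans is constructed for illustration, and the signature list is a deliberately short starting point.

```python
import re

# Response headers that, when they carry a version number, tell an attacker
# exactly which software (and therefore which known bugs) sits behind the site.
VERSION_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

# Signatures of errors and internals that tend to surface in a response after
# malformed input is supplied. Short on purpose; extend it for your own stack.
ERROR_SIGNATURES = [
    ("python traceback", re.compile(r"Traceback \(most recent call last\)")),
    ("java stack trace", re.compile(r"\bat [\w$.]+\(\w+\.java:\d+\)")),
    ("sql error", re.compile(
        r"sql syntax|sqlite3\.|ORA-\d{5}|syntax error at or near|"
        r"unterminated quoted string", re.IGNORECASE)),
    ("filesystem path", re.compile(r"(?:[A-Za-z]:\\|/var/www/|/home/)[\w./\\-]+")),
]


def scan_response(headers, body):
    """Return a list of (kind, evidence) tuples for the leak indicators found
    in one HTTP response. headers is a dict of header name to value; body is
    the decoded response text."""
    findings = []
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and re.search(r"\d+\.\d+", value):
            findings.append(("version header", "%s: %s" % (name, value)))
    for match in HTML_COMMENT.finditer(body):
        text = " ".join(match.group(1).split())   # collapse whitespace/newlines
        if text:
            findings.append(("html comment", text))
    for kind, pattern in ERROR_SIGNATURES:
        match = pattern.search(body)
        if match:
            findings.append((kind, match.group(0)))
    return findings


# Constructed sample response (not captured from any real site): what an error
# page might look like after a stray quote is submitted in a login form.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.9 (Unix)",
    "X-Powered-By": "PHP/5.2.6",
    "Content-Type": "text/html",
}
SAMPLE_BODY = """<html>
<!-- TODO: remove legacy login at /admin_old before launch -->
<body><h1>Error</h1>
<pre>Warning: mysql_query(): You have an error in your SQL syntax near ''' at line 1
in /var/www/html/login.php on line 42</pre>
</body></html>"""


if __name__ == "__main__":
    for kind, evidence in scan_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print("%-16s %s" % (kind, evidence))
```

Run it against the constructed response and every leak class from the quoted passage shows up: two version headers, a developer comment pointing at an unlisted path, a database error string, and the server-side file path inside it. In practice you would feed it the body of a response to a deliberately malformed request (the "various malformed character sequences" Cenzic mentions) and treat any finding as something to strip from the production build or error handler.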