The number of new vulnerabilities publicly reported in 2011 declined by 20%, but an analysis conducted by Hewlett Packard of custom Web applications found them prone to a variety of common coding errors.
The data shows custom Web application coding errors are widespread, HP said, and attackers are targeting them in greater numbers.
HP is warning security professionals not to get a false sense of security from the overall decline in publicly reported vulnerabilities. The decline can be attributed to a variety of factors, including software security improvements and changing vulnerability disclosure trends that may be leaving a significant quantity of vulnerabilities uncounted, according to the HP 2011 Cyber Security Risks Report. The report, issued this week, offers a detailed analysis of data from the Open Source Vulnerability Database (OSVDB), the HP DVLabs' Zero Day Initiative, and HP’s Fortify Web security researchers.
While overall Web application flaws in commercially available applications has been in decline since 2006, a review of more than 359 unique custom Web applications conducted by HP Fortify paints a much different picture. Many of the custom Web applications were found rampant with common coding errors, leaving them prone to cross-site scripting and SQL injection attacks.
Web Application Flaws
Microsoft Internet Explorer, Google Chrome and Mozilla Firefox, the three most popular browsers on the market, saw a slight increase in browser vulnerabilities in 2011, but few cybercriminals are creating Web browser attacks targeting the flaws, according to IBM.
Expert Cory Scott offers pointers for using Web application security assessment tools and developing an application security assessment strategy.
Static analysis performed on the custom Web applications found more than half were vulnerable to reflected cross-site scripting, and 86% were vulnerable to injection flaws. The custom applications were also susceptible to insecure direct object reference vulnerabilities and nearly all of them were vulnerable to information leakage and improper error handling flaws. Dynamic analysis, which evaluates a program by executing data in real-time, found more than 66% were vulnerable to insecure communications vulnerabilities. “99% of hacking is information gathering, so this is not insignificant,” the report found.
The data shows custom Web application coding errors are widespread, HP said, and attackers are targeting them in greater numbers. Web application attacks grew almost 50% from 2010 to 2011. The attacks made up 13% of the total attacks observed by TippingPoint IPS customers and honeypots used to capture new exploits for trend analysis and emerging threat detection. HP found many of the attacks being driven by the Black Hole Exploit Kit, an automated attack toolkit that is known for spreading the Zeus, Cutwail, Spyeye, and Carberp botnets.
“Basic security mistakes such as information leakage and insecure communications are still being made at all organization size levels,” according to the report. “Measures should be taken to ensure information potentially important to attackers is not included in the application. Ultimately, the solution is for security to be ‘baked in’ to the development process, not brushed on.”
The report found website administrators failing to deploy patches or to support new browser security features built into Microsoft Internet Explorer 8 for preventing cross-site scripting attacks from executing.
Adobe Shockwave led the top 10 list of disclosed commercial vulnerabilities in 2011. It was followed by Apple Quicktime errors, HP Data Protector flaws and Oracle Java vulnerabilities. The information was gleaned from HP DVLabs Zero-day Initiative, which purchases vulnerability information from security researchers and provides it free of charge to affected vendors. RealNetworks RealPlayer, Adobe Reader, Microsoft Internet Explorer, Microsoft Office Novell iPrint and HP OpenView errors made up the rest of the commercially available products in the ZDI Top 10 vulnerability list.