Web technologies account for 78 percent of all bugsSeventy-eight percent of all the vulnerabilities identified during the first half of the year were found in web applications, browsers and servers, according to a report released Tuesday by web application security provider Cenzic.
The report was based on the published vulnerability disclosures for various commercial off-the-shelf and open-source software products. Flaws in web technologies have accounted for 70 to 80 percent of all the disclosed vulnerabilities since the beginning of 2008, according to the report. Of all vulnerabilities in web technologies discovered in the first half of 2009, 90 percent were present in web applications, eight percent in web browsers and two percent in web servers.
The most severe web application flaws discovered during the first half of the year were found in Sun, Citrix, Apache, F5 Networks, Symantec and IBM products, the report states.
Another of the most serious bugs was a code injection flaw in phpMyAdmin, a free software tool used to handle the administration of the popular open-source database, MySQL. In addition, multiple cross-site scripting and HTML-injection vulnerabilities were found in SAP cFolders, a platform that enables collaboration between companies and their business partners. The vulnerabilities in SAP cFolders could allow an attacker to steal credentials and alter how a website is rendered for the user, the report states.
Mandeep Khera, chief marketing officer at Cenzic, told SCMagazineUS.com on Monday that even when vendors issue patches for vulnerabilities, many organizations – especially small- and mid-size ones – do not immediately update.
“We see in our customer base that a lot of times, even when a patch is available, companies don't [apply] the patch even though it would have fixed the vulnerability,” he said.
Sometimes this is caused by a lack of awareness about threats to web technologies. Other times, organizations carry a false sense of security that having a network firewall or intrusion detection system will stop hackers from being able to break into web applications, Khera said.
“A lot of companies don't even know what web application security means,” Khera said.
Also, while companies are sometimes lax when it comes to applying patches, vendors can be slow to distribute fixes, according to a research report issued in February by IBM ISS. Of all the web application vulnerabilities disclosed in 2008, 74 percent had no patches available by the time of the report.
The Cenzic study also found that out of the popular web browsers, Firefox had the highest percentage of vulnerabilities during the first half of 2009, with 44 percent of all reported flaws. Safari came in second with 35 percent, followed by Internet Explorer with 15 percent and Opera with six percent.
That contrasted the last half of 2008, when Internet Explorer had the highest percentage of vulnerabilities, followed by Firefox, Safari and Opera.
During the first half of 2009, 3,100 vulnerabilities were disclosed in total, compared to 2,835 disclosed during from the second half of 2008, a roughly 10 percent increase.
Beside commercial technologies, companies' own custom-made web applications also were riddled with unpatched vulnerabilities, the study found. Ninety percent of custom applications that Cenzic analyzed during the first half of the year had holes that could lead to data exposure, Khera said.
With the explosion of internet commerce, many web applications were built quickly, “without any concept of security,” Francois Larouche, web application subject matter expert at vulnerability management vendor Qulays, told SCMagazineUS.com on Monday. But the mindset is changing.
“Now, in 2009 and almost 2010, people are starting to take web application vulnerabilities seriously.” Larouche said.