When it comes to software vulnerabilities, 2008 will go down as a seminal year. It turned out to be a year when the types of applications targeted by attackers shifted, and we witnessed a significant rise in both the number of vulnerabilities discovered and the number of vulnerabilities found in web applications.
Consider this: Though there was an overall 15 percent rise in vulnerabilities discovered last year, 60 percent of those uncovered were web application flaws. The biggest jump in that class of vulnerabilities was seen in SQL-injection flaws, which doubled year over year. And while desktop and client-side software is still targeted heavily, Excel had the most critical vulnerabilities of any application within the Microsoft Office suite. In addition, 11 percent of web vulnerabilities were cross-site scripting flaws, while all other web-related vulnerabilities accounted for 26 percent of the total.
One of the most important trends last year was a surge in critical server vulnerabilities that don’t require user intervention to exploit, such as CVE-2008-1447, the DNS cache poisoning weakness: resolvers matched answers to outstanding queries using too little randomness (a 16-bit transaction ID and, in most implementations, a fixed source port), so an attacker could forge a response that the resolver accepted and cached. In this type of attack, a poisoned name server sends users to an incorrect, even malicious, web site or e-mail server, and other kinds of traffic can be redirected to systems under the attacker’s control. Another example is CVE-2008-4250 (MS08-067), the Microsoft Server service vulnerability. That flaw made it possible for remote, unauthenticated attackers to execute code of their choice with SYSTEM privileges on vulnerable hosts. And the new year started with a remote, unauthenticated denial-of-service and code execution vulnerability in SMB, addressed in Microsoft’s first bulletin of the year, MS09-001, which affected all supported versions of Windows.
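To make the DNS point concrete, here is an added example (not code from the original article, and not any real resolver’s implementation) that models how a resolver matches an incoming answer to a pending query and what a blind attacker has to guess. The names Query, Answer, Resolver, blind_poison and the bailiwick field are assumptions made for illustration; the 16-bit transaction ID, the port range and the in-bailiwick rule follow the real protocol. The attacker here is assumed to know the queried name and type (in the 2008 attack the attacker triggered the lookup, so that was a given) and to brute-force the transaction ID against a guessed port.

```python
"""Toy model of DNS answer matching, before and after source-port randomization.

Added example, not from the original article. Class and function names are
assumptions for illustration; the txid/port spaces mirror the real protocol.
"""
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Query:
    txid: int          # 16-bit DNS transaction ID
    src_port: int      # UDP source port the resolver sent from
    qname: str
    qtype: str
    bailiwick: str     # zone the queried server is authoritative for


@dataclass(frozen=True)
class Answer:
    txid: int
    dst_port: int      # UDP port the answer is addressed to
    qname: str
    qtype: str
    records: Tuple[Tuple[str, str], ...]   # (owner name, rdata) pairs


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or lies beneath it."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations a blind attacker must cover."""
    return 65536 * ((65536 - 1024) if randomize_port else 1)


class Resolver:
    """Keeps outstanding queries keyed by (txid, source port)."""

    def __init__(self, randomize_port: bool, seed: int = 0):
        self.randomize_port = randomize_port
        self.rng = random.Random(seed)   # seeded only so the example is repeatable
        self.pending = {}
        self.cache = {}

    def send_query(self, qname: str, qtype: str, bailiwick: str) -> Query:
        txid = self.rng.getrandbits(16)
        # Pre-fix behaviour: every query leaves from the same port (53 here).
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        q = Query(txid, port, qname, qtype, bailiwick)
        self.pending[(txid, port)] = q
        return q

    def accept_response(self, ans: Answer) -> bool:
        """Accept only if txid, port and question match a pending query and
        every record stays inside the queried server's bailiwick."""
        q = self.pending.get((ans.txid, ans.dst_port))
        if q is None or (q.qname, q.qtype) != (ans.qname, ans.qtype):
            return False
        if not all(in_bailiwick(owner, q.bailiwick) for owner, _ in ans.records):
            return False
        for owner, rdata in ans.records:
            self.cache[owner] = rdata
        del self.pending[(ans.txid, ans.dst_port)]
        return True


def blind_poison(resolver: Resolver, q: Query, guessed_port: int) -> Optional[int]:
    """Blind attacker: knows qname/qtype, not the txid. Sends one forged answer
    per possible txid to guessed_port, carrying an in-bailiwick record for
    www.<zone> (constructed poison). Returns the number of packets sent
    before one was accepted, or None if all 65536 were rejected."""
    poison = (("www." + q.bailiwick, "203.0.113.66"),)   # RFC 5737 test address
    for sent, txid in enumerate(range(65536), start=1):
        forged = Answer(txid, guessed_port, q.qname, q.qtype, poison)
        if resolver.accept_response(forged):
            return sent
    return None


if __name__ == "__main__":
    old = Resolver(randomize_port=False)
    q = old.send_query("a7f3.example.com", "A", "example.com")
    print("fixed port: poisoned after", blind_poison(old, q, 53), "packets")
    new = Resolver(randomize_port=True)
    q = new.send_query("a7f3.example.com", "A", "example.com")
    print("random port: poisoned after", blind_poison(new, q, 53), "packets")
```

With a fixed source port the attacker only has to cover 65,536 transaction IDs, and because each attempt can be repeated against a fresh random subdomain, the odds accumulate until the forged record for www.example.com lands in the cache. Randomizing the source port multiplies the search space by roughly 64,000, which is what the coordinated July 2008 patches did; the in-bailiwick check is the other half of the defence, since it stops an answer for one zone from planting records for another.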
What do these trends bode for the year ahead? Most likely much more of the same: The number of vulnerabilities discovered is likely to increase, as will the attention that security researchers pay to client-side applications, especially with Windows 7 now in beta.
Also, because of the phenomenal success of software-as-a-service and rich internet applications, web-based software is likely to be targeted much more than in years past.
For instance, consider how powerful new platforms such as Microsoft Silverlight and Adobe Flash have grown. Flash’s ActionScript 3, for example, is a full object-oriented language, not just a scripting language.
With this power comes complexity, and attackers will find more ways to exploit Flash applications. Last year, a widely circulated exploit targeting the Adobe Flash Player was planted on more than 20,000 web pages. The attackers used it to drop a trojan designed to steal user passwords. You can bet more of these attacks targeting rich internet content will surface.
Though no one knows for sure what will happen this year, it’s clear that web application vulnerabilities must be part of your risk management program, with special attention paid to all web-facing applications and services.