I was reading through the Cenzic Web Application Security Trends Report for Q1/Q2 2009. Very interesting results.
Now, I define interesting a bit differently. People LOVE to throw mud at Microsoft. They think we are the only company who has vulnerabilities in their products. They say that we are terrible at security. But, facts are, we are doing better than anyone else. This is especially relevant when you consider that a vast majority of the attacks, and attackers out there are attacking our products. Yet, as the report states, it’s other people’s products that are taking top spot for vulnerabilities.
The number one vulnerability for the first half of 2009 according to the report is:
phpMyAdmin Configuration File PHP code Injection Vulnerability.
Here is the top ten from the report:
- phpMyAdmin Configuration File PHP Code Injection Vulnerability CVE-2009-1285
- SAP cFolders Cross Site Scripting And HTML Injection Vulnerabilities Bugtra1 ID – 34658
- Sun Java System Access Manager Cross-Domain Controller (CDC) Cross Site Scripting Vulnerability CVE-2009-2268
- Citrix Web Interface Unspecified Cross-Site Scripting Vulnerability Bugtraq ID – 34761
- Sun Java System Web Server Reverse Proxy Plug-in Cross-Site Scripting Vulnerability CVE-2009-1934
- Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness CVE-2009-0580
- phpMyAdmin 'setup.php' PHP Code Injection Vulnerability CVE-2009-1151
- F5 Networks FirePass SSL VPN 'password' Field Cross-Site Scripting Vulnerability CVE-2009-2119
- Multiple Symantec Products Log Viewer Multiple Script Injection Vulnerabilities CVE-2009-1428
- IBM Tivoli Identity Manager Multiple Cross Site Scripting Vulnerabilities Bugtraq ID – 35566
One of the positive trends in the report is that web application vulnerabilities seem to have dropped from H2/08 to H1/09 from 80% to 78% (yes it’s a small drop but the industry should takes it’s wins where it can get them) But our friends SQL Injection and Cross Site Scripting are still #1 and #2 respectively. When will people get the message that dynamic SQL is bad. You MUST use parameterised stored procedures. *sigh*
So now the interesting part. Get this, IE is NOT number 1 for vulnerabilities, it’s not even #2, In a 4 horse race it is #3. Not a bad place to come in third if I do say do myself. Who is #1 and #2 you might ask?!
Firefox took a commanding lead in having the most vulnerabilities with 44%. Second was Safari with 35%, IE had 15% and Opera had 6%.
Safari had over twice the number of vulnerabilities that IE had and Firefox has about 3x the number of vulnerabilities.
But the main problem is still faulty web applications. We still have to focus on secure development practices. Have a read of the report and look through the web app vulnerabilities. Then think long and hard about your own web applications. Could you be vulnerable? It wouldn’t hurt getting some expert advice and asking some questions.