Browse archive

Latest news

Microsoft to pay up to 150k for vulnerabilities

(IN)SECURE Magazine issue 38 released

Collected data helped foil 50 terrorist plots, says NSA chief

65+ websites compromised to deliver malvertising

Customized spam uses cell phone users’ data against them

Facebook once again accessible via Tor

Oracle releases critical security updates for Java

Employees biggest IT threat to businesses

Google asks secret court permission to publish FISA numbers

Failed backups endanger revenue and productivity

How to detect hidden administrator apps on Android

CyanogenMod founder aims to thwart data-grabbing apps

Hacking charge stations for electric cars

Vulnerabilities in common web applications escalate

Posted on 31 March 2011.

A new Cenzic report reveals widespread Web application vulnerabilities, with 2,155 discovered - a third of which have both no known solution and an exploit code publicly available.

The report also revealed aggressive campaigns by Web browser makers including Google, Microsoft, and Mozilla to improve the security of their Web navigation products.

Among the published Web vulnerabilities in Commercial Off The Shelf (COTS) software, Cross Site Scripting (XSS) and SQL injection dominated, accounting for 54 percent of the total number of Web vulnerabilities in the second half of 2010.

“With all the publicity, education, and known attacks that have exploited XSS and SQL vulnerabilities, it is astounding that companies still haven’t plugged these threats,” said Mandeep Khera, CMO at Cenzic.

“Cybercriminals are well aware of these weaknesses, and worse still, with the amount of exploit codes publicly available, even a hacker with modicum of talent has ability to cause tremendous damage. With an average security breach costing companies millions of dollars, lack of precaution is a daily risk that must be taken seriously. But, to give credit where it’s due, all browser companies have done a great job in taking proactive steps toward better security. However, companies need to upgrade their Web applications to the latest version to ensure security for their customers,” he added.

Cenzic also analyzed vulnerabilities in various Web browsers, detecting many security vulnerabilities yet aggressive campaigns by manufacturers to improve their safety. Google’s Chrome browser had the most vulnerabilities detected – 89 – due to its aggressive campaign to offer cash rewards for any discovered. In the end, the company fixed 88 of these vulnerabilities quickly and efficiently.

Similarly, Mozilla Firefox had 65 vulnerabilities detected and fixed 61 in a timely manner. Apple’s Safari fixed 39 of 41, Internet Explorer fixed 26 of 32, and Opera 27 of 29 vulnerabilities.

The second half of 2010 gave rise to many high profile Web application related attacks on corporations, universities, and government agencies as well, including a data breach at Ohio State University which affected 760,000 people, Anonymous Hackers’ Wikileaks Infowar against credit card companies, the Iranian Cyber Army’s web attacks against popular satellite channel Farsil and technology blog Techcrunch, and more.