Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious Web Vulnerabilities Dropped In 2011

Posted by Soulskill on from the who-will-step-up-to-take-credit dept.

wiredmikey writes "It's refreshing to see a security report from a security vendor that isn't all doom-and-gloom and loaded with FUD. Web Application Security firm WhiteHat Security released a report this week (PDF) showing that the number of major vulnerabilities has fallen dramatically. Based on the raw data gathered from scans of over 7,000 sites, there were only 79 substantial vulnerabilities discovered on average in 2011. To compare, there were 230 vulnerabilities on average discovered in 2010, 480 in 2009, 795 in 2008, and 1,111 in 2007. As for the types of flaws discovered, Cross-Site Scripting (XSS) remained the number one problem, followed by Information Leakage, Content Spoofing, Insufficient Authorization, and Cross-Site Request Forgery (CSRF) flaws. SQL Injection, an oft-mentioned attack vector online – was eighth on the top ten."

34 comments

  1. First... by Anonymous Coward · · Score: 0, Offtopic

    The one time I have a chance at first post, and I have nothing interesting to say. :(

    1. Re:First... by lattyware · · Score: 1

      Did you consider not saying anything then?

      --
      -- Lattyware (www.lattyware.co.uk)
    2. Re:First... by Anonymous Coward · · Score: 0

      Even a fool, when he holdeth his peace, is counted wise: and he that shutteth his lips is esteemed a man of understanding. Proverbs 17:28
      Sometimes the Bible gets it right

    3. Re:First... by AliasMarlowe · · Score: 2

      Well, he could have mentioned the interesting fact that the linked SecurityWeek article claims "As for the industry comparison, baking finished on top with an average of 17 vulnerabilities, while retail remained on the bottom with 121."
      Always knew you could trust a baker...
      Bankers were probably lumped in with retail and the other bottom-feeders.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    4. Re:First... by Anonymous Coward · · Score: 0

      As long as you're still vulnerable, does it really help that much to have fewer vulnerabilities?

      Should someone walking across the freeway feel better if there are only 79 models of cars instead of 230? Someone trying to hit him will use what's available.

      Now about that announced MS car....

      That Mac attack of earlier this year smelled funny. I don't believe it didn't install on systems with Skype, certain MS products etc because of compatibility. I think the players involved ALREADY had doors in through those products so no install was needed. Don't believe it was just for clicks either.

  2. I thought FUD was the whole point of security. by Anonymous Coward · · Score: 0

    Always assume it's not safe enough or at least acknowledge that's the amount of security you're willing to pay for. Am I wrong?

    Perhaps security firms are the kind of firms that are *supposed* to give you bad news.

    The Secretary of Defense doesn't walk into the Oval Office and says: "It seems it's all well and good for now, you can go play with Bo for the rest of the day, Mr. President."

  3. Conclusion by girlintraining · · Score: 2

    "It's refreshing to see a security report from a security vendor that isn't all doom-and-gloom and loaded with FUD."

    They're doing it wrong. Don't assume that if you can't see it, it isn't there.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Conclusion by Anonymous Coward · · Score: 1

      Exactly.
      Read this article for more on that: http://www.schneier.com/blog/archives/2012/06/the_vulnerabili.html
      And this EFF essay: https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate

      Bottom line:
      "We've always expected the NSA, and those like them, to keep the vulnerabilities they discover secret. We have been counting on the public community to find and publicize vulnerabilities, forcing vendors to fix them. With the rise of these new pressures to keep zero-day exploits secret, and to sell them for exploitation, there will be even less incentive on software vendors to ensure the security of their products.
      As the incentive for hackers to keep their vulnerabilities secret grows, the incentive for vendors to build secure software shrinks. As a recent EFF essay put it, this is "security for the 1%." And it makes the rest of us less safe."

  4. They'll be back. by bAdministrator · · Score: 1

    Give me address there.

  5. I'm sorry - could you repeat that? by 93+Escort+Wagon · · Score: 1

    there were only 79 substantial vulnerabilities discovered on average in 2011.

    It's one data point, isn't it? What exactly are they averaging here?

    --
    #DeleteChrome
    1. Re:I'm sorry - could you repeat that? by Anonymous Coward · · Score: 0

      "79 vulnerabilities per website". As was implied by [...]from scans of over 7,000 sites[...]".

      I didn't expect you to read the report, but at least the summary... please...

    2. Re:I'm sorry - could you repeat that? by 93+Escort+Wagon · · Score: 1

      TL;DR

      --
      #DeleteChrome
  6. Its the web developers! by Anonymous Coward · · Score: 0

    See? You get what you pay for.
    Most of those vulnerabilities are due to implementation and lack of good QA, not your hosting/ops/protocols fault.

  7. Similar statistics for CVE data by Anonymous Coward · · Score: 1

    Vulnerability statistics for all CVE data are available here : http://www.cvedetails.com/vulnerabilities-by-types.php
    Statistics for all CVE data are also similar to White Hat report.

  8. Unfortunately... by fuzzyfuzzyfungus · · Score: 2

    Unfortunately, 'Mark Zuckerberg', 'The Nation State', and 'Google' remain on the list of outstanding serious web vulnerabilities, leading some to wonder whether it would be necessary to introduce a system weighting the seriousness of vulnerabilities as well as merely enumerating them...

  9. The End is nigh! by Pf0tzenpfritz · · Score: 2

    a security report from a security vendor that isn't all doom-and-gloom and loaded with FUD?!

    OMG, what next? A calf with two heads? We're doomed!.

    --
    Oh, the beautiful gloss of greality!
  10. Yeah, well.. by Anonymous Coward · · Score: 0

    Time are tough at Adobe, you know. They can't afford to devote as many programmers to putting in as many vulnerabilities into Flash as they used to.

  11. One thing will never change. by bmo · · Score: 1

    The most serious web vulnerability sits in the chair.

    --
    BMO

    1. Re:One thing will never change. by gweihir · · Score: 2

      Indeed. And fixing it can take up to 45 years...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:One thing will never change. by bmo · · Score: 1

      >And fixing it can take up to 45 years...

      I think you may be too optimistic.

      --
      BMO

    3. Re:One thing will never change. by Billly+Gates · · Score: 1

      That is a false perception.

      The story describes XSS and flash vulnerabilities. Not people who click "DOWNLOAD HERE". Almost all Windows users who have said they do not run AV software and are clean are infected heavily. Mainly it is just a bad ad that uses flash to root the system as even Slashdot had one a few months ago that I reported to them.

      Worse are the idiots who feel XP is superior and run their account as a full administrator

      Most users know better today but I have had my system hosed with a flash ad before and used flashblock and no longer use Adobe Reader as a result.

      --
      http://saveie6.com/
    4. Re:One thing will never change. by gweihir · · Score: 1

      Possibly...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:One thing will never change. by dkleinsc · · Score: 1

      And more importantly, there tends to be a confusion between the part in the chair and the part approximately 30 inches above it.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    6. Re:One thing will never change. by bmo · · Score: 1

      >Mainly it is just a bad ad that uses flash to root the system

      Oh I know all too well. We had that on Investor Village once.

      >That (user error is the biggest part of malware propagation) is a false perception.

      The user is not always to blame and drive-by installs exist. There is a caveat to this: the vast majority of web based malware comes from pages designed to trick the user into downloading and installing something - social engineering.

      We can call this the "dumb user problem" since there are no other words to describe the phenomenon - users having no clue when encountering or even identifying malicious sites, a problem that has existed since the web got popular.

      I posted a rant on here about how Microsoft goes out of their way to groom programmers, but then does absolutely nothing in the way of user education in even the most basic safe computering. Not even a quickstart 3-fold pamphlet in the boxed set of Windows or bundled with a new system. That, I lay squarely at the feet of Microsoft.

      And I got excoriated for it by people saying "they won't read it anyway." Well, the fact is that Microsoft doesn't even try.

      --
      BMO

    7. Re:One thing will never change. by cavreader · · Score: 2

      Users are just that, "Users". They are not pedantic wannabe security gurus who think they actually know what they are doing. They just want to run their applications. Most users have better things to do with their time than sitting around nitpicking obscure security issues, most of which can only be duplicated in a controlled lab environment using specifically defined steps. Those who talk about nothing but OS security vulnerabilities never seem to realize the purpose of an OS is for running applications. Some of the best software engineers and developers in the world working for MS, Apple, Google, IBM, or independent OS vendors have still been unable to provide perfect security. The sheer number of permutations of hardware, applications, and multi-OS versions and functionality is mind staggering. Add in your average web developer, poor system administrators, and other types of application developers guarantee perfect security will never exist. Sloppy system admins are also responsible for opening security holes through their half ass configuration and server management procedures. If you really want a secure system unplug your Internet connection, and disable your external media. On the corporate side invest your time on hardened firewalls and persistent system monitoring . Security and productivity require responsible trade offs. If you want 100% exploit free OS and applications you would most likely be looking at a 10+ year development cycle before any new features and applications get released. Even antivirus solutions or source code analytic tools only look for specific signatures to identify problems but they can only provide that type of protection after the exploit has already been discovered after the OS and applications has been released for use. Engineering malware using well know applications instead of creating one-off components makes it harder to ID rouge applications and exploits because they are basically hiding in plain site. And you are also very wrong about the documentation MS provides about creating secure applications. Both developers and users can access this information freely anytime they want.

  12. How could they tell? by gelfling · · Score: 1

    Websites are so god awful and packed with 10 dozen scripts, flash, embedded garbage now they are their own viruses.

  13. Attackers protecting their explits better? by gweihir · · Score: 2

    As I see no technical reason for web-applications to be less vulnerable, my guess is that black-hats that find vulnerabilities are just more careful with them in order to be able to exploit them longer.

    The other reason I see is that the metric is wrong. It may just be that the vulnerability-types have changed and the metric used but this report has not kept up.

    Anyways, no reason to celebrate. Practical IT security is still in a very sad state and I do not see this changing anytime soon. By now I believe that the currently active developer generations have to retire and be replaced by ones with security-awareness. As this "new" generation is still not being educated, the problem will be with us at least for several decades.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. 9,000 bad sites appear a day by Billly+Gates · · Score: 2

    It seems the crackers are now using dirty sites and SEO to attack ignorant users to them instead of targettng legit sites and injecting them with malware for drive byes like before.

    Anyone else notice when searching for something techical in Google you will see comments which are identical in like 5 sites where 4 are just copied from the 5th? Some do not even have domain names as AV software can detect and block these. The comments are copied to make the site hit SEO numbers and have tons of ads that play videos wether you click on them or not so they can steal some money and some even inject malware.

    It is frustrating as I have to click around 2 or 3 sites to get the legitimate article I am looking for or comments that deal with an article I want to read etc.

    Just a difference in tactics.

    --
    http://saveie6.com/
    1. Re:9,000 bad sites appear a day by icebraining · · Score: 1

      I always go back and block those domains in Google. I don't know if they use that information, for ranking, but at least my own results are cleaner.

      --
      Dilbert RSS feed
    2. Re:9,000 bad sites appear a day by Billly+Gates · · Score: 1

      I clicked them before. They just throw ads that do click fraud mostly and of course have download this here to fix it! Which of course is malware.

      I didn't know you could report those domains. I should. I never click on the ones with IP addresses only. The point is the bad guys are now using this as AV software and newer versions of Windows are more protected and improved. No one uses IE 6 anymore to browse the web and most prefer Chrome now so these kinds of infections are harder as zero exploits are fixed fast.

      --
      http://saveie6.com/
    3. Re:9,000 bad sites appear a day by Anonymous Coward · · Score: 0

      Where'd you get the "9,000 bad sites appear a day" figure from?

  15. Doomed? by NotQuiteReal · · Score: 2

    A calf with two heads? Do you have any idea how awesome that brand of head cheese would be? They could probably charge double per lb.

    --
    This issue is a bit more complicated than you think.
  16. But data being reported stolen more often? by Phlow · · Score: 2

    Seems like this last year or so there have been a far larger number of companies reporting their data being compromised than in past years.

    In any case, I'd say between lulsec and anonymous, the hunt and the arrests of these asshats might just be causing them to lay low for a while.

  17. More frequent browser patching reducing problem? by MtViewGuy · · Score: 3, Interesting

    I think the vulnerabilities are dropping because the three most commonly-used browsers, Internet Explorer, Chrome and Firefox, are all being patched and/or upgraded on a fairly frequent basis for a couple of years. Besides Microsoft's once-a-month (sometimes more) patches for IE, Chrome and Firefox are now on much faster update/patch cycles, and I think that has cut down on the number of issues with browser-based malware attacks.