Web Sites Rife with Unpatched Vulnerabilities

Although the overall number of vulnerabilities being discovered in software appears to be leveling off or even dropping, two recent reports on Web security say that the overwhelming majority of Web sites studied still have unpatched vulnerabilities that could expose visitors to malicious code.

"It's part of a trend that has been going on since 2006," Tom Stracener, senior security analyst at Cenzic's Intelligent Analysis Lab, said of the focus on Web vulnerabilities. "There is a tremendous focus on it in the research community."

According to a trend report for the second quarter of 2008 released this week by Cenzic, seven of 10 Web applications analyzed engaged in unsafe communications practices that could lead to exposure of sensitive information during transactions. Cross-site scripting is the most common injection flaw, with 60 percent of sites analyzed being vulnerable to the attacks. About 20 percent had SQL injection applications.

Meanwhile, WhiteHat Security reported similar findings. The company released its fifth Web site Security Statistics Report this week, also covering the second quarter of the year. It reported that cross-site request forgery vulnerabilities are present in about 75 percent of Web sites.

"On a positive note, 66 percent of all vulnerabilities identified have been remediated, underscoring the value of a consistent Web site vulnerability management program," WhiteHat reported. But it also reported that 82 percent of sites have at least one security issue, with 61 percent having issues rated as high, critical or urgent under the Payment Card Industry Data Security Standard.

Cenzic reported that although the overall number of vulnerabilities reported in the second quarter was down slightly, the number of Web vulnerabilities remained nearly constant. The Web accounted for about 73 percent of all vulnerabilities reported in the second quarter, up from 70 percent the previous quarter.

"It should be noted, however, that the frequency with which security issues are reported does not reflect the frequency of their distribution in the wild," the report said. "For example, cross-site scripting comprised roughly 23 percent of the total application vulnerability volume, yet this vulnerability is very common in proprietary Web applications."

Interactive Web formats that emphasize user-generated content, often placed under the broad title "Web 2.0," are becoming an increasingly important area of interest for researchers and hackers. Cenzic reported an increasing focus on client-side Web-enabled tools, such as ActiveX controls, QuickTime, Flash players and other media players, often embedded in applications.

"Attacking client-side applications or browser plug-ins is increasingly becoming a means for distributing malware, rootkits and backdoors," the report said.

About the Author

William Jackson is the senior writer for Government Computer News (