Study: The Year's Top-10 Web Application Vulnerabilities

3/4/2008

Said the report, "These technologies are often combined to enable rich-media Internet applications, enhanced user interactivity, and syndication, all core elements of the application design principles that are associated with Web 2.0. The vulnerability count includes vulnerabilities in any application that implements one or more of the listed technologies. Research into the vulnerability types above showed general declines in all areas with the exception of flash technology, which increased from one disclosed vulnerability during the first half of 2007, to more than 20 vulnerabilities disclosed in the second half of 2007."

The numbers, however, are not all-inclusive.

Mandeep Khera, Cenzic's vice president of marketing, told us, "The numbers are low because these are known, reported, and published vulnerabilities. There are potentially a lot more in the internal applications using Web 2.0 applications. Also, there are probably a lot more in commercial apps that haven't been found or reported due to limited expertise in skills, tools, and knowledge around these technologies."

The Top Open Source and Commercial Application Vulnerabilities
The report did not focus primarily on Web 2.0. Instead, it looked at vulnerabilities across the whole spectrum of commercial and open source applications. Of these, the most severe in the fourth quarter of 2007 included (in order):

  1. OpenSSL Off-By-One Overflow
  2. Java Web Start Bugs
  3. Adobe Acrobat URI Handling Bug
  4. IBM Lotus Notes Buffer Overflow
  5. RealPlayer Input Validation Flaw
  6. IBM WebSphere Application Server Input Validation Hole
  7. IBM WebSphere Input Validation Hole
  8. PHP Buffer Overflows, Filtering Bypass and Configuration Bypass Bugs
  9. Apache Input Validation Hole
  10. Adobe Flash Player Bugs

Further information about each of these can be found in the report, available in PDF form here.

Cenzic said of the applications studied, 70 percent "engaged in insecure communication practices that could potentially lead to the exposure of sensitive or confidential user information during transactions." And 60 percent were affected by the most common injection flaw, cross-site scripting.

There are, of course, implications for home-grown Web applications as well.

"...These findings do not take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications," the company said. This can be a significant problem for education, where, as a recent informal Web poll showed, the majority of institutions do develop Web applications in house.

"A vast majority of applications are proprietary and created in-house or outsourced to India, Russia, China, and former [Soviet Bloc] countries," Cenzic's Khera told us.
