The Low and Slow threat
Posted by Dan Holden on September 17, 2007 at 12:19 PM EDT.
What is the largest threat? Obviously a critical Microsoft vulnerability affects a great many of us, since Microsoft has a gigantic market share and install base worldwide. Every month the IT industry and the press watch Microsoft Patch Tuesday with great apprehension and excitement. Many of the bugs that are found are sexy, such as buffer overflows or anything that could allow remote code execution. However, are these the types of vulnerabilities that most enterprises see occurring on their networks most of the time?
What has an even larger install base than Microsoft's various operating systems? Why, the web browser of course. Regardless of which OS you are running, Linux, Mac, Windows, or perhaps a PDA, you more than likely have a web browser installed and probably use it quite often. So, even though vendors such as Microsoft and Oracle might have the most vulnerabilities disclosed in a given year, are these companies' applications really what the majority of hackers are targeting?
What are the most common vulnerabilities that are found every day? Bugs that affect web browsers and the servers they interact with. Cross-site scripting, PHP file-include, and SQL injection vulnerabilities are not only the most commonly discovered bugs today, but were in years past as well. Why is this, you might ask? Well, one reason is that web applications are generally quicker to market or deploy because of the high-level languages used to develop them. Being quicker to market, whether it be an external or internal application, is of course highly desirable. But as in so many areas, security can often become an afterthought. Another reason why these bugs are found so frequently is that it is so hard to QA a web application. Most QA organizations only test what they can see: drop-downs, input fields, etc. However, the back end of a web application can be reached without going through those drop-downs or input fields at all. Companies such as Watchfire (recently acquired by us, IBM) and SPI Dynamics (founded by an ex X-Forcer and recently gobbled up by HP) saw these flaws and trends years ago and have been able to make a pretty penny offering scanning solutions and consulting. Other security products such as web application firewalls have sprung up as well to try and protect these sensitive custom applications.
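To make the QA point concrete, here is an added example (not code from the original post) with a constructed in-memory product catalogue: a handler that assumes a `category` value can only be what the storefront's drop-down offers, beside a hardened version that re-checks the allow-list on the server and binds the value instead of concatenating it into SQL.

```python
import sqlite3

# Constructed sample data (not from the original post): a small product
# catalogue. Only some categories are meant to be reachable through the
# storefront's category drop-down.
CATEGORY_MENU = ("books", "music")          # what the HTML <select> offers
SAMPLE_ROWS = [
    ("Secure Coding", "books", 30),
    ("Jazz Classics", "music", 12),
    ("Vendor Cost Sheet", "internal", 0),   # never listed in the UI
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category TEXT, price INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db

def list_products_vulnerable(db, category):
    # Trusts that 'category' can only be one of the drop-down values and
    # builds the SQL by string concatenation. Nothing enforces either
    # assumption once the request has left the browser.
    sql = f"SELECT name FROM products WHERE category = '{category}'"
    return [row[0] for row in db.execute(sql)]

def list_products_hardened(db, category):
    # Re-check on the server the same constraint the UI displays...
    if category not in CATEGORY_MENU:
        raise ValueError(f"unknown category: {category!r}")
    # ...and let the driver bind the value so it cannot alter the query.
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in db.execute(sql, (category,))]

if __name__ == "__main__":
    db = open_db()
    # A QA tester clicking through the drop-down only ever sends these:
    print(list_products_vulnerable(db, "books"))
    # A hand-built request can send anything, reaching rows the UI never shows:
    print(list_products_vulnerable(db, "internal"))
    # Even a legitimate value with an apostrophe breaks the concatenated query:
    try:
        list_products_vulnerable(db, "children's")
    except sqlite3.OperationalError as err:
        print("vulnerable handler failed:", err)
    print(list_products_hardened(db, "books"))
```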
How bad is it?
So just how many XSS, PHP, and SQL bugs are out there? Data recently compiled by our X-Force database team shows that these types of threats comprise over a third of the vulnerabilities found every year. In 2007 these types of vulnerabilities combined comprise approximately 38% of the total vulnerabilities disclosed thus far. As Gunter mentioned in a previous posting regarding vulnerabilities, this doesn't even begin to account for the vulnerabilities out there that haven't been or won't be publicly disclosed.
The reason this is all so important is that even low- to medium-severity bugs such as these can still bite you in the rear end. The damage can range anywhere from a defaced web page, to the creation of a web mine, to a gigantic loss of data from a back-end database. In the case of a web-based shopping cart you can really have some fun and cause financial loss for the vendor. In the case of a blog or guestbook you can also have fun at the expense of others.
XSS, PHP, and SQL bugs have been around for a while now, and XSS in particular went from being a mild nuisance to a gigantic threat because of the gullibility of so many end users. But what are the threats of tomorrow that could affect us in similar ways? The push to Web 2.0 has brought with it new high-level programming languages to make the development of these new technologies not only faster and easier, but more powerful and feature rich. Some of the most popular up-and-coming threats are found in the use of AJAX and JSON. Both of these were covered in several talks at Black Hat this year, which only further shows not only how important they are, but how seriously security needs to be taken when deploying these types of new technologies.
Web 2.0 can be fun and productive. Collaboration with our fellow humans is happening more today than was ever possible in the history of man. However, getting owned (pwned if you must) in any sort of manner is never fun and if you aren't paying attention to the highest percentage of vulnerabilities out there, then you just aren't paying attention.