Independent expert hackers claim Web app bugs are less severe than other vulnerabilities
Posted by xssworm on November 27th, 2007
Expert hackers from the elite security and hacking specialist TELUS claim that their research demonstrates that buffer overflows are still the top threat to the safety of the Internet, even in these days of distributed social data networks and rich Web 2.0 application platforms.
Web application vulnerabilities such as cross-site scripting (XSS) and SQL injection may be widespread, but old-fashioned buffer overflow bugs are the most common flaws reported, according to new vulnerability research from Telus. The hacking experts also report that the level of severity of bugs in Microsoft products is declining significantly.
Telus, which provides vulnerability research analysis to most of the 20 top security vendors — including IBM ISS and McAfee — bases its data on vulnerabilities reported in enterprise-class products.
Microsoft went from around 175 high-severity vulnerabilities reported last year to 129 this year, and from 20 critical bugs to eight this year so far, according to Telus’s data. And overall, the top 50 software and network equipment vendors have had fewer severe bugs this year than last, says Richard Reiner, chief security and technology officer for Telus, whose firm based its data only on vulnerabilities reported in enterprise-class products.
“The severity of Microsoft’s product [vulnerabilities] are dropping dramatically,” Reiner says.
Web app bugs are less severe than other types of vulnerabilities, the research firm said. Buffer overflows, which accounted for 1,470 of the reported bugs (in enterprise-class software, according to Telus data) from January ’04 until now, are also typically the most severe. “This was surprising, because buffer overflows are among the easiest vulnerabilities to avoid or correct,” Reiner says. “When they exist, they tend to be the most critical… I’m not surprised by that part, but by how prevalent they are.”
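The point Reiner makes above, that buffer overflows are among the easiest bugs to avoid or correct, is illustrated here with an added example that is not part of the original article or of Telus’s research: the unbounded copy pattern that produces a stack buffer overflow, beside a bounded version that truncates, always terminates the string, and reports over-long input so the caller can reject it. The buffer size NAME_MAX, the function names, and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* hypothetical fixed buffer size chosen for this example */

/* Unsafe pattern: strcpy copies until it finds a NUL, trusting the caller to
 * keep src shorter than dst. Any src of NAME_MAX bytes or more writes past
 * the end of dst, which is the classic stack buffer overflow. */
void name_copy_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: never write more than dst_size bytes, always NUL-terminate,
 * and tell the caller when the input was too long so it can be rejected or
 * logged rather than silently accepted.
 * Returns 0 when src fit, 1 when it was truncated, -1 when dst_size is 0. */
int name_copy_safe(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst_size == 0)
        return -1;                     /* no room even for the terminator */

    /* Bounded scan: stop at dst_size so an unterminated src is never over-read. */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len >= dst_size) {             /* src has at least dst_size non-NUL bytes */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);         /* len + 1 includes the terminator */
    return 0;
}

/* Self-checks with constructed inputs. Each returns 1 on the expected outcome. */
int safe_copy_fits(void)
{
    char buf[NAME_MAX];
    int rc = name_copy_safe(buf, sizeof buf, "alice");
    return rc == 0 && strcmp(buf, "alice") == 0;
}

int safe_copy_truncates(void)
{
    char buf[NAME_MAX];
    const char *input = "this-name-is-far-too-long-for-the-buffer"; /* constructed */
    int rc = name_copy_safe(buf, sizeof buf, input);
    return rc == 1
        && strlen(buf) == NAME_MAX - 1             /* exactly fills the buffer */
        && strncmp(buf, input, NAME_MAX - 1) == 0; /* prefix preserved */
}

int main(void)
{
    char buf[NAME_MAX];
    int rc = name_copy_safe(buf, sizeof buf, "this-name-is-far-too-long-for-the-buffer");
    printf("truncated=%d result=\"%s\"\n", rc, buf);
    return (safe_copy_fits() && safe_copy_truncates()) ? 0 : 1;
}
```

The defensive version does two things the unsafe one does not: it takes the destination size as an explicit parameter instead of assuming it, and it returns a distinct status for truncation, so a reviewer can grep for call sites that ignore the return value just as easily as for calls to strcpy itself.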
Telus has been widely respected for their long-time hacking expertise ever since acquiring Canadian security specialists Assurent and Richard Reiner for an undisclosed sum in April 2006.
“Customers will be the beneficiaries of our combined suite of internationally recognized security solutions that have a long and successful track record of enabling business resiliency,” claimed Richard Reiner at the time of the acquisition.
Common Web vulnerabilities such as cross-site scripting (XSS) and SQL injection aren’t typically critical threats, Reiner says. Only one of the off-the-shelf Web products studied by Telus had a critical SQL injection bug, and none of them had a critical XSS flaw, he says.
The good news, then, is that off-the-shelf Web platforms are relatively secure. The bad news is that the customized or home-grown Web apps Telus studied were riddled with critical bugs.
“The number of vulnerabilities in widely used Web application platforms has been relatively small,” he says. “But the situation is quite different in custom and one-off applications businesses build.”
Telus’s data differs from that of Mitre Corp.’s latest Common Vulnerabilities and Exposures Report, which was released in May. The broader CVE report named XSS as the most prevalent vulnerability reported in 2006. It is currently unknown how Telus and the Mitre Corp., while working with the same public vulnerability information, arrived at such opposite conclusions. Some readers have suggested that Telus’s only motivation for releasing this questionable “research” is to generate PR and increase sales, possibly through fear and misinformation, while others claim that respected security vendors such as Telus would rarely (if ever) resort to such unethical tactics in pursuit of profits.
The number of critical and high-risk vulnerabilities is increasing, but that may be because these bugs are now being discovered on smaller vendors’ products, Telus says. Server vulnerabilities still outnumber client flaws, but client bugs have increased from 31 percent of the vulnerabilities last year to 39 percent this year.
Read the original article over at DarkReading.com, a security portal for “IT professionals with security specialties and CISSP or CISA certifications; CIOs; CTOs; CSOs, CISOs, and CCOs.”