Serious Web Vulnerabilities Dropped In 2011
wiredmikey writes "It's refreshing to see a security report from a security vendor that isn't all doom-and-gloom and loaded with FUD. Web Application Security firm WhiteHat Security released a report this week (PDF) showing that the number of major vulnerabilities has fallen dramatically. Based on the raw data gathered from scans of over 7,000 sites, there were only 79 substantial vulnerabilities discovered on average in 2011. To compare, there were 230 vulnerabilities on average discovered in 2010, 480 in 2009, 795 in 2008, and 1,111 in 2007. As for the types of flaws discovered, Cross-Site Scripting (XSS) remained the number one problem, followed by Information Leakage, Content Spoofing, Insufficient Authorization, and Cross-Site Request Forgery (CSRF) flaws. SQL Injection, an oft-mentioned attack vector online, was eighth on the top ten."
Re: (Score:2)
Re: (Score:3)
Well, he could have mentioned the interesting fact that the linked SecurityWeek article claims "As for the industry comparison, baking finished on top with an average of 17 vulnerabilities, while retail remained on the bottom with 121."
Always knew you could trust a baker...
Bankers were probably lumped in with retail and the other bottom-feeders.
Conclusion (Score:2)
"It's refreshing to see a security report from a security vendor that isn't all doom-and-gloom and loaded with FUD."
They're doing it wrong. Don't assume that if you can't see it, it isn't there.
Re: (Score:1)
Exactly.
Read this article for more on that: http://www.schneier.com/blog/archives/2012/06/the_vulnerabili.html
And this EFF essay: https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate
Bottom line:
"We've always expected the NSA, and those like them, to keep the vulnerabilities they discover secret. We have been counting on the public community to find and publicize vulnerabilities, forcing vendors to fix them. With the rise of these new pressures to keep zero-da
They'll be back. (Score:1)
Give me address there.
I'm sorry - could you repeat that? (Score:2)
there were only 79 substantial vulnerabilities discovered on average in 2011.
It's one data point, isn't it? What exactly are they averaging here?
Re: (Score:2)
TL;DR
Similar statistics for CVE data (Score:1)
Vulnerability statistics for all CVE data are available here: http://www.cvedetails.com/vulnerabilities-by-types.php
Statistics for all CVE data are also similar to the WhiteHat report.
Unfortunately... (Score:3)
The End is nigh! (Score:3)
OMG, what next? A calf with two heads? We're doomed!
Doomed? (Score:3)
One thing will never change. (Score:2)
The most serious web vulnerability sits in the chair.
--
BMO
Re: (Score:3)
Indeed. And fixing it can take up to 45 years...
Re: (Score:2)
>And fixing it can take up to 45 years...
I think you may be too optimistic.
--
BMO
Re: (Score:2)
Possibly...
Re: (Score:1)
That is a false perception.
The story describes XSS and flash vulnerabilities. Not people who click "DOWNLOAD HERE". Almost all Windows users who have said they do not run AV software and are clean are infected heavily. Mainly it is just a bad ad that uses flash to root the system as even Slashdot had one a few months ago that I reported to them.
Worse are the idiots who feel XP is superior and run their account as a full administrator.
Most users know better today but I have had my system hosed with a Flash ad.
Re: (Score:2)
>Mainly it is just a bad ad that uses flash to root the system
Oh I know all too well. We had that on Investor Village once.
>That (user error is the biggest part of malware propagation) is a false perception.
The user is not always to blame and drive-by installs exist. There is a caveat to this: the vast majority of web based malware comes from pages designed to trick the user into downloading and installing something - social engineering.
We can call this the "dumb user problem" since there are no oth
Re: (Score:3)
Users are just that, "Users". They are not pedantic wannabe security gurus who think they actually know what they are doing. They just want to run their applications. Most users have better things to do with their time than sitting around nitpicking obscure security issues, most of which can only be duplicated in a controlled lab environment using specifically defined steps. Those who talk about nothing but OS security vulnerabilities never seem to realize the purpose of an OS is for running applications.
Re: (Score:2)
And more importantly, there tends to be a confusion between the part in the chair and the part approximately 30 inches above it.
How could they tell? (Score:2)
Websites are so god awful and packed with 10 dozen scripts, flash, embedded garbage now they are their own viruses.
Attackers protecting their exploits better? (Score:3)
As I see no technical reason for web-applications to be less vulnerable, my guess is that black-hats that find vulnerabilities are just more careful with them in order to be able to exploit them longer.
The other reason I see is that the metric is wrong. It may just be that the vulnerability-types have changed and the metric used but this report has not kept up.
Anyways, no reason to celebrate. Practical IT security is still in a very sad state and I do not see this changing anytime soon. By now I believe that the currently active developer generations have to retire and be replaced by ones with security-awareness. As this "new" generation is still not being educated, the problem will be with us at least for several decades.
9,000 bad sites appear a day (Score:2)
It seems the crackers are now using dirty sites and SEO to attract ignorant users to them instead of targeting legit sites and injecting them with malware for drive-bys like before.
Anyone else notice when searching for something technical in Google you will see comments which are identical in like 5 sites where 4 are just copied from the 5th? Some do not even have domain names as AV software can detect and block these. The comments are copied to make the site hit SEO numbers and have tons of ads that play vi
Re: (Score:2)
I always go back and block those domains in Google. I don't know if they use that information for ranking, but at least my own results are cleaner.
Re: (Score:1)
I clicked them before. They just throw ads that do click fraud mostly and of course have download this here to fix it! Which of course is malware.
I didn't know you could report those domains. I should. I never click on the ones with IP addresses only. The point is the bad guys are now using this as AV software and newer versions of Windows are more protected and improved. No one uses IE 6 anymore to browse the web and most prefer Chrome now so these kinds of infections are harder as zero exploits are fixed
But data being reported stolen more often? (Score:2)
Seems like this last year or so there have been a far larger number of companies reporting their data being compromised than in past years.
In any case, I'd say between LulzSec and Anonymous, the hunt and the arrests of these asshats might just be causing them to lay low for a while.
More frequent browser patching reducing problem? (Score:4, Interesting)
I think the vulnerabilities are dropping because the three most commonly-used browsers, Internet Explorer, Chrome and Firefox, are all being patched and/or upgraded on a fairly frequent basis for a couple of years. Besides Microsoft's once-a-month (sometimes more) patches for IE, Chrome and Firefox are now on much faster update/patch cycles, and I think that has cut down on the number of issues with browser-based malware attacks.