How Secure Are Your Software Applications – Not Very, It Seems

Most of us, I expect, are familiar with the expression – If you fail to plan, then you plan to fail. If you accept the findings of Veracode’s second edition of their State of Software Security Volume 2, which reports unfavorably on the security reliability of more than half of the 2,922 web applications tested, you might wonder if application developers are familiar with this expression.

This report, coupled with the Qualys Vulnerability Report, which I receive weekly, leaves little doubt in my mind that software developers, by and large, need to focus more intently to ensure their applications are appropriately hardened against security vulnerabilities.

The following partial listing, taken from a Qualys Vulnerability Report from several weeks ago, highlights this lack of focus. Frankly, I never fail to be astonished by the huge number of application vulnerabilities listed in this report. I’ve always felt that the software industry should thank its “lucky stars” that this report is not particularly well known outside the IT security community. It’s as if application vulnerabilities are a dirty little secret.

Critical Vulnerabilities – Widely Deployed Software

(1) HIGH: Adobe Reader / Acrobat Font Parsing Buffer Overflow Vulnerability
(2) HIGH: Mozilla Firefox Multiple Vulnerabilities
(3) HIGH: Apple Safari Multiple Security Vulnerabilities
(4) HIGH: Google Chrome Multiple Security Vulnerabilities
(5) HIGH: Apple iOS Multiple Vulnerabilities
******************************************************************
Comprehensive List of Newly Discovered Vulnerabilities from Qualys
– Third Party Windows Apps
10.37.1  – HP Operation Agent Privilege Escalation and Remote Code Execution Issues
10.37.2  – Tuniac “.pls” File Buffer Overflow issue
10.37.3  – Microsoft Internet Explorer CSS Handling Cross-Domain Information Disclosure
– Mac OS
10.37.4  – Apple Mac OS X Mail Parental Control White List Security Bypass Issue
– Linux
10.37.5  – Linux Kernel “keyctl_session_to_parent()” Null Pointer Dereference Denial of Service
10.37.6  – Linux Kernel “IrDA” Protocol NULL Pointer Dereference Denial of Service Issue
10.37.7  – oping Local Information Disclosure
10.37.8  – Linux Kernel “irda_bind()” Null Pointer Dereference
10.37.9  – Linux Kernel “SIOCGIWSSID” IOCTL Local Information Disclosure Issue
10.37.10 – Linux Kernel “XFS_IOC_FSGETXATTR” Information Disclosure Issue
– Novell
10.37.11 – Novell Netware SSH Remote Buffer Overflow Issue
– Cross Platform
10.37.12 – Blackboard Transact Multiple Insecure Password Handling Information Disclosure Issues
10.37.13 – Zope Unspecified Denial of Service Issue
10.37.14 – httpdx “h_readrequest()” Remote Format String
10.37.15 – Techlogica HTTP Server Remote File Disclosure
10.37.16 – Arno’s IPTABLES Firewall IPv6 Detection Remote Security Bypass
10.37.17 – Hitachi JP1/Desktop Navigation Unexpected Data Denial Of Service Issue
10.37.18 – Google Chrome Multiple Security Vulnerabilities
10.37.19 – LDAPUserFolder Emergency User Arbitrary Password Authentication Bypass Issue
10.37.20 – ffdshow “.avi” File NULL Pointer Dereference Denial Of Service Issue
10.37.21 – Squid Proxy String Processing NULL Pointer Dereference Denial of Service
10.37.22 – VLC Media Player “smb://” URI Handler “.xspf” File Buffer Overflow Issue

Veracode’s State of Software Security Volume 2 reveals what may well be the true state of the software we have come to rely on.

The following are some of the most significant findings:

More than half of all software failed to meet an acceptable level of security and 8 out of 10 web applications failed to comply with the OWASP Top 10.

Cross-site Scripting remains the most prevalent of all vulnerabilities.

Third-party applications were found to have the lowest security quality.

The security quality of applications from Banks, Insurance, and Financial Services industries was not commensurate with their business.

Equally important – 57% of all applications were found to have unacceptable application security quality. Even more troubling, more than 80% of internally developed and commercial web applications failed to comply with the OWASP Top 10, which is shown below.

OWASP Top 10

  1. Injection – Examples of injection flaws are SQL, LDAP, HTTP header injection (cookies, requests), and OS command injections.
  2. Cross Site Scripting (XSS) – Malicious scripts are executed in the victim’s browser allowing the attacker to hijack the user’s session, steal cookies, deface web sites, redirect users to malicious web sites, and remote browser control.
  3. Broken Authentication and Session Management – Flaws used against one account may be replicated against an account with higher privileges.
  4. Insecure Direct Object References – Attack occurs when an authorized user can change a parameter value that refers to a system object that they are not authorized for.
  5. Cross Site Request Forgery (CSRF) – CSRF attacks can complete any transactions that the victim is permitted to perform, such as accessing data, transferring funds or making purchases.
  6. Security Misconfiguration – Attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have been addressed by proper configuration.
  7. Failure to Restrict URL Access – Links can be obtained from: hidden fields, client-side code, robots.txt, configuration files, static XML files, directory access.
  8. Unvalidated Redirects and Forwards – Unvalidated parameter allows an attacker to choose a destination page where they wish to send a victim to trick them into disclosing private information.
  9. Insecure Cryptographic Storage – The most common reason for this attack is that data that should be encrypted is stored in clear text.
  10. Insufficient Transport Layer Protection – Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication where an attacker can monitor network traffic to steal an authenticated user’s session cookie.
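To make the first two items on that list concrete, here is an added example (my own illustration, not code from the article, Veracode, Qualys or OWASP) that puts an injectable SQL query beside its parameterized form, and raw HTML output beside its escaped form. It uses only the Python standard library, and the user table and probe inputs are constructed for the demonstration.

```python
"""Added example: OWASP Top 10 items 1 (Injection) and 2 (XSS), vulnerable
and hardened forms side by side. Not from the article; sample data is constructed."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Item 1, Injection: the caller's string is spliced into the SQL text, so a
    # quote character inside it changes the query's structure, not just its data.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: a bound parameter is always treated as a value, never as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    # Item 2, XSS: untrusted text placed into the page verbatim, so markup in it
    # becomes part of the document the victim's browser executes.
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    # Hardened form: HTML-encode the value before inserting it into the page.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed input carrying an embedded quote
    print(lookup_vulnerable(db, probe))  # all three rows: the WHERE clause was rewritten
    print(lookup_safe(db, probe))        # []: nobody is literally named x' OR '1'='1
    tag = "<b>bob</b>"                   # constructed input carrying markup
    print(render_greeting_vulnerable(tag))
    print(render_greeting_safe(tag))     # <p>Hello, &lt;b&gt;bob&lt;/b&gt;</p>
```

The same probe string returns every row from the concatenated query and nothing from the parameterized one, which is exactly the distinction a code review or scanner should flag.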

The full report in PDF format is available here.

So how do you ensure that your software installations are relatively secure? Unfortunately, there’s no perfect answer – but you can reduce your overall exposure by installing the free Secunia Personal Software Inspector (PSI).

PSI constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when available.

Installing this small free application will definitely assist you in identifying possible security leaks.


Quick facts:

The Secunia PSI is free for private use.

Downloaded over 800,000 times

Allows you to secure your PC – Patch your applications – Be proactive

Scans for Insecure and End-of-Life applications

Verifies that all Microsoft patches are applied

Tracks your patch-performance week by week

Direct and easy access to security patches.

Detects more than 300,000 unique application versions

Provides a detailed report of missing security related updates

Provides a tabbed report which indicates programs that are no longer supported – programs with all known patches – insecure programs, etc.

Provides a Toolbox offering a set of links which helps you assess a problem and how you can resolve it.

System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7

Download at: Download.com

Bonus: Do it in the Cloud – The Secunia Online Software Inspector (OSI) is a fast way to scan your PC for the most common programs and vulnerabilities, checking whether your PC meets a minimum security baseline against known patched vulnerabilities.

Link: Secunia Online Software Inspector


Filed under Windows Tips and Tools

14 responses to “How Secure Are Your Software Applications – Not Very, It Seems”

  1. Murphy

    Hi,
    Good article .
    I use Secunia PSI .
    Best regards !

  2. Daena

    I installed it and it found some updates on my system. Good to have it, thanks for sharing!

  3. Fred

    Bill, is your email now secure? I recall you stated at one time it had been hacked.
    Is this Secunia in 2 versions, one as something like MBAM that is installed then checks, and another that is cloud, which requires a highspeed connection?
    Would you suggest that the updates from Mozilla and so forth for security are enough for those who are unsophisticated on the computer paradigm?
    I’ve learned in the 4 months I’ve been reading here that there is NO security; all we can do is attempt to be updated and not silly when clicking on links. I would wager that MOST people have no idea of what is going on, whether with computer security or life in general.

    “Possibly related posts: (automatically generated)”
    “Free AppRemover 2.2″
    I had no luck with Revo trying to uninstall AOL. Considering the level of knowledge that might imply, LOL, is AppRemover something I could successfully use?

    PS I do enjoy the quotes you choose for Tech Thoughts

    • Hi Fred,

      Yes – unlike most users who have been hacked, I was able to regain control immediately. I have since changed procedures to ensure (hopefully) that this never happens again.

      Yes, Secunia is available in 2 versions – sort of. The “cloud” version is very limited, and not really a replacement for the installed version since it acts as an on demand scanner only. In other words, it is not resident on your machine proactively protecting you. The installed version, if you’re worried about bandwidth, can be run once a week or so, and then turned off through the icon in the taskbar. To tell you the truth, that’s how I run PSI – once a week, manually.

      Application updates, particularly Browser updates can be critically important. So yes, keeping Mozilla updated and, “not being silly when clicking on links”, as you say, can reduce the threat of a malware infection very substantially.

      AppRemover 2.2 will not help in the removal of AOL since this is an application designed to uninstall security applications – which are notoriously difficult to remove. Unfortunately, AOL also has the same “difficult to remove” reputation. If Revo Uninstaller failed to remove this (I’m sorry to hear that), then the best that I can suggest is – checkout this AOL help page – *Can’t uninstall AOL software* at – http://help.aol.com/help/microsites/microsite.do?cmd=displayKCPopup&docType=kc&externalId=218893

      Glad you like the quotes, BTW. :)

      Good to hear from you.

      Bill

  4. Mal

    Hey Bill,

    Scary stuff indeed. It doesn’t surprise me though. I’ve been using Secunia for a long time now, and like you, run it once or twice a week. Everyone should have it, if they care about their security.

    Cheers

    • Hey Mal,

      I can’t think of another industry sector that could get away with selling a fundamentally flawed consumer product like the software industry so often does. Any product that has the potential of being the proximate cause of a consumer being subjected to financial loss through fraud needs to be regulated. The days of haphazard software development, with little regard paid to the risk to which the user is exposed in an era of unrelenting cyber crime, need to come to an end. If the software industry can’t, or won’t, self-regulate, then Governments, as they do with most consumer products, need to step in.

      I think the results of the Veracode analysis are an absolute disgrace. What’s the point in teaching users to be cautious and sensible, when the very structure they rely on amounts to little more than vaporware, I wonder?

      Best,

      Bill

  5. Even if we leave aside these vulnerabilities, I come across users who are so lazy and ignorant about the security portion of the computer or online world that a hacker won’t even need those vulnerabilities to hack their system or accounts.

    Until people start learning things, the scenario will remain the same. Even on a fully updated system, users fall into the trap of hackers.
