Most of us, I expect, are familiar with the expression – If you fail to plan, then you plan to fail. If you accept the findings of Veracode’s second edition of their State of Software Security Volume 2, which reports unfavorable on the security reliability of more than half of the 2,922 web applications tested, you might wonder if application developers are familiar with this expression.
This report, coupled with the Qualys Vulnerability Report, which I receive weekly, leaves little doubt in my mind that software developers, by and large, need to focus more intently to ensure their applications are appropriately hardened against security vulnerabilities.
The following partial listing taken from the Qualys Vulnerability Report, from several weeks ago, highlights this lack of focus on this point. Frankly, I never fail to be astonished by the huge number of application vulnerabilities listed in this report. I’ve always felt, that the software industry should thank their “lucky stars”, that this report is not particularly well known outside the IT security community. It’s as if, application vulnerabilities are a dirty little secret.
Critical Vulnerabilities – Widely Deployed Software
(1) HIGH: Adobe Reader / Acrobat Font Parsing Buffer Overflow Vulnerability
(2) HIGH: Mozilla Firefox Multiple Vulnerabilities
(3) HIGH: Apple Safari Multiple Security Vulnerabilities
(4) HIGH: Google Chrome Multiple Security Vulnerabilities
(5) HIGH: Apple iOS Multiple Vulnerabilities
Comprehensive List of Newly Discovered Vulnerabilities from Qualys
- Third Party Windows Apps
10.37.1 – HP Operation Agent Privilege Escalation and Remote Code Execution Issues
10.37.2 – Tuniac “.pls” File Buffer Overflow issue
10.37.3 – Microsoft Internet Explorer CSS Handling Cross-Domain Information Disclosure
– Mac Os
10.37.4 – Apple Mac OS X Mail Parental Control White List Security Bypass Issue
10.37.5 – Linux Kernel “keyctl_session_to_parent()” Null Pointer Dereference Denial of Service
10.37.6 – Linux Kernel “IrDA” Protocol NULL Pointer Dereference Denial of Service Issue
10.37.7 – oping Local Information Disclosure
10.37.8 – Linux Kernel “irda_bind()” Null Pointer Dereference
10.37.9 – Linux Kernel “SIOCGIWSSID” IOCTL Local Information Disclosure Issue 10.37.10 – Linux Kernel “XFS_IOC_FSGETXATTR” Information Disclosure Issue
10.37.11 – Novell Netware SSH Remote Buffer Overflow Issue
– Cross Platform
10.37.12 – Blackboard Transact Multiple Insecure Password Handling Information Disclosure Issues
10.37.13 – Zope Unspecified Denial of Service Issue
10.37.14 – httpdx “h_readrequest()” Remote Format String
10.37.15 – Techlogica HTTP Server Remote File Disclosure
10.37.16 – Arno’s IPTABLES Firewall IPv6 Detection Remote Security Bypass
10.37.17 – Hitachi JP1/Desktop Navigation Unexpected Data Denial Of Service Issue
10.37.18 – Google Chrome Multiple Security Vulnerabilities
10.37.19 – LDAPUserFolder Emergency User Arbitrary Password Authentication Bypass Issue 10.37.20 – ffdshow “.avi” File NULL Pointer Dereference Denial Of Service Issue
10.37.21 – Squid Proxy String Processing NULL Pointer Dereference Denial of Service
10.37.22 – VLC Media Player “smb://” URI Handler “.xspf” File Buffer Overflow Issue
Veracode’s State of Software Security Volume 2, reveals what may well be the true state of the software we have come to rely on.
The following are some of the most significant findings:
More than half of all software failed to meet an acceptable level of security and 8 out of 10 web applications failed to comply with the OWASP Top 10.
Cross-site Scripting remains the most prevalent of all vulnerabilities.
Third-party applications were found to have the lowest security quality.
The security quality of applications from Banks, Insurance, and Financial Services industries was not commensurate with their business.
Equally as important – 57% of all applications were found to have unacceptable application security quality. Even more troublesome, more than 80% of internally developed and commercial web applications failed to comply with the OWASP Top 10 which is shown below.
- Injection – Examples of injection flaws are SQL, LDAP, HTTP header injection (cookies, requests), and OS command injections.
- Cross Site Scripting (XSS) – Malicious scripts are executed in the victim’s browser allowing the attacker to hijack the user’s session, steal cookies, deface web sites, redirect users to malicious web sites, and remote browser control.
- Broken Authentication and Session Management – Flaws used against one account may be replicated against an account with higher privileges.
- Insecure Direct Object References – Attack occurs when an authorized user can change a parameter value that refers to a system object that they are not authorized for.
- Cross Site Request Forgery (CSRF) - CSRF attacks can complete any transactions that the victim is permitted to perform such as access data, transfer funds or make purchases.
- Security Misconfiguration – Attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have be addressed by proper configuration.
- Failure to Restrict URL Access – Links can be obtained from: hidden fields, client-side code, robots.txt, configuration files, static XML files, directory access.
- Unvalidated Redirects and Forwards – Unvalidated parameter allows an attacker to choose a destination page where they wish to send a victim to trick them into disclosing private information.
- Insecure Cryptographic Storage – The most common reason for this attack is that data that should be encrypted is stored in clear text.
- Insufficient Transport Layer Protection – Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication where an attacker can monitor network traffic to steal an authenticated user’s session cookie.
The full report in PDF format is available here.
So how do you ensure that your software installations are relatively secure? Unfortunately, there’s no perfect answer – but you can reduce your overall exposure by installing the free Secunia Personal Software Inspector, (PSI).
PSI constantly monitors your system for insecure software installations, notifies you when an insecure application is installed, and even provides you with detailed instructions for updating the application when available.
Installing this small free application will definitely assist you in identifying possible security leaks.
The Secunia PSI is free for private use.
Downloaded over 800,000 times
Allows you to secure your PC – Patch your applications – Be proactive
Scans for Insecure and End-of-Life applications
Verifies that all Microsoft patches are applied
Tracks your patch-performance week by week
Direct and easy access to security patches.
Detects more than 300,000 unique application versions
Provides a detailed report of missing security related updates
Provides a tabbed report which indicates programs that are no longer supported – programs with all known patches – insecure programs, etc.
Provides a Toolbox offering a set of links which helps you assess a problem and how you can resolve it.
System Requirements: Windows 2000, XP 32/64bit, Vista 32/64bit, and Win 7
Download at: Download.com
Bonus: Do it in the Cloud – The Secunia Online Software Inspector, (OSI), is a fast way to scan your PC for the most common programs and vulnerabilities; checking if your PC has a minimum security baseline against known patched vulnerabilities.
If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.