ZDNet UK
Browser flaws biggest software security risk

Tom Espiner ZDNet.co.uk

Published: 15 Sep 2006 18:00 BST


The most common software flaws are now cross-site scripting (XSS) vulnerabilities, according to US Government organisation Mitre.

XSS flaws have accounted for 21.5 percent of the vulnerabilities found in 2006 so far according to Mitre statistics.

XSS vulnerabilities can let an attacker run JavaScript in a victim's browser in the context of a trusted web site, bypassing the browser's security controls and exposing sensitive data held by that site.
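The mechanism behind the XSS figure above is usually nothing more exotic than untrusted text being pasted straight into an HTML page. The following Python snippet is an added illustration, not code from the article or from Mitre: it renders a constructed blog comment two ways, once unencoded and once through `html.escape`, and includes a small check a reviewer can run to see whether markup from the input survived into the output.

```python
import html
import re

# Constructed sample input: a blog comment carrying markup. It exists only to
# show the difference between the two renderers below.
UNTRUSTED_COMMENT = '<script>alert("xss")</script> nice post!'

# Matches anything that looks like an HTML tag in a piece of text.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the untrusted text becomes part of the page unchanged,
    so any tags in it are parsed and executed by the reader's browser."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened: encode the HTML metacharacters (< > & " ') before the text
    reaches the HTML body, so the browser displays the markup as plain text."""
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


def untrusted_tags_survive(rendered: str, untrusted: str) -> bool:
    """Defender's check: does any tag present in the untrusted input appear
    verbatim in the rendered page? True means the encoding step was skipped."""
    return any(tag in rendered for tag in TAG_RE.findall(untrusted))


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_comment_unsafe),
                           ("safe", render_comment_safe)):
        out = renderer(UNTRUSTED_COMMENT)
        print(f"{name}: tags survive = "
              f"{untrusted_tags_survive(out, UNTRUSTED_COMMENT)}\n  {out}")
```

The check is deliberately crude (it only looks for whole tags copied through); its purpose is to make the difference between the two renderers observable, not to replace context-aware output encoding in a real template engine.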

SQL injection flaws, which can occur in database-backed web applications, accounted for 14 percent of vulnerabilities seen.
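SQL injection, the second category in the Mitre figures, arises when input is concatenated into a query string so that quote characters in the input change the query's structure. The Python example below is added here and is not from the article, Mitre or Sophos: it builds a constructed in-memory SQLite user table and shows a login lookup written with string concatenation beside the same lookup written with placeholders, so the difference in behaviour on a crafted username can be observed directly.

```python
import sqlite3

# Constructed input: a username that closes the string literal and appends an
# always-true condition. Using the same value for the password keeps the
# resulting query syntactically valid.
INJECTED_VALUE = "' OR '1'='1"


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web application's user
    store. Passwords are stored in clear only to keep the demo short; a real
    system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so the database
    parses whatever the user typed as part of the statement."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: placeholders pass the input as bound values, so it can never
    alter the structure of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe:", login_unsafe(db, INJECTED_VALUE, INJECTED_VALUE))  # every user
    print("safe:  ", login_safe(db, INJECTED_VALUE, INJECTED_VALUE))    # no match
    print("real:  ", login_safe(db, "alice", "correct horse"))          # ['alice']
```

The crafted value turns the concatenated query into `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, whereas the parameterised version compares the literal string and matches nothing.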

PHP remote file vulnerabilities accounted for 9.5 percent of the 20,000 flaws collated by Mitre, said DarkReading.com.

PHP, a web scripting language, can be vulnerable to attack if applications created using it are not carefully written. PHP implementations are often considered notoriously poorly coded, according to security vendor Sophos.

Buffer overflow vulnerabilities slipped from being the most prevalent in 2003 to accounting for 7.9 percent of holes in 2006.

However, Sophos said it had not seen any noticeable shift in the attacks actually exploiting these flaws, buffer overflows included. It also questioned how the statistics had been collated and how severe the flaws really were, given that many of the affected applications and smaller web servers have few users.

"There is a danger that these folks are comparing apples with oranges," said Graham Cluley, senior technology consultant with Sophos. "After all, you could find lots and lots of vulnerabilities in Fred's Internet Utility, but that wouldn't be something we would consider to be a bigger problem than just one vulnerability in a widespread technology like [Microsoft's] Internet Information Services."

Cluley said that XSS attacks are very common on less popular web servers and applications, but that the more widely used packages are less likely to have such flaws.

According to Cluley, the Mitre statistics do not indicate a shift in the type of software that attackers are targeting, merely that the proliferation of flawed applications with few users is skewing the statistics.

"The fact is that there are more small .Net, Java and PHP implementations of blogging and webhosting than there are Internet side C-based software platforms," said Cluley.
