Click here to receive your FREE subscription to Campus Technology

Home > Study: The Year's Top-10 Web Application Vulnerabilities

News

Study: The Year's Top-10 Web Application Vulnerabilities

3/3/2008

By David Nagel

Said the report, "These technologies are often combined to enable rich-media Internet applications, enhanced user interactivity, and syndication, all core elements of the application design principles that are associated with Web 2.0. The vulnerability count includes vulnerabilities in any application that implements one or more of the listed technologies. Research into the vulnerability types above showed general declines in all areas with the exception of flash technology, which increased from one disclosed vulnerability during the first half of 2007, to more than 20 vulnerabilities disclosed in the second half of 2007."

The numbers, however, are not all-inclusive.

Mandeep Khera, Cenzic's vice president of marketing, told us, "The numbers are low because these are known, reported, and published vulnerabilities. There are potentially a lot more in the internal applications using Web 2.0 applications. Also, there are probably a lot more in commercial apps that haven't been found or reported due to limited expertise in skills, tools, and knowledge around these technologies."

The Top Open Source and Commercial Application Vulnerabilities
The report did not focus primarily on Web 2.0. Instead, it looked at vulnerabilities across the whole spectrum of commercial and open source applications. Of these, the most severe in the fourth quarter of 2007 included (in order):

  1. Open SSL Off-By-One Overflow
  2. Java Web Start Bugs
  3. Adobe Acrobat URI Handling Bug
  4. IBM Lotus Notes Buffer Overflow
  5. RealPlayer Input Validation Flaw
  6. IBM WebSphere Application Server Input Validation Hole
  7. IBM WebSphere Input Validation Hole
  8. PHP Buffer Overflows, Filtering Bypass and Configuration Bypass Bugs
  9. Apache Input Validation Hole
  10. Adobe Flash Player Bugs

Further information about each of these can be found in the report, available in PDF form here.

Cenzic said of the applications studied, 70 percent "engaged in insecure communication practices that could potentially lead to the exposure of sensitive or confidential user information during transactions." And 60 percent were affected by the most common injection flaw, cross-site scripting.

There are, of course, implications for home-grown Web applications as well.

"...These findings, do not take into account the thousands of vulnerabilities that are created while programming in-house or proprietary applications," the company said. This can be a significant problem for education, where, as a recent informal Web poll showed, the majority of institutions do develop Web applications in house.

"A vast majority of applications are proprietary and created in-house or outsourced to India, Russia, China, and former [Soviet Bloc] countries," Cenzic's Khera told us.



Recommended Reading
  • Sun, Stanford Working To Archive History

    In May in San Francisco, experts from leading universities, libraries, and research institutions around the world met as part of an ongoing effort to address a pressing issue: archiving the world's history, right up to today.

  • The Quilt Coalition Rolls Out XO Communications for High-Capacity Network Services

    The Quilt, a coalition of 28 regional network organizations, has added XO Communications Services to its authorized vendor list. The Quilt represents 200 universities and thousands of other educational institutions across the United States. With this new relationship, Quilt members can purchase XO's high-speed IP transit and network transport services at competitive rates.

  • Wimba Classroom 5.2 Expands Classroom Capture Support, Adds MP3 Downloads

    At the NECC 2008 conference in Texas this week, Wimba launched a new version of Wimba Classroom, the virtual classroom component of the company's Collaboration Suite. The new 5.2 release expands options for classroom capture and adds a variety of other functional and ease of use features.

  • Automation Chimera: Education Is Not Management

    The lure of automating workflow online so human intervention is minimized is continually reinforced in the minds of higher education administrators by examples of automated campus systems such as financials, student information systems, and other enterprise systems. But what's good for management is not always good for learning.

  • Cognos Releases BI Software for Linux-based IBM System z Mainframe

    Cognos, which IBM acquired in January, has released an update to its business intelligence software that will run on the Linux operating system on IBM System z mainframes. IBM Cognos 8 BI was being developed by the two companies prior to the acquisition, but assimilation of Cognos into IBM accelerated development.

  • Facebook and Collegiality: A Serendipitous Social Niche

    Facebook is a way to greet a colleague as if she or he is on your own campus: a wave at a distance, a hello at the corner burrito place, a honk as you both leave the campus parking lot. Informal collegiality has been extended over the miles.

Related Articles

send e-mail link to articleEmail this article

print this articlePrintable Format