
Web security firm ranks Firefox, Safari browsers as flaw prone

By Robert Westervelt, News Editor, SearchSecurity.com
13 Nov 2009 | SearchSecurity.in


Mozilla Firefox accounted for 44% of browser-based vulnerabilities in the first half of 2009, more than any other browser, according to a new report from Cenzic Inc.

Apple's Safari browser came in second, with 35% of all browser-based flaws, followed by Internet Explorer (15%). The Santa Clara, Calif.-based penetration testing vendor said the Safari vulnerabilities were due to issues discovered in the Apple iPhone-based browser. Cenzic said browser vulnerabilities accounted for 8% of the total Web vulnerabilities.

The browsers were ranked by the number of bugs in a study reviewing Web-based vulnerability data collected by Cenzic in the first half of 2009. The firm said that 78% of the 3,100 reported vulnerabilities it identified were Web-based.

Experts caution that the number of vulnerabilities addressed by a browser maker doesn't necessarily mean a particular browser is less secure. For example, Mozilla may be more proactively reporting and repairing vulnerabilities than other browser makers.

Johnathan Nightingale, Mozilla's security and usability expert, called bug counting a waste of time. Nightingale said it ignores the fact that Mozilla can get a patch out to 90% of its user base in less than five or six days, a feat unmatched by many other browser makers.

"What would certainly help make a better assessment is if everyone was open about all the bugs they fixed and if every security fix was well documented," Nightingale said. "There are vendors out there not doing that or bundling several patches together to keep the numbers low and they are going to show up well in these reports."

More important is the fact that many users have outdated third-party browser components, a favorite target of attackers, Nightingale said. Mozilla launched a tool in October that scans Firefox to detect outdated plugins.

The number of Web application vulnerabilities increased more than 10% from the second half of 2008. The flaws were contained in Web servers, applications, Web browsers, plug-ins and ActiveX controls. Information leakage, cross-site scripting (XSS) errors and improper authentication bugs were among the biggest issues found in many Web applications, Cenzic said.

"Of the published vulnerabilities in commercial off-the-shelf applications, SQL injection, and XSS were once again the most common, which is why it is no coincidence that most of the attacks in the first half [of the year] exploited these two vulnerabilities," the Cenzic report noted.

Information leakage errors accounted for 87% of vulnerabilities discovered by Cenzic tests. Web applications that reveal sensitive user data or HTML comments left by developers could be used by hackers to gather data and attempt to penetrate a company's defenses, Cenzic said. XSS errors accounted for 73% of vulnerabilities discovered. The flaws enable an attacker to inject malicious code into the application to spoof content or hijack legitimate websites to target visitors.

Authentication flaws also increased, accounting for 56% of vulnerabilities encountered by Cenzic. The errors allow users to log in without supplying correct credentials. Sometimes the errors can reveal valid usernames and passwords, allowing an attacker to easily gain access to systems, Cenzic said.

The firm also cited a number of different high-profile attacks carried out by hackers exploiting common Web-based vulnerabilities. Hackers carried out XSS attacks against HSBC and Barclays banking websites in June. Turkish hackers gained access to low-level U.S. Army Web servers in May by exploiting SQL injection vulnerabilities, redirecting a website to a webpage protesting climate change.

"It's evident from some of the highly visible attacks in the last couple of years that many attacks go unnoticed for months and years before they are caught, and even those are by accident," the report noted. "We believe that for every attack that's reported, there are a hundred more that have gone unnoticed, as most companies don't know when they are being hacked."

All Rights Reserved, Copyright 2009 - 2010, TechTarget | Read our Privacy Policy