Overall, the most commonly exploited Web application vulnerabilities continue to be SQL Injection and Cross Site Scripting (XSS), which account for 19 percent and 16 percent of all Web attacks, respectively. Attacks on several Adobe applications, including Flash, ColdFusion and Reader, led the report and earned Adobe the name "The Year's Most Hacked Software." Among Web browsers, Mozilla Firefox had the largest share of browser vulnerabilities at 44 percent; however, Mozilla also shipped the most fixes, leaving only 12 percent of its vulnerabilities unpatched. Microsoft Internet Explorer, named the second most vulnerable browser with 25 percent of all browser vulnerabilities, had 36 percent of them unpatched.
"Time after time, year after year, we see SQL Injection, XSS, information leaks, and session management as the most commonly used Web attacks, and it is mind boggling to see that more than 90 percent of Web applications continue to be vulnerable," said Mandeep Khera, chief marketing officer at Cenzic. "The solutions are available. Organizations that would like to protect themselves no longer need dedicated IT staff or experts. With managed service offerings and the launch of Cenzic’s ClickToSecure Cloud application, it’s very easy to get a jump start and begin securing Web applications. We have to overcome this insanity."
Findings from Cenzic's Q3-Q4 2009 Trends Report point to the continued growth of attacks through Web applications. Web vulnerabilities continue to make up the largest share of reported vulnerability volume, with roughly 82 percent of all reported vulnerabilities affecting Web technologies.
Cenzic Application Security Trends Report Q3-Q4 2009 Findings
The report, which illustrates trends among thousands of corporations, financial institutions and government agencies, incorporates findings from Cenzic ClickToSecure, Cenzic’s leading-edge managed security assessment (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Some of the key findings include:
82 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, Plugins and ActiveX, which is a significant increase from earlier in the year.
Of Web browser vulnerabilities, Firefox had the largest percentage, at 44 percent, but the browser also had the best patch ratio. Internet Explorer vulnerabilities came in at 25 percent.
Adobe, Sun and HP continue to be among the Top 10 vendors having the most severe vulnerabilities for the second half of 2009.
To download a PDF version of the Q3-Q4 2009 Trend Report, please visit:
For a hard copy of the full report you can also visit Cenzic at the RSA Conference in San Francisco from March 1st through March 5th, at booth 2624. [March 2, 2010]