
Cenzic First Half 2010 Web Application Security Trends Report Reveals 60 Percent of Web Application Vulnerabilities Have No Known Fix

Hundreds of Web Exploits Publicly Available to Hackers, Safari and Adobe Flash Top Most Vulnerable List, Danger on the Web Continues to Grow

Las Vegas – Black Hat 2010 – July 28, 2010 – Cenzic Inc., the leading provider of Web application security solutions, today released its report detailing statistics on the vulnerability trends for Web applications for Q1 and Q2 2010. Perhaps the most startling of the findings is that of the reported 4,019 Web related vulnerabilities discovered, 60 percent have no known fix. In addition, 45 percent of vulnerabilities have publicly available exploit code, and nearly 1,000 Web related vulnerabilities with publicly available exploits have no known solution, leaving users in extreme danger of hacker attacks. What is more, some of the most insecure Web applications cited in the report are from well-known companies including Apple, Adobe and Microsoft.

Another key finding in Cenzic’s Trends Report, compared to the same period last year, is a shift in the security of common Web browsers. Vulnerabilities in Apple’s Safari more than tripled, from 25 in the second half of 2009 to 83 in the first half of 2010. Google Chrome also experienced a significant increase in the number of vulnerabilities, which rose from 25 to 69. However, both Microsoft Internet Explorer and Mozilla Firefox showed security improvements: Internet Explorer had 40 vulnerabilities compared to 44 in the second half of 2009, and Firefox had 59 compared to 77 in the second half of 2009. One notable difference is that all browser vendors did a great job of patching their vulnerabilities quickly.

“In the hands of hackers, information is power. Because of the amount of publicly available information on these exploits, even the most inexperienced hacker is a Google search away from learning about a vulnerability and exploiting it – for money, fame or political reasons – in a matter of minutes,” said Mandeep Khera, chief marketing officer at Cenzic. “Companies need to take the initiative when it comes to dealing with these persistent threats to truly safeguard their sites, but unfortunately, most fall short. It’s a lottery of the wrong kind. With an unprotected Web infrastructure, you will get hacked; it’s just a question of when.”

The Cenzic Application Security Trends Report emphasizes the Top 10 Web application vulnerabilities from published reports in Q1-Q2 2010, illustrating trends among thousands of corporations, financial institutions and government agencies. The top 10 vulnerabilities for the first half of 2010 included familiar names such as Oracle, Cisco, Microsoft, Safari and Adobe Flash, where most Web applications were found to have vulnerabilities related to Cross-Site Scripting or information leaks and exposures.

The most common published vulnerabilities in Web applications detailed in the report continue to be Cross-Site Scripting (XSS) and SQL Injection, which account for 28 percent and 20 percent of all Web attacks, respectively. Among proprietary Web applications developed by companies in-house and assessed using Cenzic’s managed service offering, Information Leak vulnerabilities were the most prevalent, with 49 percent of applications tested at risk, followed by Authorization and Authentication at 21 percent. Once again, Cenzic observed that over 90 percent of all the proprietary applications assessed were vulnerable in some way.

To download a PDF version of the Q1-Q2 2010 Trend Report, please visit http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2010.pdf. For a hard copy of the full report, you can also visit Cenzic at Black Hat 2010 in Las Vegas, at booth 38.

About Cenzic

Cenzic, a trusted provider of software and SaaS security products, helps organizations secure their websites against hacker attacks. Cenzic focuses on Web Application Security, automating the process of identifying security defects at the Web application level where more than 75 percent of hacker attacks occur. Our dynamic, black box Web application testing is built on a non-signature-based technology that finds more “real” vulnerabilities as well as provides vulnerability management, risk management, and compliance for regulations and industry standards such as PCI. Cenzic solutions help secure the websites of numerous Fortune 1000 companies, all major security companies, leading government agencies and universities, and hundreds of SMB companies -- overall helping to secure trillions of dollars of e-commerce transactions. The Cenzic solution suite fits the needs of companies across all industries, from a cloud solution (Cenzic ClickToSecure Cloud™), to testing remotely via our managed service (Cenzic ClickToSecure® Managed), to a full enterprise software product (Cenzic Hailstorm® Enterprise ARC™) for managing security risks across the entire company.