Studies Find Websites Rife With Unpatched Vulnerabilities
William Jackson writes on GCN.com:
Although the overall number of vulnerabilities being discovered in software appears to be leveling off or even dropping, two recent reports on Web security say that the overwhelming majority of Web sites studied still have unpatched vulnerabilities that could expose visitors to malicious code.
“It’s part of a trend that has been going on since 2006,” Tom Stracener, senior security analyst at Cenzic’s Intelligent Analysis Lab, said of the focus on Web vulnerabilities. “There is a tremendous focus on it in the research community.”
According to a trend report for the second quarter of 2008 released this week by Cenzic, seven of 10 Web applications analyzed engaged in unsafe communications practices that could lead to exposure of sensitive information during transactions. Cross-site scripting is the most common injection flaw, with 60 percent of sites analyzed being vulnerable to the attacks. About 20 percent had SQL injection applications.
Meanwhile, WhiteHat Security reported similar findings when it released its fifth Web site Security Statistics Report this week, also covering the second quarter of the year. It reported that cross-site request forgery vulnerabilities are present in about 75 percent of Web sites.