Web Sites Rife with Unpatched Vulnerabilities

Although the overall number of vulnerabilities being discovered in software appears to be leveling off or even dropping, two recent reports on Web security say that the overwhelming majority of Web sites studied still have unpatched vulnerabilities that could expose visitors to malicious code.

"It's part of a trend that has been going on since 2006," Tom Stracener, senior security analyst at Cenzic's Intelligent Analysis Lab, said of the focus on Web vulnerabilities. "There is a tremendous focus on it in the research community."

According to a trend report for the second quarter of 2008 released this week by Cenzic, seven of 10 Web applications analyzed engaged in unsafe communications practices that could lead to exposure of sensitive information during transactions. Cross-site scripting is the most common injection flaw, with 60 percent of sites analyzed being vulnerable to the attacks. About 20 percent had SQL injection applications.

Meanwhile, WhiteHat Security reported similar findings. The company released its fifth Web site Security Statistics Report this week, also covering the second quarter of the year. It reported that cross-site request forgery vulnerabilities are present in about 75 percent of Web sites.

"On a positive note, 66 percent of all vulnerabilities identified have been remediated, underscoring the value of a consistent Web site vulnerability management program," WhiteHat reported. But it also reported that 82 percent of sites have at least one security issue, with 61 percent having issues rated as high, critical or urgent under the Payment Card Industry Data Security Standard.

Cenzic reported that although the overall number of vulnerabilities reported in the second quarter was down slightly, the number of Web vulnerabilities remained nearly constant. The Web accounted for about 73 percent of all vulnerabilities reported in the second quarter, up from 70 percent the previous quarter.

"It should be noted, however, that the frequency with which security issues are reported does not reflect the frequency of their distribution in the wild," the report said. "For example, cross-site scripting comprised roughly 23 percent of the total application vulnerability volume, yet this vulnerability is very common in proprietary Web applications."

Interactive Web formats that emphasize user-generated content, often placed under the broad title "Web 2.0," are becoming an increasingly important area of interest for researchers and hackers. Cenzic reported an increasing focus on client-side Web-enabled tools, such as ActiveX controls, QuickTime, Flash players and other media players, often embedded in applications.

"Attacking client-side applications or browser plug-ins is increasingly becoming a means for distributing malware, rootkits and backdoors," the report said.

About the Author

William Jackson is the senior writer for Government Computer News (


  • Azure Active Directory Connect Preview Adds Support for Disconnected AD Forests

    Microsoft on Thursday announced a preview of a new "Cloud Provisioning" feature for the Azure Active Directory Connect service that promises to bring together scattered Active Directory "forests."

  • Microsoft Defender ATP Gets macOS Investigation Support

    The endpoint and detection response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices.

  • How To Block Self-Service Purchasing in Microsoft's Power Platform

    Microsoft threw Office 365 admins a bone when it gave them the ability to block users from purchasing Power Platform tools without IT approval. Here's how to prevent total anarchy.

  • Azure DevOps Services Losing Support for Alternate Credentials

    Microsoft gave notice last week that it's going to drop Alternate Credentials support for authenticating users of its Azure DevOps Services.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.