Vendors patch security vulnerabilities within 3 weeks
High-Tech Bridge Security Research Lab released its statistics on web application security for the first half of 2013. The statistics are based on HTB Security Advisories, which are released weekly, and cover 73 vulnerabilities in open source web applications whose names appear at least 50’000 times in Google.
In Q1 and Q2 of 2013 Cross-Site Scripting (XSS) was the most common vulnerability in web applications, SQL Injection was second, and Cross-Site Request Forgery was third.
During this period, 65% of discovered vulnerabilities were medium risk and 20% were high risk. 95% of vendors released security patches before public disclosure of the vulnerabilities. On average, vendors released security patches within 3 weeks of being notified about a discovered vulnerability.
Marsel Nizamutdinov, High-Tech Bridge Chief Research Officer, explains the latest trends in web security: “Today our security researchers have to work hard to find vulnerabilities in well-known web applications. First of all, the code of such web applications has been developed for many years and is quite mature today. It does not contain many security flaws, simply because security researchers found almost everything during the past years.
“New functionality brings new vulnerabilities; however, the code, quite often consisting of millions of lines, is quite difficult to analyze because of its complicated structure. In comparison to 2003, when almost every PHP application was vulnerable to PHP include or SQL injection attacks, today there are far fewer critical vulnerabilities in web applications.
“As our statistics show, the most prevalent vulnerability is XSS, which many web developers still fail to avoid. However, it doesn’t mean that critical vulnerabilities have disappeared – they have just become more complicated to find and more sophisticated to exploit. A good example is our recent advisory for the OpenX online ads platform that describes two PHP File Inclusion vulnerabilities, which permit execution of arbitrary PHP code on a vulnerable system. However, these vulnerabilities can be exploited only by logged-in administrators (an attacker must initially perform an XSS attack to steal the administrator’s credentials, using XSS vulnerabilities that are also described in the advisory), or via a CSRF vector to which the application was prone as well. This makes the attack process a bit longer, but it doesn’t make the vulnerabilities less dangerous.”
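The chain described in the quote above (XSS to steal a session, CSRF to make the administrator act, a PHP file inclusion to run code) maps onto three defensive patterns in PHP: output escaping, a CSRF token compared in constant time, and an allowlist between request input and `include`. The following is an added example for this article; it is not code from High-Tech Bridge, OpenX, or the advisory, and the page names, allowlist, session array and query values are constructed.

```php
<?php
declare(strict_types=1);

// 1. File inclusion. Vulnerable pattern (kept only to show the contrast):
//    the request decides which file is executed.
function render_page_unsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';   // attacker-influenced path
}

// Hardened: the request selects a key; only keys in the allowlist map to a
// file, and the file name itself never comes from the request.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',      // constructed entries
    'reports' => 'reports.php',
];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        return null;   // unknown key: refuse rather than build a path from it
    }
    return __DIR__ . '/pages/' . PAGE_ALLOWLIST[$page];
}

// 2. XSS. Escape at the point of output, for the HTML context the value lands in.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. CSRF. A per-session random token, echoed in forms and verified on every
//    state-changing request with a constant-time comparison.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_check(array $session, ?string $submitted): bool
{
    return is_string($submitted)
        && isset($session['csrf'])
        && hash_equals($session['csrf'], $submitted);
}

// Constructed request: a valid page key plus a hostile search string.
$session = [];                       // stands in for $_SESSION after session_start()
$query   = ['page' => 'home', 'q' => '<script>alert(1)</script>'];

$file = resolve_page((string)($query['page'] ?? ''));
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
// Only a file from the allowlist reaches include; the directory is assumed to exist.
if (is_file($file)) {
    include $file;
}

$token = csrf_token($session);
echo '<form method="post"><input type="hidden" name="csrf" value="'
   . html_escape($token) . '"></form>' . PHP_EOL;
echo '<p>Results for: ' . html_escape((string)$query['q']) . '</p>' . PHP_EOL;

// A POST carrying the wrong token is rejected before any state changes.
var_dump(csrf_check($session, 'not-the-token'));
var_dump(csrf_check($session, $token));
```

The allowlist is the part that removes the inclusion class entirely: input only ever selects among fixed server-side names, so path traversal, wrapper schemes and null bytes have nothing to act on. Escaping and the CSRF token then close the two steps the quote describes as the way an attacker reaches the administrator in the first place.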
Marsel Nizamutdinov also gives some details about collaboration with vendors during the first six months of 2013: “3/4 of vendors replied within several days after notification about a vulnerability. We even had a vendor who not just replied, but fixed a discovered XSS vulnerability within several hours after notification, but this is rather an exception than a rule.
“We also had an example of a very slow vendor with our security advisory for Xaraya CMS (HTB23156): after dozens of attempts to get a security patch from the vendor, we decided to release a security patch ourselves and disclose the advisory. We did so because the main objective of our security advisories is to protect the end-users. Responsible disclosure is something that our industry misses quite often these days.”