
Cenzic Lists Top 10 Hacking Vulnerabilities in 2010

Cenzic, a provider of software, managed service, and cloud security products, has published a report on hacker trends in the first half of 2010, identifying what it calls the Top 10 vulnerabilities “based on severity levels and impact of an exploit.”

The company said it analyzed all reported vulnerabilities from various sources including MITRE, NVD, OSVDB, Security Focus, and Security Tracker, as well as other third-party databases for Web application security issues reported during the first half of the year.

“We looked at the total vulnerabilities and vulnerabilities specifically associated with Web technologies,” the company said. “For this period, roughly 66 percent of all vulnerabilities pertained to Web applications and related technologies, which is lower than the last two periods, albeit still very high.”

Cenzic said the numbers represent the published vulnerabilities of various commercial off-the-shelf software as well as open-source software.


“These include a lot of the big players including Oracle, Microsoft, Cisco, Adobe, and Apple, and a few small ones,” said Mandeep Khera, Cenzic chief marketing officer. “We have also highlighted some of the interesting web-level attacks that took place in the first half of 2010. Most of the attacks continue to be either financially or politically motivated. Most organizations being hacked have no clue that they are actually being hacked. For every attack that is reported, there are hundreds of attacks that are not being reported. Billions of dollars’ worth of damage is being caused by hackers every year through website attacks. The trend is not likely to slow down. And, the worst is yet to come.”

That said, Cenzic classified the following Web application vulnerabilities as the most severe so far in 2010. The company said these are not listed in any specific order:

1. Oracle Java Deployment Toolkit Java Web Start Argument Injection Arbitrary Program Execution. An unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through 19 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. CVE-2010-0886

2. TANDBERG Video Communication Server Admin Web Console secure.php Crafted HTTP. The administrative web console on the TANDBERG Video Communication Server (VCS) before X4.3 uses predictable session cookies in (1) tandberg/web/lib/secure.php and (2) tandberg/web/user/lib/secure.php, which makes it easier for remote attackers to bypass authentication and execute arbitrary code by loading a custom software update via a crafted “Cookie:tandberg_login=” HTTP header. CVE-2009-4509; CWE-94.

3. Cisco Digital Media Player Unspecified Remote Display Content Injection. Unspecified vulnerability on the Cisco Digital Media Player before 5.2 allows remote attackers to hijack the source of (1) video or (2) data for a display via unknown vectors, related to a “content injection” issue, aka Bug ID CSCtc46024. CVE-2010-0573

4. Microsoft IE Dynamic OBJECT Tag Cross-domain Arbitrary File Access. Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions to read arbitrary files via vectors involving JavaScript exploit code that constructs a reference to a file://127.0.0.1 URL, aka the dynamic OBJECT tag vulnerability, as demonstrated by obtaining the data from an index.dat file, a variant of CVE-2009-1140 and related to CVE-2008-1448. An attack would involve malicious web content navigating a victim’s browser to a UNC path referencing index.dat on the local filesystem. Script planted within index.dat would then be able to read data from other local files on the machine. The attacker could then access files in predictable paths, assuming the files were not locked for read or otherwise inaccessible. This allows remote attackers to bypass the Same Origin Policy. CVE-2010-0255; CWE-264

5. Linksys WAP54Gv3 firmware 3.04.03 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) data2 and (2) data3 parameters to (a) Debug_command_page.asp and (b) debug.cgi. CVE-2010-0255; CWE-264

6. Joomanager Component for Joomla! index.php catid Parameter SQL Injection. Joomanager Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the “index.php” script not properly sanitizing user-supplied input to the “catid” parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. CVE-2010-2622; CWE-89

7. Newsfeeds Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the “index.php” script not properly sanitizing user-supplied input to the “feedid” parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. CVE-2010-1739; CWE-89

8. Stack-based buffer overflow in the WebDAV implementation in webservd in Sun Java System Web Server (aka SJWS) 7.0 Update 7 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via a long URI in an HTTP OPTIONS request. CVE-2010-0361; CWE-119

9. Use-after-free vulnerability in Adobe Flash Player 6.0.79, as distributed in Microsoft Windows XP SP2 and SP3, allows remote attackers to execute arbitrary code by unloading a Flash object that is currently being accessed by a script, leading to memory corruption, aka a “Movie Unloading Vulnerability.” CVE-2010-0378

10. Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving document.write calls with long crafted strings. CVE-2010-1177; CWE-94
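Items 6 and 7 share one root cause: a request parameter (catid, feedid) is spliced into SQL text without validation. The example below is added here for illustration and is not Cenzic's, Joomla's or either component's code; it uses an in-memory SQLite table with constructed rows, and the function and column names are assumptions. It shows the unsafe pattern beside the fix a defender would apply: validate the parameter's type, then bind it as a query parameter so the driver never treats it as SQL.

```python
import sqlite3

# Constructed sample data standing in for a component's category table.
# Row 3 is unpublished and must never be returned to an anonymous visitor.
SAMPLE_ROWS = [
    (1, "public-news", 1),
    (2, "public-events", 1),
    (3, "internal-drafts", 0),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE categories (id INTEGER, title TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO categories VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, catid):
    """The flawed pattern: the raw request parameter becomes part of the SQL text.

    Because AND binds tighter than OR, a value such as '1 OR 1=1' turns the
    filter into (published = 1 AND id = 1) OR 1=1, which matches every row.
    """
    sql = f"SELECT id, title FROM categories WHERE published = 1 AND id = {catid}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, catid):
    """Hardened lookup: strict type validation plus a bound parameter."""
    # catid is an integer identifier; anything else is rejected before any SQL runs.
    try:
        catid_int = int(catid)
    except (TypeError, ValueError):
        raise ValueError("catid must be an integer")
    # The placeholder is bound by the driver, so the value is always data, never SQL.
    sql = "SELECT id, title FROM categories WHERE published = 1 AND id = ?"
    return conn.execute(sql, (catid_int,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "1"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, "1 OR 1=1"))
    print("fixed, normal input      :", lookup_fixed(db, "1"))
    try:
        lookup_fixed(db, "1 OR 1=1")
    except ValueError as exc:
        print("fixed, crafted input     : rejected ->", exc)
```

The validation step is not a substitute for the bound parameter; it is a second layer. Even a parameter that should be free text belongs in a placeholder, and the type check simply gives the application a clean place to log and reject malformed requests before they reach the database.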
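Item 5 is the OS-command counterpart of the same mistake: a diagnostic page hands a request parameter to a shell, so metacharacters in it change the command. The following example is added here and is not Linksys firmware code; it uses `echo` as a stand-in for the device's diagnostic command so that it runs anywhere, and the function names and the hostname pattern are assumptions. It contrasts the concatenate-and-shell pattern with an argv list plus an allowlist check on the parameter.

```python
import ipaddress
import re
import subprocess

# Stand-in for the real diagnostic tool (e.g. ping); chosen so the example is harmless.
DIAG_COMMAND = "echo"

# Conservative hostname allowlist: labels of letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def run_diag_vulnerable(target):
    """The flawed pattern: request text concatenated into a shell command line.

    With shell=True the string is parsed by /bin/sh, so ';', '|', '`' and
    friends in `target` are interpreted as command separators.
    """
    result = subprocess.run(
        f"{DIAG_COMMAND} {target}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def validate_target(target):
    """Accept only an IP address or a plain hostname; reject everything else."""
    try:
        # ip_address() normalises and raises ValueError on anything that is not an IP.
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError(f"invalid diagnostic target: {target!r}")


def build_argv(target):
    """Build the argument vector; no shell is involved, so no metacharacters apply."""
    return [DIAG_COMMAND, validate_target(target)]


def run_diag_fixed(target):
    """Hardened runner: validated argument, passed as argv, never through a shell."""
    result = subprocess.run(build_argv(target), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("fixed, normal input      :", run_diag_fixed("192.0.2.1"))
    try:
        run_diag_fixed("192.0.2.1; echo INJECTED")
    except ValueError as exc:
        print("fixed, crafted input     : rejected ->", exc)
    print("vulnerable, crafted input:", run_diag_vulnerable("192.0.2.1; echo INJECTED"))
```

The argv form alone already stops the shell from interpreting the parameter; the allowlist is there because the tool being invoked may have its own argument parsing (options beginning with `-`, for instance), and restricting the value to the shapes the page legitimately needs removes that second surface as well.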

Khera noted that while more software vendors are becoming conscientious about building security into the software development lifecycle, much more progress is needed. “With over 100 million Web applications out there, and over 95 percent still vulnerable, it’s a long road ahead,” Khera said. “Most organizations still haven’t updated their applications to the available patches and with thousands of new vulnerabilities every year they’ll continue to fall behind. Of course, one segment of the population likes this scenario. Hackers know their future is secure for a while. They are constantly circling in the virtual skies waiting for the right opportunity. And, it’s not 'if' but 'when' will you get hacked. It’s a lottery of the wrong kind.”

To access the complete Cenzic Web Application Security Trends Report—Q1-Q2, 2010, go to www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2010.pdf.

