

31.03.2008

Most Websites Continue to be Vulnerable to Security Attacks



A recent security survey published by WhiteHat Security, Inc. found that roughly 90 percent of Web sites continue to have security vulnerabilities. In other news, Microsoft Corp. officials acknowledged that they had left known vulnerabilities in the Jet Database Engine unpatched, and Mozilla Corp. announced that it had fixed 10 bugs in Firefox.

Focal Points:

  • WhiteHat Security's report found that 90 percent of Web sites still have vulnerabilities that attackers can exploit, with an average of seven vulnerabilities per site. Cross-site scripting (XSS) is the most common class, present in 70 percent of sites. Cross-site request forgery (CSRF) is a growing threat: by causing a logged-in user's browser to submit a request the user never intended, it can trigger unauthorized actions such as fraudulent wire transfers. Most CSRF attacks currently go undetected by security vendors' products.
  • Microsoft security staff recently acknowledged that they had known of bugs in the Jet Database Engine since 2005. They said they did not patch the flaws themselves because they had blocked the attack vectors known at the time: Outlook refused to open attachments with the .mdb extension, Exchange servers stripped such files from incoming messages, and Internet Explorer warned users who attempted to open them. Jet is used for data access in Microsoft Access and Visual Basic. Those mitigations proved insufficient when researchers found that attackers could get a malicious .mdb file loaded through a Microsoft Word document, a path the existing extension-based blocks did not cover.
  • Mozilla recently announced that it had patched 10 known vulnerabilities in Firefox, shipped as version 2.0.0.13. Five were rated critical; the remainder were rated moderate or low. Two of the fixes address crash bugs in the browser or its JavaScript engine; others address identity-management, spoofing and cross-site scripting flaws. Five of the 10 vulnerabilities remain unfixed in the Thunderbird e-mail client.

Experton Group believes security policies will need to be updated to explicitly restrict employees from visiting sites that are not directly related to business. This applies especially to social networking sites such as Myspace and Facebook, given the ease with which these sites are being compromised. At the same time, stronger controls are needed to ensure that patches are applied as quickly as possible, and that security regression tests are run whenever a newly discovered threat falls outside existing test coverage. IT executives should work with security personnel to develop more aggressive security testing, along with more frequent testing of employees' knowledge of, and adherence to, corporate security policies.
