I recently came across the IBM Internet Security Systems X-Force 2008 Mid-Year Trend Statistics report, which outlines issues affecting internet security, including Web application vulnerabilities, phishing, malware and spam.

Two areas of particular interest to me were security concerns regarding Web applications, browsers and other client-side applications.

Web application vulnerabilities and exploitations have gained more attention recently as SQL injection attacks have become more common. Since 2006, 51 per cent of all vulnerabilities have been attributed to Web applications. The most common methods of attack have been cross site scripting (XSS), SQL injections, and File include vulnerabilities. XSS and SQL injections can occur when the user input from form fields is not appropriately validated. In an XSS attack, malicious code is inserted into a Web page, while in an automated SQL injection, user input succeeds in dynamically including SQL statements which a database then executes. In this way the attacker can gain access to the back-end database. The File include vulnerability, prevalent in PHP applications happens when remote source code gets executed in the local application.

Interestingly, three new vendors in the Top 10 list of vendors with the most vulnerability disclosures are Joomla!, WordPress and Drupal, all based on PHP.

While XSS has been the main security concern over the past few years, the number of automated SQL injections has escalated in the first half of 2008 to more than double the number of such attacks, during the same time last year.

Client-side exploits, traditionally aimed at operating systems are now increasingly targeting browsers, multimedia apps and document readers, such as the Adobe Reader. The amount of client-side vulnerabilities affected by public exploits has increased from 5 per cent in 2004 to nearly 30 per cent in the first half of this year. This is because, these days it takes less time for a public exploit to become available. In the first half of this year, it took just 24 hours for browser-related public exploits to be released after the official vulnerability warning in 94 percent of cases, as opposed to 79 percent in 2007.

The browser itself is not the only target of such exploits, but also the various plugins associated with it. According to the report, in the first half of 2008, 78 percent of public exploits targeted plugins, while 22 percent targeted the browser itself.

The full report can be found at — http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf.