The Web Attack Surface Is Getting Bigger

There's no doubt that attack trends have shifted over the years. Intruders are focusing more prominently on the Web as an inroad to servers and desktop systems. Over the past couple of months, I've written a few times about Web-related attacks.

In "Online Fraud Continues to Escalate," February 20 (at the URL below), I mentioned one particular set of statistics that really grabbed my attention. According to a report from Cyveillence, of all the phishing pages discovered in first quarter 2007, 34 percent were hosted on compromised existing Web sites. By fourth quarter 2007, that number rose to 51 percent. In "Web Security Scanning Is Paramount," March 19 (at the second URL below), I pointed out some supporting information as reported by Dancho Danchev, who revealed that thousands of Web pages at numerous high profile sites were infected with IFRAME tags that could potentially inject malicious code into a Web user's computer.

http://windowsitpro.com/Windows/article/articleid/98332/online-fraud-continues-to-escalate.html

http://windowsitpro.com/article/articleid/98663/web-security-scanning-is-paramount.html

Last week, Symantec released a new Internet Security Threat Report (at the URL below) that reveals a few more eye-opening statistics regarding Web security. In the report, the company points out that of all the vulnerabilities it documented in first half 2007, 61 percent affected server-side Web applications. In second half 2007, 58 percent affected Web applications. Clearly, Web servers are a huge attack surface.

http://www.symantec.com/business/theme.jsp?themeid=threatreport

Also in the report, Symantec points out that, "During the last six months of 2007, 11,253 site-specific cross-site scripting [XSS] vulnerabilities were documented [by the XSSed project], compared to 6,961 between February and June." Cross-site scripting often leads to session hijacking, which lets an attacker perform actions posing as the affected user. If you haven't visited the XSSed Web site (first URL below), you might consider doing so. It offers a lot of information about affected sites and has a number of RSS feeds that you can use to become aware of new XSS security problems. While you're at it, you might want to have a look at XSSing.com (second URL below).

http://www.xssed.com

http://www.xssing.com

Browsers have their own share of problems. Symantec's report shows that in 2007, there were 122 documented vulnerabilities in Mozilla Firefox, 57 in Microsoft Internet Explorer (IE), 47 in Apple Safari, and 19 in Opera. And that's not counting those in add-ons and plug-ins, which also pose significant security problems. According to the report, in 2007, ActiveX controls had 400 vulnerabilities, the popular Apple QuickTime plug-in had 37, Java had 17, Mozilla extensions had 4, Adobe Acrobat had 3, and Adobe Flash Player had 11. (A major update for Flash was released last week; learn more at the URL below.)

http://windowsitpro.com/article/articleid/98843/flash-player-contains-several-vulnerabilities.html

Obviously, Web browsers also provide a huge attack surface. Here's a case in point that demonstrates the danger level: You recall that in late March, the CanSecWest conference hosted its second annual PWN2OWN contest that pitted attackers against Mac OS X, Windows Vista, and Ubuntu Linux over a period of three days. OS X was the first to be cracked, and as you might suspect, the crack was accomplished by using a vulnerability in Safari. Later, Vista fell victim too. Again, browser technology was at fault. By using a combination of JavaScript and a Flash Player vulnerability, the attacker was able to break into the OS, even with SP1 installed.

Even the latest protections and updates are bound to have chinks in their armor. And, here we are on the brink of the software-as-a-service (SaaS) explosion, plenty of which will become entirely Web based. Which of course means that the attack surface will become even bigger.

We can easily predict that summary reports for 2008 and 2009 will most likely be even worse than for 2007. Meanwhile, as a security administrator, you've got your work cut out for you with both Web servers and Web clients.