
Buffer Overflows Are Top Threat, Report Says

Research data says buffer overflow bugs outnumber Web app vulnerabilities, and some severe Microsoft bugs are on the decline

Web application vulnerabilities such as cross-site scripting (XSS) and SQL injection may be widespread, but old-fashioned buffer overflow bugs are the most common flaws reported, according to new vulnerability research from Telus.

And in case you were wondering, Microsoft's aggressive initiative to shore up its product security appears to be paying off -- the level of severity of bugs in the software giant's products is declining significantly, according to a security research arm of telecommunications firm Telus.

Telus, which provides vulnerability research analysis to most of the 20 top security vendors -- including IBM ISS and McAfee -- bases its data on vulnerabilities reported in enterprise-class products. The company historically hasn't released that data to the public, but last week it discussed some of the findings at the SecTor security conference in Toronto.

Telus's data is based on a technical analysis of disclosed and reported vulnerabilities, the company says, from January 2004 to the present.

Microsoft went from around 175 high-severity vulnerabilities reported last year to 129 this year, and from 20 critical bugs to eight this year so far, according to Telus's data. And overall, the top 50 software and network equipment vendors have had fewer severe bugs this year than last, says Richard Reiner, chief security and technology officer for Telus. "The severity of Microsoft's product [vulnerabilities] are dropping dramatically," Reiner says.

More than 170 critical vulnerabilities have been reported so far in 2007, versus fewer than 160 last year. High-severity vulnerabilities increased from around 925 last year to nearly 1,150 this year, according to Telus.

Interestingly, most reported Web app bugs are less severe than other types of vulnerabilities, the research firm said. Buffer overflows, which accounted for 1,470 of the reported bugs from January '04 until now, are also typically the most severe. "This was surprising, because buffer overflows are among the easiest vulnerabilities to avoid or correct," Reiner says. "When they exist, they tend to be the most critical... I'm not surprised by that part, but by how prevalent they are."
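To illustrate Reiner's point that the overflow class is easy to avoid, here is an added example (not from the Telus report or this article) in C: the usual defect is a fixed-size buffer filled by a copy that never compares the input length against the destination, and the correction is a bounded copy that refuses oversized input. The `copy_bounded` and `store_name` functions and the constructed inputs are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* constructed fixed-size destination */

/* The defect behind a typical buffer overflow report: a fixed-size local
   buffer (char name[NAME_MAX]) filled with strcpy(name, input) or with a
   length read from the input, neither of which is checked against sizeof
   name. Input longer than NAME_MAX - 1 bytes then overwrites whatever
   follows the buffer on the stack. */

/* Hardened form: measure the source only within the destination's size,
   and refuse input that does not fit rather than truncating it silently.
   Returns 0 on success, -1 if copying would overrun dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator only inside the first dst_size bytes, so the
       scan itself never reads further than the destination could hold. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;                 /* no terminator within dst_size: too long */
    size_t n = (size_t)(end - src); /* n <= dst_size - 1, leaves room for NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Constructed record handler: returns the stored length, or -1 when the
   input was rejected instead of being allowed to overrun name[]. */
int store_name(const char *input)
{
    char name[NAME_MAX];
    if (copy_bounded(name, sizeof name, input) != 0)
        return -1;
    return (int)strlen(name);
}

int main(void)
{
    printf("%d\n", store_name("alice"));                               /* 5  */
    printf("%d\n", store_name("this-name-is-far-too-long-for-name")); /* -1 */
    return 0;
}
```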

File inclusion (1,148) and denial-of-service (1,049) were the next-most prevalent vulnerabilities.

Common Web vulnerabilities such as cross-site scripting (925) and SQL injection (961) aren't typically critical threats, Reiner says. Only one of the off-the-shelf Web products studied by Telus had a critical SQL injection bug, and none of them had a critical XSS flaw, he says.

The good news, then, is that off-the-shelf Web platforms are relatively secure. The bad news is that the customized or home-grown Web apps Telus studied were riddled with critical bugs: "The number of vulnerabilities in widely used Web application platforms has been relatively small," he says. "But the situation is quite different in custom and one-off applications businesses build."

In the last 200 custom Web applications Telus studied, all but one had a critical vulnerability, he says.

Telus's data differs from that of Mitre Corp.'s latest Common Vulnerabilities and Exposures Report, which was released in May. The broader CVE report named XSS as the most prevalent vulnerability reported in 2006. (See Beware of the Quiet Ones.)

The number of critical and high-risk vulnerabilities is increasing, but that may be because these bugs are now being discovered on smaller vendors' products, Telus says. Server vulnerabilities still outnumber client flaws, but client bugs have increased from 31 percent of the vulnerabilities last year to 39 percent this year.

Keyloggers and backdoor Trojans make up more than half of high-risk spyware, and the winter months -- January, October, November, and December -- are the peak time for vulnerabilities to emerge. May and June are the quietest, according to Telus's findings.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
