Web application vulnerabilities such as cross-site scripting (XSS) and SQL injection may be widespread, but old-fashioned buffer overflow bugs are the most common flaws reported, according to new vulnerability research from Telus.

And in case you were wondering, Microsoft's aggressive initiative to shore up its product security appears to be paying off -- the level of severity of bugs in the software giant's products is declining significantly, according to a security research arm of telecommunications firm Telus.

Telus, which provides vulnerability research analysis to most of the 20 top security vendors -- including IBM ISS and McAfee -- bases its data on vulnerabilities reported in enterprise-class products. The company historically hasn't released that data to the public, but last week it discussed some of the findings at the SecTor security conference in Toronto.

Telus's data is based on a technical analysis of disclosed and reported vulnerabilities, the company says, from January 2004 to the present.

Microsoft went from around 175 high-severity vulnerabilities reported last year to 129 this year, and from 20 critical bugs to eight this year so far, according to Telus's data. And overall, the top 50 software and network equipment vendors have had fewer severe bugs this year than last, says Richard Reiner, chief security and technology officer for Telus. "The severity of Microsoft's product [vulnerabilities] are dropping dramatically," Reiner says.

More than 170 critical vulnerabilities have been reported so far in 2007, versus fewer than 160 last year. High-severity vulnerabilities increased from around 925 last year to nearly 1,150 this year, according to Telus.

Interestingly, most reported Web app bugs are less severe than other types of vulnerabilities, the research firm said. Buffer overflows, which accounted for 1,470 of the reported bugs from January '04 until now, are also typically the most severe. "This was surprising, because buffer overflows are among the easiest vulnerabilities to avoid or correct," Reiner says. "When they exist, they tend to be the most critical... I'm not surprised by that part, but by how prevalent they are."

File inclusion (1,148) and denial-of-service (1,049) were the next-most prevalent vulnerabilities.

Common Web vulnerabilities such as cross-site scripting (925) and SQL injection (961) aren't typically critical threats, Reiner says. Only one bug in the off-the-shelf Web products studied by Telus had a critical SQL bug, and none of them had a critical XSS flaw, he says.

The good news, then, is that off-the-shelf Web platforms are relatively secure. The bad news is that the customized or home-grown Web apps Telus studied were riddled with critical bugs: "The number of vulnerabilities in widely used Web application platforms has been relatively small," he says. "But the situation is quite different in custom and one-off applications businesses build."

In the last 200 custom Web applications Telus studied, all but one had a critical vulnerability, he says.

Telus's data differs from that of Mitre Corp.'s latest Common Vulnerabilities and Exposures Report, which was released in May. The broader CVE report named XSS as the most prevalent vulnerability reported in 2006. (See Beware of the Quiet Ones.)

The number of critical and high-risk vulnerabilities is increasing, but that may be because these bugs are now being discovered on smaller vendors' products, Telus says. Server vulnerabilities still outnumber client flaws, but client bugs have increased from 31 percent of the vulnerabilities last year to 39 percent this year.

Keyloggers and backdoor Trojans make up more than half of high-risk spyware, and the winter months -- January, October, November, and December -- are the peak time for vulnerabilities to emerge. May and June are the quietest, according to Telus's findings.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.