For years buffer overflow has been the favorite target of online attackers, but no more: Cross-site scripting is now the biggest culprit
That's the scoop from Mitre Corp., which later this week will release its latest findings about the flaws behind publicly-disclosed vulnerabilities.
The number two favorite flaw is SQL injection, says Robert Martin, lead for compatibility and outreach at Mitre, who first discussed the new data at yesterday's Cyber Security Executive Conference in New York. The number of buffer overflow flaws exploited dropped to number three in 2005 and number four so far this year, according to Mitre.
Martin says he was surprised to find that cross-site scripting has become the main flaw that attackers exploit in software. "We hadn't heard anything about this shift."
Mitre has recorded about 20,000 common vulnerability and exposures (CVE) -- the designation given to all publicly reported vulnerabilities -- with around 150 coming in per week. The statistics were based on samples of these CVEs, he says.
For 2006, 21.5 percent of the CVEs were XSS; 14 percent SQL injection; 9.5 percent php "includes" and 7.9 buffer overflow. Last year was the first time XSS jumped ahead of buffer overflows, with 16 percent; SQL injection accounted for 12.9 percent; and buffer overflows accounted for 9.8 percent.
Why the shift? "Attackers go with what they know," says Matt Fisher, senior security engineer with SPI Dynamics. "Cross-site scripting and SQL injection are the easiest to attack."
Since buffer overflows are a C language phenomenon, the new data suggests that more vulnerabilities being reported lately are for non-C-based software platforms, notes Mitre's Martin. That means .NET, Java, and PHP are probably getting hit more, he says.
SQL injection is hard to defend against, too, he notes. "The database is where the good stuff is... it's an attractive target, so a lot of people are hammering on it," he says. Mitre's numbers are based only on publicly reported flaws -- there are likely more out there, he says.
Jeremiah Grossman, CTO for White Hat Security, says cross-site scripting has been mostly downplayed, with phishing getting the most attention.
Knowing which weaknesses attackers are exploiting can help enterprises in their software platform purchases, as well as their purchases of vulnerability assessment tools, security experts say.
"The selection of [more secure] Web platforms means a lot," Grossman says. You should also do software scans and vulnerability assessments regularly, he says.
Meanwhile, Mitre is also heading up a Department of Homeland Security effort to create a Common Weakness Enumeration (CWE) dictionary, which will establish "standard" definitions of a specific flaw and its variants. Just calling a flaw "XSS" doesn't mean it's the same variant (there are eight of them so far) of an XSS exploit as the one your software vendor protects itself against, for instance.
"From a defensive point of view, there's not just one type of thing you have to be looking through code for," he says. "That's where CWE comes in -- to make sure there's agreement on what" type of XSS or other flaw is in a software package, Martin says.
The information can also help organizations in their security audits. "It helps you prioritize your [remediation] resources and lets your security audit get more detailed," he says.
The CWE data could also help enterprises get more details about vulnerability assessment tools. "You'll be able to ask what specific CWE their tools scan for," Martin says.
The CWE will also provide more details in the public CVE vulnerability reports. "In a perfect world, every researcher will know the CWE dictionary," Martin says. This knowledge will help researchers report more details about the roots of a newfound vulnerability, he says.
Kelly Jackson Higgins, Senior Editor, Dark Reading