News
1/9/2019 07:55 PM
Robert Lemos

Web Vulnerabilities Up, IoT Flaws Down

The number of flaws found in WordPress and its associated plugins have tripled since 2017, while Internet of Things vulnerabilities dropped significantly, according to data collected by Imperva.

The total number of vulnerabilities in Web applications reported by researchers jumped to 17,142 in 2018, climbing more than 21% compared to the previous year and driven in part by the large number of flaws found in Web applications and application programming interfaces. 

Popular content management system (CMS) WordPress had the most reported vulnerabilities, with 542. WordPress has a large ecosystem that includes more than 54,000 plug-ins: those same third-party plugins accounted for almost all—98%—of the Web security issues found by researchers last year, according to Web security firm Imperva, which published its findings in a report this week.  

That popularity and extensibility make WordPress popular with Web developers but also with online attackers, says Nadav Avital, research manager for threat analytics at Imperva.

"These make WordPress a lucrative asset that many hackers set their eyes upon—any security hole they may be able to find and exploit can lead to a mass infection," he says.

On the Rise

According to the National Vulnerability Database, the number of publicly disclosed vulnerabilities overall (not just in Web apps) jumped more than 127% in 2017, to 14,649 disclosed issues, after more than a decade of varying between 5,000 and 8,000 annual reports. Increases in the development of online applications, the use of open-source components, and more rigorous security testing are all likely contributing factors.

"It is somewhat expected that the overall number of vulnerabilities rises year after year," Imperva's Avital says. "Each year there are more products—new and legacy—to check and more sophisticated tools to check them with."

According to the NVD, the number of overall reported vulnerabilities continued to climb in 2018, increasing nearly 13% to more than 16,500. Other organizations tracking more specific classes of security flaws have seen similar increases: the number of vulnerabilities in open-source components, for example, has increased 51% to more than 3,200 documented issues, according to software-security firm WhiteSource Software.

"We definitely see a lot of growth in terms of the number of vulnerabilities associated with modern applications," said David Habusha, vice president of products at WhiteSource. "The attackers are focused on front-end facing Web servers, content management platforms, and Internet of Things."

While WordPress accounted for more than 500 vulnerabilities, another content management system, Drupal, had two of the most attacked vulnerabilities, Imperva found. 

In terms of vulnerability classes, however, issues that allow commands to be run via another application—often referred to as injection attacks—accounted for 3,294 flaws, according to the report. Remote command execution accounted for the largest portion of vulnerabilities, with 1,980. 

IoT Vulns Dropped

While Web applications appear to be increasingly targeted, another major focus of vulnerability research—the Internet of Things—appeared to fare pretty well in 2018, according to the Imperva report. The number of vulnerabilities found in IoT devices and software fell to its lowest level in three years. 

The increasing interest in developing security standards and best practices has likely prompted vendors to invest more in security, Imperva's Avital says.

"While fewer vulnerabilities were found in IoT products, it does not mean that IoT is safe from cyberattackers," he says. "While new IoT products may be more secure, many IoT vendors still don't push security updates and if they did, it isn't clear how to update or if they can even be deployed as some devices cannot be taken offline."

Companies need both to automate their scanning for vulnerabilities and to use agile development methodologies so that security issues are fixed as early in the software-development cycle as possible, says Dan Cornell, chief technology officer for the Denim Group, a software-security firm.

"I think we are still at the saturation point, where organizations have a much greater focus on the detection of vulnerabilities over the remediation of vulnerabilities," Cornell says. "People are still doing a lot of testing, but they still are not fixing enough."

To fix vulnerabilities and reduce the number of issues that actually make it into production, code-checking software can help developers take a greater role in securing the software as it is written.

Comments
REISEN1955, User Rank: Ninja
1/10/2019 | 9:26:26 AM
On Wordpress
This is a sinkhole of a web page provider - almost all of our internet page issues come from WordPress sponsored sites and I really think it should be avoided whenever possible if not just abolished entirely. There is no trust in their controls and/or features. Assume if you sponsor through this one, your data will be hacked in short order.