Cenzic’s web application security report for the first half of the year blames WebKit problems and phone software bugs for Safari and Chrome flaws. WebKit is a layout engine designed to allow web browsers to render web pages.
WebKit provides a set of classes to display web content in windows, and implements browser features. It was originally created as a fork of KHTML as the layout engine for Apple’s Safari, but is now portable to many other computing platforms and is used in Google’s Chrome Browser.
The “Cenzic Q1,Q2 2010 Trends Report” (http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2010.pdf) saw a reduction in web application related vulnerabilities as a percentage of total reported vulnerabilities in commercial products. Web vulnerabilities were at about 66% of total reported vulnerabilities of 4,019 that included web, network and other infrastructure vulnerabilities. The good news is that this is a positive trend compared to second half of 2009 when Web related vulnerabilities comprised 82 percent of total vulnerabilities. However the bad news is that in absolute terms there were 2,645 Web vulnerabilities, almost identical to the previous period.
More concerning, according to Cenzic (which provides software and SaaS solutions), is that 60% of these vulnerabilities still have no known fix available. Even more troubling, about 45% of the web vulnerabilities have an exploit code publicly available which means any hacker can easily look it up and use it to attack Websites that have not patched these vulnerabilities. And, making it worse, almost 1,000 Web related vulnerabilities that had no known solution had a public exploit available.
“As in the previous periods, we also looked at vulnerabilities in various browsers,” writes Cenzic. “Both Internet Explorer and Mozilla Firefox showed improvements in reported vulnerabilities. IE had 40 vulnerabilities compared to 44 in the second half of 2009 and Firefox went down to 59 compared to 77 in the previous six months. What was unexpected was the dramatic increase in vulnerabilities in Apple’s Safari that soared from 25 in the previous period to 83 in this period and Google Chrome which jumped to 69 from 25 in the second half of 2009. Opera also saw an increase but continue to have the least number of vulnerabilities among browsers. The spike in Safari and Chrome vulnerabilities can be attributed to vulnerabilities in the rendering engine shared by both called WebKit as well as iPhone and Droid related vulnerabilities. We want to acknowledge the tremendous work that all browsers have done in fixing these vulnerabilities quickly. Patching ranged from 78% to 92% depending on the browser.”