Software 14.11.2009

Web browsers: which ones are most vulnerable?

Cenzic, a provider of risk management solutions, has revealed the most prominent types of Web application vulnerabilities for the first half of 2009 in its latest report.

Of the 3,100 hacking vulnerabilities identified, Web-based exploits and attacks comprised 78%. This is a slight decrease from 80% in Q3-Q4 2008, but above the 71%-73% levels for Q1-Q2 2008.

Of the Web vulnerabilities, 90% were related to code in commercial Web applications. Web browsers comprised 8% and Web servers 2%.

Amongst the four most popular browsers – Internet Explorer, Firefox, Opera and Safari – Firefox had 44% of all browser vulnerabilities. Safari had 34%, with the increased number due to flaws in the iPhone Safari browser. Internet Explorer had 15%, and Opera 6%.

Some key findings from the report include:

  1. Of the various classes of vulnerabilities, SQL Injection and Cross Site Scripting (XSS) vulnerabilities continued to dominate with 25% and 17% respectively.
  2. Authorization and Authentication vulnerabilities were higher at about 14% of total Web vulnerabilities. Directory Traversal and Buffer Error exploits combined made up 20%.
  3. Code Injection is at 7%, Information Leak at 4%, and Cross-Site Request Forgery at 3%.
  4. Sun Java, PHP, and Apache continue to be among the top 10 vendors having the most severe vulnerabilities for the first half of 2009.

Security blind spot

“The fact that hackers can have direct access to your data using such common outlets is staggering,” said Mandeep Khera, chief marketing officer at Cenzic.

“The worst part is that once they get in, it’s a free for all. Nothing is safe because there is no such thing as a minor data breach. The average data breach can cost more than US$500,000 [±R 3.7-million] which can also put a business’ livelihood and reputation on the line.”

“The most surprising thing that we discovered is that in spite of the fact that vulnerabilities are so easily identifiable, and there are now low cost turn-key SaaS solutions available, businesses are not focused on securing their Web applications.”

“They are a serious and potentially lethal blind spot for businesses. With the holiday shopping season approaching, all we can say is consumer beware,” Khera concluded.
