When it comes to software vulnerabilities, 2008 will go down as a seminal year. It turned out to be a year when the types of applications targeted by attackers shifted, and we witnessed a significant rise in both the number of vulnerabilities discovered and the number of vulnerabilities found in web applications.
Consider this: Though there was an overall 15 percent rise in vulnerabilities discovered last year, 60 percent of those uncovered were web application flaws. The biggest jump in that class of vulnerabilities was seen in SQL-injection flaws, which doubled year over year. And while desktop and client-side software is still targeted heavily, Microsoft Office’s Excel spreadsheet application had the largest number of critical vulnerabilities within that productivity suite. In addition, 11 percent of web vulnerabilities were cross-site scripting flaws, while all other web-related vulnerabilities accounted for 26 percent of the total.
One of the most important trends last year was a surge in critical server vulnerabilities that don’t require user intervention to exploit, such as CVE-2008-1447, which described a weakness in the DNS protocol that made it possible to conduct DNS cache poisoning attacks. In this type of attack, a name server can be made to direct users to an incorrect, even malicious, web site or e-mail server, and to redirect other types of traffic to systems under the attacker’s control.