That’s according to High-Tech Bridge Security Research Lab, which found that in the first half of the year only 20% of discovered vulnerabilities represented a high risk to users. Most known issues (65%) carry only medium risk, researchers noted.
In the first and second quarters of 2013, cross-site scripting (XSS) was the most common vulnerability in web applications. SQL injection took second place, and cross-site request forgery (CSRF) third.
“Today, our security researchers have to work hard to find vulnerabilities in well-known web applications,” said Marsel Nizamutdinov, High-Tech Bridge's chief research officer, in a statement. “First of all, code of such web applications has been developed for many years and is quite mature today. It does not contain many security flaws, simply because security researchers found almost everything during the past years.”
New functionality brings new vulnerabilities, of course, but compared to 10 years ago the code base is simply more mature, and attackers have a harder time finding holes.
“Critical vulnerabilities…just became more complicated to find and more sophisticated to exploit,” he said.
One example is the OpenX online ads platform, which faced two PHP file inclusion vulnerabilities that permit execution of arbitrary PHP code on vulnerable systems.
“However, these vulnerabilities can be exploited only by logged-in administrators (an attacker must initially perform XSS attack to steal administrator’s credentials, using XSS vulnerabilities), or via CSRF vector to which the application was prone as well,” said Nizamutdinov. “This makes [the] attack process a bit longer, but it doesn’t make vulnerabilities less dangerous.”
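The three bug classes the report ranks highest (XSS, SQL injection, CSRF) and the OpenX chain described above (a file-inclusion sink reachable only by a logged-in administrator, paired with XSS or CSRF to ride that session) are easier to reason about with code in front of you. The following PHP is an added illustration, not OpenX code and not from High-Tech Bridge: the page names, the `pages/` directory and the session key `csrf` are all hypothetical. It places a file-inclusion sink beside an allow-listed replacement, then shows the session-cookie flags and CSRF token check that stop a stolen or forged admin session from reaching it.

```php
<?php
// Added example (hypothetical application, not OpenX): a PHP file-inclusion
// sink, its allow-listed replacement, and the session/CSRF controls that
// protect an admin-only action.

// BEFORE: a request parameter reaches include() unchanged. Whatever path the
// client supplies is executed as PHP, which is the "file inclusion" bug class.
function render_page_unsafe(array $get): void
{
    $page = $get['page'] ?? 'home';
    include $page . '.php';              // user-controlled include path
}

// AFTER: the parameter is only ever a key into a fixed map of known files.
// No user-supplied string is used as a path, so there is nothing to traverse.
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',   // hypothetical files
    'stats' => __DIR__ . '/pages/stats.php',
];

function render_page(array $get): void
{
    $page = $get['page'] ?? 'home';
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        http_response_code(404);
        return;
    }
    include PAGES[$page];
}

// Session hardening: HttpOnly keeps the session cookie out of reach of script
// running in the page (limits what an XSS can exfiltrate), Secure keeps it off
// plaintext HTTP, SameSite=Strict stops browsers attaching it to cross-site
// requests (the CSRF vector). Requires PHP 7.3+ for the array form.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// CSRF token: generated once per session, embedded in admin forms, and
// compared in constant time on every state-changing request.
function issue_csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function require_csrf(array $post): void
{
    $sent = $post['csrf'] ?? '';
    if (!is_string($sent)
        || empty($_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// Output encoding for anything reflected into HTML; this is the fix for the
// XSS class that sits at the top of the report's ranking.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Putting it together for the admin-only action (hypothetical routing):
start_hardened_session();
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('admin login required');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf($_POST);                 // reject forged cross-site submissions
}
echo '<input type="hidden" name="csrf" value="' . h(issue_csrf_token()) . '">';
render_page($_GET);
```

The point of the allow-list is that it removes the path from the request entirely rather than trying to sanitise it; the CSRF and cookie controls matter because, as the quote notes, an inclusion bug behind an admin login is not less dangerous, only one step further from an unauthenticated request.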
The firm also found that developers are being quite responsible when it comes to bug-fixing. About 95% of vendors released security patches before public disclosure of vulnerabilities, and on average, vendors released security patches within three weeks after they were notified about discovered vulnerabilities.
Three-quarters of vendors actually replied within several days of being notified about a vulnerability.
“We even had a vendor who not just replied, but fixed the discovered XSS vulnerability within several hours after notification,” said Nizamutdinov, noting that this is the exception rather than the rule.