~Vulnerability countermeasure information about web browsers expanded~
January 20, 2011
Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) has issued its quarterly analysis report on the vulnerabilities registered to JVN iPedia, a vulnerability countermeasure information database, for the fourth quarter (October to December) of 2010.
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) aims to be a comprehensive database that gathers vulnerability countermeasure information for software products used in Japan and makes it easily accessible to IT users. JVN iPedia collects and translates the vulnerability countermeasure information made public by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has made this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia now surpasses 9,600~
Of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2010 (October 1 to December 31, 2010), 6 cases were gathered from domestic developers (116 cumulative cases since the launch of JVN iPedia), 156 cases from JVN (995 cumulative cases), and 438 cases from NVD (8,516 cumulative cases), bringing the quarterly total to 600 cases (9,627 cumulative cases). The number of vulnerability information entries stored in JVN iPedia is now over 9,600 (Table 1, Figure 1).
The Japanese version of JVN iPedia is expanding the range of products whose vulnerability information is collected and stored. During the 4th quarter of 2010 (October 1 to December 31, 2010), it began storing vulnerability information on the web browser Google Chrome and the backup management software CA ARCserve Backup, both widely used by businesses and individuals. In addition, 14 vulnerability countermeasure information entries on the DLL/EXE hijack vulnerability(*4) released by JVN were also registered.
As for the English version of JVN iPedia, 6 cases were gathered from domestic developers (116 cumulative cases) and 31 from JVN (481 cumulative cases), bringing the quarterly total to 37 cases (597 cumulative cases).
Table 1: Vulnerability countermeasure information registered to JVN iPedia, 4th quarter of 2010

| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 6 cases | 116 cases |
| Japanese Version | JVN | 156 cases | 995 cases |
| Japanese Version | NVD | 438 cases | 8,516 cases |
| Japanese Version | Total | 600 cases | 9,627 cases |
| English Version | Domestic Product Developers | 6 cases | 116 cases |
| English Version | JVN | 31 cases | 481 cases |
| English Version | Total | 37 cases | 597 cases |
~A lot of vulnerability countermeasure information about web browsers added. Update now!~
As of the end of December 2010, of the 9,627 vulnerability countermeasure information entries stored in the Japanese version of JVN iPedia, 1,204, or about 12.5 percent, concern web browsers.
Figure 2 shows the annual transitions in the severity of web browsers' vulnerabilities registered to JVN iPedia based on the date they were first made public by product developers or through other means, like the release on the security portal sites. Figure 3 shows the same but on the severity of vulnerability per web browser product.
Figure 2 shows that the number of vulnerability reports on web browsers is increasing year by year, and that critical vulnerabilities in particular are on the rise. In total, 54 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 42 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 4 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
As shown in Figure 3, the critical vulnerabilities are found across the products. On a product basis, 308 are about Internet Explorer, 481 are about Mozilla Firefox, 110 are about Google Chrome, 233 are about Apple Safari and 90 are about Opera.
A lot of web browser vulnerabilities are being reported. It is essential for IT users to check on vulnerability information on a daily basis, and apply updates or security patches concerning the product in use without delay.
CWE (*7) is a hierarchically structured list of weakness types that helps in identifying software vulnerabilities. CWE makes it possible to identify, analyze and globally compare vulnerabilities of widely varying kinds. Figure 4 illustrates the number of vulnerability countermeasure information entries registered during the 4th quarter, sorted by vulnerability type using CWE.
The types of vulnerabilities reported most often this quarter are CWE-119 (Buffer Errors) with 116 cases, CWE-20 (Improper Input Validation) with 62 cases, CWE-399 (Resource Management Errors) with 44 cases, CWE-264 (Permissions, Privileges, and Access Controls) with 40 cases, and CWE-79 (Cross-Site Scripting) with 34 cases.
Most of these are well-known types of vulnerabilities. Software developers should refer to the IPA guidelines that address these vulnerabilities, such as "How to Secure Your Web Site"(*8), "How to Use SQL Calls to Secure Your Web Site"(*8) and the "Secure Programming Course"(*9), to make sure to implement necessary security measures from the planning and design phase of software development.
Figure 5 shows the annual transitions in the severity of vulnerabilities registered to JVN iPedia based on the date they were first made public by product developers or through other means, like release on security portal sites. The publication of vulnerability countermeasure information continued to increase until 2008 and has been flat since then. A high percentage of the published vulnerabilities are serious ones.
As of December 31, 2010, 46 percent of the vulnerabilities were labeled level III ("High", CVSS Base Score = 7.0-10.0), 45 percent were labeled level II ("Medium", CVSS Base Score = 4.0-6.9) and 9 percent were level I ("Low", CVSS Base Score = 0.0-3.9).
Considering that a large share of published vulnerabilities are labeled with the higher severity levels, it is essential for IT users to check vulnerability information on a daily basis and apply updates or security patches for the products in use without delay.
Figure 6 shows the annual transitions in the type of software products registered to JVN iPedia for having vulnerabilities, based on their respective publication dates.
Publication of vulnerability countermeasure information is increasing year by year for application software, including desktop applications such as Adobe Reader, Adobe Flash Player, Safari, Internet Explorer and Firefox, middleware products such as web servers, application servers and databases, and platforms such as PHP and Java. Since many new applications are developed each year and they continue to carry both old and new vulnerabilities, improving security measures for application software is especially important.
Since around 2008, vulnerabilities in SCADA (Supervisory Control and Data Acquisition) systems used in critical infrastructure have been reported as well. 8 vulnerabilities were published in 2008, 9 in 2009 and 6 in 2010 so far, bringing the total number of reported SCADA vulnerabilities to 23.
Recently, the Stuxnet virus (*10), which specifically targets SCADA and exploits the Windows Shell Vulnerability (MS10-046), has been a hot topic. It is essential for IT users to check vulnerability information on a daily basis and apply updates or security patches for the products in use without delay.
Figure 7 shows the annual transitions in JVN iPedia registered vulnerabilities found in open source software (OSS) and non-OSS based on the date they were first made public. Since 2008, the ratio of OSS has demonstrated a decreasing trend and it is 20 percent in 2010 alone. In total, 33 percent of the vulnerabilities registered are of OSS and 67 percent are of non-OSS.
Figures 8 and 9 illustrate the breakdown of OSS and non-OSS software developers (vendors) registered on JVN iPedia, with Figure 8 representing OSS vendors and Figure 9 representing non-OSS vendors.
As shown in Figure 8, the registered OSS vendors consist of 64 domestic vendors, 24 foreign vendors with an office in Japan, and 226 foreign vendors without an office in Japan, a cumulative total of 314 OSS vendors. Similarly, as Figure 9 shows, the total of 233 registered non-OSS vendors consists of 118 domestic vendors, 64 foreign vendors with an office in Japan, and 51 foreign vendors without an office in Japan.
In the case of OSS vendors, the great majority of the registered vulnerability countermeasure information comes from foreign vendors without an office in Japan. When using OSS, product users who lack the knowledge required to update the software to the latest version or to apply security patches should consider a support contract and/or the purchase of product support services offered by a vendor.
~DLL/EXE hijack vulnerability frequently looked up~
JVN iPedia recorded 19,730,000 hits from January to December 2010, a monthly average of 1.6 million.
Table 2 lists the top 20 most accessed vulnerability countermeasure information entries in the JVN iPedia database during the 4th quarter of 2010 (October to December). Among the top 20, 9 are vulnerabilities for which IPA issued a specific warning in its Security Alert for DLL/EXE Loading Arbitrary Code Execution Vulnerability. These DLL/EXE hijack vulnerabilities affect a lot of software running on Microsoft Windows. 14 of the top 20 vulnerabilities were released on JVN.
Vulnerability countermeasure information where some time has elapsed since the date they were first published, such as that on DNS and SSL, is still getting a lot of attention.
Among widely used software, Lhaplus is ranked 1st and 5th and Flash Player is ranked 9th, attracting a lot of user attention. IPA offers a free tool, MyJVN Version Checker (*11), that lets IT users easily check whether popular software like that mentioned above installed on their PC is the latest version. Use tools like MyJVN Version Checker wisely, and keep software up-to-date and vulnerability-free.
Table 3 lists the top 5 vulnerability countermeasure information accessed among those reported by domestic product developers.
Table 2: Top 20 most accessed vulnerability countermeasure information, 4th quarter of 2010

| Rank | JVNDB ID | Title | Access Count | CVSS Base Score | Published Date |
|---|---|---|---|---|---|
| 1 | JVNDB-2010-000037 | Lhaplus may insecurely load dynamic libraries | 2892 | 6.8 | 2010/10/12 |
| 2 | JVNDB-2010-000038 | Lhasa may insecurely load executable files | 2036 | 6.8 | 2010/10/12 |
| 3 | JVNDB-2009-002319 | SSL and TLS protocols renegotiation vulnerability (in Japanese) | 1147 | 6.4 | 2009/12/14 |
| 4 | JVNDB-2010-000045 | TeraPad may insecurely load dynamic libraries | 1060 | 6.8 | 2010/10/21 |
| 5 | JVNDB-2010-000039 | Lhaplus may insecurely load executable files | 744 | 6.8 | 2010/10/15 |
| 6 | JVNDB-2008-001495 | DNS cache poisoning vulnerability in multiple DNS products (in Japanese) | 650 | 6.4 | 2008/7/23 |
| 7 | JVNDB-2010-000047 | Sleipnir and Grani may insecurely load dynamic libraries | 596 | 6.8 | 2010/10/22 |
| 8 | JVNDB-2010-000061 | Movable Type vulnerable to SQL injection | 565 | 6.8 | 2010/12/8 |
| 9 | JVNDB-2010-000054 | Flash Player access restriction bypass vulnerability | 565 | 2.6 | 2010/11/9 |
| 10 | JVNDB-2010-001740 | Apache Tomcat Information Disclosure Vulnerabilities (in Japanese) | 559 | 6.4 | 2010/7/29 |
| 11 | JVNDB-2010-000066 | AttacheCase may insecurely load executable files | 546 | 6.8 | 2010/12/17 |
| 12 | JVNDB-2010-000052 | Ichitaro series vulnerable to arbitrary code execution | 533 | 9.3 | 2010/11/4 |
| 13 | JVNDB-2010-000049 | Multiple Yokka provided products may insecurely load executable files | 530 | 5.1 | 2010/10/22 |
| 14 | JVNDB-2010-001174 | Information disclosure vulnerability in Apache HTTP Server ap_read_request (in Japanese) | 527 | 4.3 | 2010/3/23 |
| 15 | JVNDB-2010-001229 | Vulnerability in two OpenSSL functions (in Japanese) | 526 | 10.0 | 2010/4/9 |
| 16 | JVNDB-2010-002118 | 64-bit Linux Kernel compat_alloc_user_space Privilege Escalation Vulnerabilities (in Japanese) | 525 | 7.2 | 2010/10/8 |
| 17 | JVNDB-2010-000041 | K2Editor may insecurely load executable files | 514 | 5.1 | 2010/10/15 |
| 18 | JVNDB-2010-000050 | Active! mail 6 vulnerable to HTTP header injection | 502 | 4.3 | 2010/10/29 |
| 19 | JVNDB-2010-000051 | GVim may insecurely load dynamic libraries | 495 | 6.8 | 2010/11/1 |
| 20 | JVNDB-2008-000084 | PHP vulnerable to cross-site scripting | 478 | 2.6 | 2008/12/19 |
Table 3: Top 5 most accessed vulnerability countermeasure information reported by domestic product developers, 4th quarter of 2010

| Rank | JVNDB ID | Title | Access Count | CVSS Base Score | Published Date |
|---|---|---|---|---|---|
| 1 | JVNDB-2008-001313 | JP1/Cm2/Network Node Manager Denial of Service Vulnerability | 332 | 5.0 | 2008/5/9 |
| 2 | JVNDB-2010-002077 | Phishing Vulnerability in Accela BizSearch Document View Window | 263 | 5.8 | 2010/10/1 |
| 3 | JVNDB-2010-002078 | Multiple Vulnerabilities in Groupmax Scheduler Server | 248 | 9.0 | 2010/10/1 |
| 4 | JVNDB-2008-001150 | JP1/HIBUN Encryption/Decryption and Removable Media Control Malfunction Problems | 232 | 3.6 | 2008/3/14 |
| 5 | JVNDB-2008-001895 | JP1/VERITAS NetBackup JAVA Administration GUI Privilege Escalation Vulnerability | 225 | 6.5 | 2008/11/26 |
Note 1) Color code for CVSS Base Score and Severity Level (legend of the original tables): Severity Level I (Low), Severity Level II (Medium), Severity Level III (High).
Note 2) Color code for Published Date (legend of the original tables): published in 2008 and before, published in 2009, published in 2010.
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) Security Alert for DLL/EXE Loading Arbitrary Code Execution Vulnerability
(*5) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/SeverityCVSS2.html (in Japanese)
(*6) Transition to the New Version of Vulnerability Severity Scoring System CVSS v2.
http://www.ipa.go.jp/security/vuln/SeverityLevel2.html (in Japanese)
(*7) Refer to "CWE (Common Weakness Enumeration) Overview":
(*10) A virus that targets the nuclear plant control system. For more information, refer to an IPA technical watch report on the New Types of Attacks
http://www.ipa.go.jp/about/technicalwatch/20101217.html (in Japanese)
(*11) MyJVN Version Checker
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)