May. 15, 2014
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/) is endeavoring to become a comprehensive database where vulnerability countermeasure information for software used in Japan is aggregated and IT users can easily access the information. JVN iPedia has collected and/or translated the vulnerability countermeasure information published by (1) domestic software developers, (2) JVN(*1), a vulnerability information portal site, and (3) NVD(*2), a vulnerability information database run by NIST(*3). JVN iPedia has continued to make this information available to the public since April 25, 2007.
~Vulnerability information stored in JVN iPedia is now over 45,000~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 1st quarter of 2014 (January 1 to March 31, 2014) is shown in the table below. The total number of vulnerabilities stored in JVN iPedia is now over 45,000 (See Table 1-1, Figure 1-1)(*4).
As for the English version, a total of 1,022 vulnerabilities is available, as shown in the lower half of the table.
|Version||Information Source||Registered Cases||Cumulative Cases|
|Japanese Version||Domestic Product Developers||3 cases||156 cases|
|Japanese Version||JVN||264 cases||3,135 cases|
|Japanese Version||NVD||1,523 cases||41,870 cases|
|Japanese Version||Total||1,790 cases||45,161 cases|
|English Version||Domestic Product Developers||3 cases||156 cases|
|English Version||JVN||32 cases||866 cases|
|English Version||Total||35 cases||1,022 cases|
~85 Percent of which are critical vulnerabilities. Users are strongly encouraged to update to a newer OS~
On April 8, 2014, support for Microsoft Windows XP, Office 2003 and Internet Explorer (IE) 6 officially ended. Since vulnerabilities in these three end-of-support products will no longer be fixed even if new ones are found, computers using them will always be exposed to security risks.
Figure 1-2-1 shows the number of vulnerabilities in Microsoft products registered to JVN iPedia during the 1st quarter of 2014, the last quarter in which these three end-of-support products were under vendor support. Among the total of 72 vulnerabilities, 20 are in these three end-of-support products, which accounts for 28 percent. To be more specific, IE accounts for 17 percent, Windows XP for 7 percent and Office 2003 for 4 percent.
Some of the IE vulnerabilities allow an attacker to redirect a user to a malicious web page and infect the user’s PC with malware to steal data and/or remotely control it. In fact, attacks targeting these vulnerabilities had already been observed at the time of the release of an update(*5).
Figure 1-2-2 shows the CVSS(*6) severity of the 20 vulnerabilities in the aforementioned end-of-support products reported in 1Q, and Figure 1-2-3 shows that of the vulnerabilities in all software products. 85 percent of the vulnerabilities in the three end-of-life products are severity level III. Compared to all software products, the rate is considerably higher. The result seems to suggest that, to improve product security, Microsoft enforces strict vulnerability inspection by its own standards and methods, giving priority to finding critical vulnerabilities.
Figure 1-2-4 shows the CWE(*7)types of the three end-of-support products presented in Figure 1-2-1. As you can see, CWE-119 (buffer errors) is outstandingly high (84 percent). If this vulnerability is exploited, an attacker could execute malicious programs on the target system and take over its control.
Even up to the last minute, critical vulnerabilities in those three end-of-support products have kept coming up. Once support ends, since the vendor no longer provides vulnerability information, users cannot resolve or mitigate security risks properly, and the risk of malware infection and security breach becomes higher. Thus, users should stop using end-of-support products and migrate to a successor Windows OS or an alternative OS that does have vendor support.
Figure 2-1 illustrates the number of vulnerability countermeasure information entries registered during the 1st quarter of 2014, sorted by vulnerability type using CWE.
The type of the vulnerability that has been reported most during this quarter is CWE-79 (Cross-Site Scripting) with 262 cases, followed by CWE-119 (Buffer Errors) with 191 cases, CWE-264 (Permissions, Privileges and Access Controls) with 187 cases and CWE-20 (Improper Input Validation) with 152 cases.
Software developers need to make sure to implement the necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines, such as “Secure Programming Course”(*8) to promote secure programming and “AppGoat”(*9) to help learn and understand vulnerabilities.
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of March 31, 2014, 43 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 50 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9) and 7 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means the severity of 93 percent of the known vulnerabilities is level II or higher, which are threats critical enough to cause a service outage. To avoid threats imposed by the known vulnerabilities, it is essential for IT users to update software or apply security patches as soon as possible upon their release.
Figure 2-3 shows the annual change in the types of software applications registered to JVN iPedia for having vulnerabilities, based on their respective vulnerability release date. Application vulnerabilities are published most and account for 85 percent of the total.
Since about 2008, vulnerabilities in Industrial Control Systems (ICS) used in critical infrastructures have started to be added. During this quarter, 43 ICS vulnerabilities were registered, making the total 480.
Table 2-4 lists the top 20 software products for which the most vulnerabilities were registered during the 1st quarter of 2014. The top 3 are IE, Google Chrome and Mozilla Firefox, suggesting browsers are frequently updated. A number of vulnerabilities are released daily, thus sometimes vulnerabilities in the products that a user is using are fixed before the user knows.
Products with many vulnerability records are likely to be updated often in a short time, and the user may miss one or two of the updates. Using the list below as a clue, the user should be especially diligent about those often-updated products and make sure not to miss important vulnerability information and patches.
|#||Category||Product Name (Vendor)||# of Vulnerabilities Registered|
|1||Browser||Internet Explorer (Microsoft)||53|
|2||Browser||Google Chrome (Google)||45|
|3||Browser||Mozilla Firefox (Mozilla Foundation)||36|
|3||Development Environment||JDK, JRE (Oracle)||36|
|6||OS||Linux Kernel (kernel.org)||33|
|7||Other||Mozilla SeaMonkey (Mozilla Foundation)||28|
|8||OS||Apple iOS (Apple)||27|
|10||OS||Red Hat Enterprise Linux (Red Hat)||26|
|12||Network Software||Cisco Unified Communications Manager (Cisco Systems)||21|
|12|| ||Mozilla Thunderbird (Mozilla Foundation)||21|
|14||Media Player||Apple TV (Apple)||19|
|17||eLearning System||Moodle (Moodle)||13|
|17||CMS||Plone (Plone Foundation)||13|
|19||Other||IBM Algo One (IBM)||12|
Table 3-1 lists the top 20 most accessed vulnerability countermeasure information entries on JVN iPedia during the 1st quarter of 2014 (January – March). No. 1 is an NTP vulnerability exploited in DDoS attacks. Also, the vulnerabilities in server software(*10) used to build websites, such as Apache Commons FileUpload (No.2) and Apache HTTP Server (No.6, 7), were accessed a lot(*11).
Table 3-2 lists the top 5 vulnerability countermeasure information entries accessed among those reported by domestic product developers. The severity of the top 3 vulnerabilities is level III (High), meaning that vulnerabilities that may cause a service outage or information leak with high probability if attacked have attracted attention.
|#||ID||Title||CVSS Base Score||Published Date|
|1||JVNDB-2013-005768||Denial-of-service (DoS) vulnerability in the monlist feature in ntp_request.c in ntpd in NTP||5.0||2014/1/7|
|2||JVNDB-2014-000017||Apache Commons FileUpload vulnerable to denial-of-service (DoS)||5.0||2014/2/10|
|3||JVNDB-2013-000111||Android OS vulnerable to arbitrary Java method execution||6.8||2013/12/17|
|4||JVNDB-2014-001409||Internet Explorer use-after-free vulnerability||9.3||2014/2/17|
|5||JVNDB-2014-001243||Apple iTunes vulnerable to content spoofing||5.8||2014/1/27|
|6||JVNDB-2012-001258||HTTPOnly Cookies Information Disclosure Vulnerability in protocol.c in Apache HTTP Server||4.3||2012/2/1|
|7||JVNDB-2013-002948||Arbitrary command execution vulnerability in mod_rewrite module in Apache HTTP Server||5.1||2013/6/12|
|8||JVNDB-2014-000006||EC-CUBE vulnerable to information disclosure||5.0||2014/1/22|
|9||JVNDB-2014-000011||Sanshiro Series vulnerable to arbitrary code execution||9.3||2014/1/28|
|10||JVNDB-2012-000075||Sleipnir Mobile for Android vulnerable to arbitrary Java method execution||5.8||2012/8/8|
|11||JVNDB-2011-002305||SSL and TLS allow chosen plaintext attack in CBC modes||4.3||2011/10/4|
|12||JVNDB-2014-001301||Buffer overflow vulnerability in Oracle MySQL and client/mysql.cc in MariaDB||7.5||2014/2/4|
|13||JVNDB-2013-000119||Juniper ScreenOS vulnerable to denial-of-service (DoS)||7.8||2013/12/13|
|14||JVNDB-2014-001305||ZTE ZXV10 W300 hard-coded credentials vulnerability||9.3||2014/2/5|
|15||JVNDB-2013-000123||VMware ESX and ESXi may allow access to arbitrary files||2.1||2013/12/24|
|16||JVNDB-2013-005585||Arbitrary code execution vulnerability in the asn1_time_to_time_t function in ext/openssl/openssl.c in PHP||7.5||2013/12/18|
|17||JVNDB-2013-000016||Kingsoft Writer vulnerable to buffer overflow||6.8||2013/3/1|
|18||JVNDB-2013-005745||Vulnerabilities in DTLS Retransmission Implementation in OpenSSL||5.8||2014/1/6|
|19||JVNDB-2014-000027||sp mode mail issue when accessing attachments in incoming mail||2.6||2014/3/18|
|20||JVNDB-2014-000029||sp mode mail vulnerability where Java methods may be executed||6.8||2014/3/18|

|#||ID||Title||CVSS Base Score||Published Date|
|1||JVNDB-2014-001203||A Problem of CPU Consumption in Host Data Collector bundled with Hitachi Device Manager Software||7.8||2014/1/21|
|2||JVNDB-2014-001594||JP1/File Transmission Server / FTP vulnerable to access control violation||8.5||2014/3/11|
|3||JVNDB-2013-005262||Buffer Overflow Vulnerability in the log function of Interstage HTTP Server||10.0||2013/11/27|
|4||JVNDB-2013-005669||Xml eXternal Entity Vulnerability in Hitachi Cosminexus||2.6||2013/12/25|
|5||JVNDB-2014-001593||JP1/Integrated Management - Service Support vulnerable to cross-site scripting||4.3||2014/3/11|
Note 1) Color Code for CVSS Base Score and Severity Level
|CVSS Base Score / Severity Level = I (Low)||CVSS Base Score / Severity Level = II (Medium)||CVSS Base Score / Severity Level = III (High)|
Note 2) Color Code for Published Date
|Published in 2012 and before||Published in 2013||Published in 2014|
(*1) Japan Vulnerability Notes. A portal for vulnerability countermeasure information providing information on vendor response to the reported vulnerabilities and security support. Operated in the collaboration of IPA and JPCERT/CC.
(*2) National Vulnerability Database. A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology. A U.S. federal agency that develops and promotes measurement, standards and technology.
(*5) Security Alert: Microsoft Security Bulletin (February 2014)
Security Alert: Microsoft Security Bulletin (March 2014)
(*6) Common Vulnerability Scoring System (CVSS)
http://www.ipa.go.jp/security/vuln/CVSS.html (in Japanese)
Based on a CVSS Base Score, it is evaluated in three levels. The higher the number, the higher the severity.
- Level III: A threat that could take complete remote control over the targeted system or lead to disclosure of a major part of information.
- Level II: A threat that could lead to disclosure of part of information or to denial of service.
- Level I: A situation where conditions required to execute an attack are complicated, or the severity of a threat falls under Level II but the threat is very unlikely to happen.
(*7) Common Weakness Enumeration.
http://www.ipa.go.jp/security/vuln/CWE.html (in Japanese)
(*9) Hands-on vulnerability learning and experiencing tool “AppGoat”
http://www.ipa.go.jp/security/vuln/appgoat/index.html (in Japanese)
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)