Nov. 13, 2015
IT Security Center
The vulnerability countermeasure information database JVN iPedia (http://jvndb.jvn.jp/en/) aims to be a comprehensive database that aggregates vulnerability countermeasure information about software used in Japan so that IT users can access it easily. JVN iPedia collects and/or translates the vulnerability countermeasure information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal site run by IPA and JPCERT/CC, and 3) NVD (*2), a vulnerability information database run by NIST (*3). JVN iPedia has made this vulnerability information available to the public since April 25, 2007.
~ A total of 56,475 vulnerability entries stored in JVN iPedia ~
The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 3rd quarter of 2015 (July 1 to September 30, 2015) is shown in the table below. As of the end of September 2015, the total number of vulnerabilities stored in JVN iPedia is 56,475 (see Table 1-1, Figure 1-1).
As for the English version, a total of 1,281 vulnerabilities are available, as shown in the lower half of the table.
| Version | Information Source | Registered Cases | Cumulative Cases |
|---|---|---|---|
| Japanese Version | Domestic Product Developers | 0 cases | 168 cases |
| | JVN | 326 cases | 5,722 cases |
| | NVD | 1,435 cases | 50,585 cases |
| | Total | 1,761 cases | 56,475 cases |
| English Version | Domestic Product Developers | 0 cases | 168 cases |
| | JVN | 53 cases | 1,113 cases |
| | Total | 53 cases | 1,281 cases |
~ 95 Adobe Flash Player vulnerabilities reported during 3Q, exceeding the previous year’s total, 76, in just three months ~
Figure 1-2-1 shows the number of Adobe Flash Player vulnerabilities registered to JVN iPedia in the last two years, from October 2013 to September 2015, by quarter. The number of Adobe Flash Player vulnerabilities disclosed through JVN iPedia during this quarter is 95, which exceeds the previous year’s total of 76 in just three months. Looking at the total by year, it has already reached 190 so far this year, two and a half times the previous year’s figure.
In early July 2015, several Adobe Flash Player vulnerabilities, including zero-days, were disclosed as a result of the data breach of an Italian firm that sells spy software to governments around the world (*4). After their disclosure, targeted attacks exploiting those vulnerabilities were observed.
Figure 1-2-2 shows the severity of the Adobe Flash Player vulnerabilities registered this quarter (left) and that of all vulnerabilities registered to JVN iPedia (right) for comparison. Of the 3rd quarter’s 95 vulnerabilities, 89.5 percent were at the severest level, “level III (High)”. Compared with the share of “level III (High)” among all vulnerabilities, 40.1 percent, this is more than double.
When a web page containing Adobe Flash Player content is accessed, the content is usually executed automatically. As a result, Internet users are likely watching web content such as videos without realizing they are using Adobe Flash Player. Because they are unaware of it, they do not apply security fixes for Adobe Flash Player, browse the Internet with a vulnerable Adobe Flash Player, and their devices get infected with malware. This could be one of the reasons that Adobe Flash Player vulnerabilities are favored by attackers.
Adobe Flash Player users need to keep it up to date, and if they do not use it, they should disable it in the browser settings or uninstall it.
~ A vehicle software vulnerability was disclosed with a CVE and registered to JVN iPedia for the first time ~
A news story about a vehicle software vulnerability that allowed an attacker to remotely hijack a vehicle made headlines in July 2015 (*5). Security researchers demonstrated that by exploiting a vulnerability in the Uconnect software (*6) installed in certain Fiat Chrysler Automobiles (FCA) vehicles, they could take control of the vehicles, for example manipulating the steering wheel and shutting down the engine. To respond to this vulnerability, FCA was pushed to issue a massive recall.
Like other NVD-based vulnerabilities, this vulnerability was translated into Japanese and published on JVN iPedia (*7), which made it the first vehicle software vulnerability registered to JVN iPedia.
Since the recent trend is to embed computer software into various devices to deliver a variety of services, it is anticipated that vulnerabilities not only in vehicles but in a wide variety of devices will be reported and registered to JVN iPedia.
Users and system administrators of those devices should practice vulnerability management: for example, keep an eye on vulnerability disclosures, and apply fixes and updates as soon as possible after they are released.
Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 3rd quarter of 2015, sorted by the CWE vulnerability types.
The type of vulnerability reported most in the 3rd quarter is CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) with 349 cases, followed by CWE-79 (Cross-Site Scripting) with 165 cases, CWE-20 (Improper Input Validation) with 159 cases and CWE-200 (Information Exposure) with 152 cases. The most reported type is usually CWE-79, and it is quite rare for CWE-119 to take the top spot as it did this quarter. CWE-119 may allow an attacker to access and modify important data by executing malicious code on an affected server or PC. Of this quarter’s 349 cases registered as CWE-119, vulnerabilities in browsers (e.g. Microsoft Internet Explorer, Apple Safari and Mozilla Firefox) and operating systems (e.g. Microsoft’s and Apple’s) account for more than 50 percent.
Software developers need to implement the necessary security measures from the planning and design phase of software development to mitigate vulnerabilities. IPA provides tools and guidelines such as “How to Secure Your Website” (*8) for website developers and operators to create a secure website, “AppGoat” (*9) to help learn and understand vulnerabilities through practice and exercises, and “AnCoLe” (*10) for Android application developers to learn about and scan for vulnerabilities in their applications.
Figure 2-2 shows the annual change in the severity of vulnerabilities registered to JVN iPedia based on the date they were first published.
As of the end of September 2015, 40.1 percent of all vulnerabilities registered since the launch of JVN iPedia are level III (“High”, CVSS Base Score = 7.0-10.0), 52.7 percent are level II (“Medium”, CVSS Base Score = 4.0-6.9), and 7.2 percent are level I (“Low”, CVSS Base Score = 0.0-3.9).
This means that 93 percent of the known vulnerabilities are level II or higher, i.e. serious enough to cause a service outage. To avoid the threats posed by known vulnerabilities, it is essential for users to update software to the latest version or apply security patches as soon as they become available.
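The severity classification above can be applied to JVN iPedia entries directly. The following is an added example (not IPA's own code) that parses rows in the pipe-delimited form Table 3-1 below uses, maps each CVSS base score to level I/II/III using exactly the ranges this report defines, and computes the share at level II or higher, the same figure the report quotes as 93 percent for the whole database. The sample rows are a subset copied from Table 3-1; the function and class names are the example's own.

```python
from collections import Counter
from dataclasses import dataclass

# Severity levels exactly as Note 1 of this report defines them
# (CVSS v2 base score ranges, published with one decimal place).
LEVELS = (("I", 0.0, 3.9), ("II", 4.0, 6.9), ("III", 7.0, 10.0))


def severity_level(base_score: float) -> str:
    """Map a CVSS base score to the report's level I, II or III."""
    score = round(base_score, 1)  # published scores carry one decimal
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    for name, low, high in LEVELS:
        if low <= score <= high:
            return name
    raise ValueError(f"no level for score {score}")  # unreachable


@dataclass(frozen=True)
class Entry:
    rank: int
    jvndb_id: str
    title: str
    base_score: float
    published: str  # YYYY/M/D as printed on the page


def parse_rows(text: str) -> list[Entry]:
    """Parse rows in the |rank||id||title||score||date| form of Table 3-1."""
    entries = []
    for line in text.strip().splitlines():
        cells = line.strip().strip("|").split("||")
        if len(cells) != 5:
            raise ValueError(f"malformed row: {line!r}")
        rank, jid, title, score, published = (c.strip() for c in cells)
        entries.append(Entry(int(rank), jid, title, float(score), published))
    return entries


def severity_summary(entries: list[Entry]) -> dict:
    """Count entries per level and the share that is level II or higher."""
    counts = Counter(severity_level(e.base_score) for e in entries)
    serious = counts["II"] + counts["III"]
    return {"counts": dict(counts), "total": len(entries),
            "pct_level_ii_or_higher": round(100.0 * serious / len(entries), 1)}


# Sample rows copied from Table 3-1 of this report (a subset, not the full table).
SAMPLE = """
|1||JVNDB-2015-000101||PHP for Windows vulnerable to OS command injection||6.8||2015/7/17|
|4||JVNDB-2015-000109||yoyaku_v41 vulnerable to OS command injection||7.5||2015/7/29|
|8||JVNDB-2015-000112||Microsoft Office discloses a file path of a local file||4.3||2015/8/12|
|10||JVNDB-2015-000103||Welcart vulnerable to cross-site scripting||2.6||2015/7/24|
|13||JVNDB-2015-000099||Thetis vulnerable to SQL injection||7.5||2015/7/15|
|20||JVNDB-2015-000090||namshi/jose fails to verify token signatures||5.0||2015/6/25|
"""

if __name__ == "__main__":
    print(severity_summary(parse_rows(SAMPLE)))
```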
Figure 2-3 shows the annual change in the type of software reported with vulnerabilities. Application vulnerabilities have been published most and account for 84.9 percent of the total.
Since 2007, vulnerabilities in industrial control systems (ICS) used in critical infrastructure have been added to JVN iPedia. As of 2015/3Q, a total of 708 ICS vulnerabilities have been registered (Figure 2-4).
Table 2-4 lists the top 20 software products whose vulnerabilities were most registered during the 3rd quarter (July to September) of 2015. As shown below, the 1st and 3rd are Apple operating systems, and the 11th and 13th to 18th are Microsoft operating systems, so operating systems account for about 50 percent. Moreover, the 2nd, 4th, 9th, 10th and 12th are browsers such as Microsoft Internet Explorer and Google Chrome, so operating systems and browsers together account for 70 percent of the total.
JVN iPedia stores vulnerability information on a variety of software, including the top 20 products. IPA hopes developers and users will make use of JVN iPedia to efficiently check vulnerability information about the software they are using and take timely action (*11).
| Rank | Category | Product Name (Vendor) | Number of Vulnerabilities |
|---|---|---|---|
| 2 | Browser | Microsoft Internet Explorer (Microsoft) | 152 |
| 3 | OS | Apple Mac OS X (Apple) | 134 |
| 4 | Browser | Google Chrome (Google) | 128 |
| 5 | Media Player | Adobe Flash Player (Adobe Systems) | 95 |
| 6 | Development Environment | Adobe Air SDK & Compiler (Adobe Systems) | 92 |
| 6 | Development Environment | Adobe Air SDK (Adobe Systems) | 92 |
| 6 | Execution Environment | Adobe Air (Adobe Systems) | 92 |
| 9 | Browser | Mozilla Firefox (Mozilla Foundation) | 72 |
| 10 | Browser | Microsoft Edge (Microsoft) | 65 |
| 11 | OS | Microsoft Windows Server 2012 (Microsoft) | 59 |
| 12 | Browser | Mozilla Firefox ESR (Mozilla Foundation) | 57 |
| 13 | OS | Microsoft Windows 8.1 (Microsoft) | 56 |
| 14 | OS | Microsoft Windows Server 2008 (Microsoft) | 55 |
| 15 | OS | Microsoft Windows 8 (Microsoft) | 54 |
| 16 | OS | Microsoft Windows RT (Microsoft) | 52 |
| 17 | OS | Microsoft Windows 7 (Microsoft) | 51 |
| 18 | OS | Microsoft Windows Vista (Microsoft) | 49 |
| 19 | PDF Viewer | Adobe Reader (Adobe Systems) | 45 |
| 19 | PDF Viewer/Editor | Adobe Acrobat (Adobe Systems) | 45 |
Table 3-1 lists the top 20 most accessed vulnerability entries in JVN iPedia during the 3rd quarter of 2015 (July to September). The top is a vulnerability in PHP, a scripting language widely used in Japan. The 2nd and 3rd are vulnerabilities in the Yodobashi App. Many people likely viewed them because it is the official smartphone application of a major consumer electronics retailer in Japan.
Focusing on vulnerability type, the 10th, 12th, 14th and 19th are cross-site scripting, the top and 4th are OS command injection, and the 11th and 18th are directory traversal. Cross-site scripting may allow an attacker to steal and/or modify important data by executing malicious script in the user’s browser.
| Rank | ID | Title | CVSS Base Score | Published Date |
|---|---|---|---|---|
| 1 | JVNDB-2015-000101 | PHP for Windows vulnerable to OS command injection | 6.8 | 2015/7/17 |
| 2 | JVNDB-2015-000110 | Yodobashi App for Android vulnerable to arbitrary Java method execution | 5.8 | 2015/8/7 |
| 3 | JVNDB-2015-000111 | Yodobashi App for Android fails to verify SSL server certificates | 4.0 | 2015/8/7 |
| 4 | JVNDB-2015-000109 | yoyaku_v41 vulnerable to OS command injection | 7.5 | 2015/7/29 |
| 5 | JVNDB-2013-003469 | Apache Struts vulnerable to remote command execution | 7.5 | 2013/7/23 |
| 6 | JVNDB-2015-000108 | yoyaku_v41 vulnerable to authentication bypass | 5.0 | 2015/7/29 |
| 7 | JVNDB-2015-000107 | yoyaku_v41 vulnerable to arbitrary file creation | 7.5 | 2015/7/29 |
| 8 | JVNDB-2015-000112 | Microsoft Office discloses a file path of a local file | 4.3 | 2015/8/12 |
| 9 | JVNDB-2015-000106 | Gazou BBS plus vulnerability in file upload processing | 5.0 | 2015/7/28 |
| 10 | JVNDB-2015-000103 | Welcart vulnerable to cross-site scripting | 2.6 | 2015/7/24 |
| 11 | JVNDB-2014-000107 | SLFileManager for Android vulnerable to directory traversal | 4.3 | 2014/9/25 |
| 12 | JVNDB-2015-000104 | Research Artisan Lite vulnerable to cross-site scripting | 4.3 | 2015/7/24 |
| 13 | JVNDB-2015-000099 | Thetis vulnerable to SQL injection | 7.5 | 2015/7/15 |
| 14 | JVNDB-2015-000096 | Simple Oekaki BBS vulnerable to cross-site scripting | 5.0 | 2015/7/10 |
| 15 | JVNDB-2015-000105 | Research Artisan Lite does not properly perform authentication | 5.0 | 2015/7/24 |
| 16 | JVNDB-2015-000097 | Simple Oekaki BBS vulnerability where arbitrary files may be deleted | 6.4 | 2015/7/10 |
| 17 | JVNDB-2015-000092 | OpenEMR vulnerable to authentication bypass | 5.0 | 2015/6/30 |
| 18 | JVNDB-2015-000098 | acmailer vulnerable to directory traversal | 4.0 | 2015/7/15 |
| 19 | JVNDB-2015-000088 | Ruby on Rails library Paperclip vulnerable to cross-site scripting | 4.3 | 2015/6/18 |
| 20 | JVNDB-2015-000090 | namshi/jose fails to verify token signatures | 5.0 | 2015/6/25 |
Note 1) Color Code for CVSS Base Score and Severity Level
CVSS Base Score = 0.0-3.9: Severity Level = I (Low)
CVSS Base Score = 4.0-6.9: Severity Level = II (Medium)
CVSS Base Score = 7.0-10.0: Severity Level = III (High)
Note 2) Color Code for Published Date
Published in 2013 and before / Published in 2014 / Published in 2015
(*1) Japan Vulnerability Notes: A portal for vulnerability countermeasure information, including information on vendor responses to reported vulnerabilities and security support. Operated in collaboration between IPA and JPCERT/CC.
(*2) National Vulnerability Database: A vulnerability database operated by NIST.
(*3) National Institute of Standards and Technology: A U.S. federal agency that develops and promotes measurement, standards and technology.
(*4) Hacking Team data breach reveals zero day vulnerabilities in Flash and Windows
(*5) Chrysler recalls 1.4 million vehicles to prevent hacking
(*7) Vulnerability in Uconnect used in certain Fiat Chrysler Automobiles vehicles allows an attacker to control vehicle movement
(*8) How to Secure Your Website (Rev.7-2015)
How to Secure Your Website (Rev.5-2011)
(*9) Hands-on vulnerability learning and experiencing tool “AppGoat”
(*10) Android Application Vulnerability Learning/Checking Tool “AnCoLe”
(*11) IPA Technical Watch - Daily Practice: Tips on Vulnerability Management
The guide gives tips on how to effectively and efficiently collect and leverage vulnerability information.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)