IBM security report, joomla, drupal
In its biannual report released Feb. 2, 2009, IBM's X-Force research group pointed out significant security threat trends as we enter 2009, and paid particular attention to vulnerabilities found in PHP web content management systems such as Joomla!, Drupal, TYPO3 and WordPress.

The report is pretty. It has over a hundred pages. It has lots of nifty charts and graphs. But let's take a closer look at the what the net impact is.

Damn FUD, but It's Getting Worse

We hate Threat Level Orange neo-facist scare tactic type messages as much as the next person, but facts are worth knowing. Vulnerabilities are getting more numerous. We are getting less safe on the Internets. There, we said it.

According to a recent article, 70 Percent of Top Sites Distribute or Link to Malware. According to the IBM report, 2008 was the first year where they saw more than 7,000 vulnerabilities reported, a 13.5% increase over 2007. In the 10 years of tracking this business, fully 19% of all vulnerabilities were reported in 2008. 

Now, let's clarify what they are tracking. A vulnerability -- in IBM's eyes -- is "any computer-related vulnerability, exposure, or configuration setting that may result in a weakening or breakdown of the confidentiality, integrity, or accessibility of the computing system".

Threat severities were classified using the Common Vulnerability Scoring System (CVSS),an industry standard for rating vulnerabilities (see for details).

SQL Injection a Huge Problem

In our popular article, How They Hack Your Website: Overview of Common Techniques, we talked a fair bit about SQL injection threats, what they are and how they are commonly executed.

IBM's research team highlights the ongoing threat of SQL injection attacts stating that 54.9% of disclosed vulnerabilities where found in web applications and that attackers continue to target web app vulnerabilities, especially via SQL injection, often to plant malware on unsuspecting website users.

The 2 leading categories of web application vulnerabilities were cross-site scripting (XSS) and SQL injection. And in 2008 it was SQL injection that displaced XSS as the leading type of issue. SQL injection weaknesses were up an impressive 134% over reported issues in 2007.

The report asserts that XSS vulnerabilities are less valuable to the attacker and perhaps therefore less dangerous than SQL injection.

Although cross-site scripting issues are also easy to discover, they are not as valuable to an attacker. They usually result in cookie theft, which provides the attacker with access to a victim’s account on the vulnerable Website. SQL injection, on the other hand, is often used to redirect the visitors from the vulnerable Website to the attacker’s Website where remote code execution exploits can be launched against the victim’s browser.

Who's Dirty? Most Used = Most Vulnerable

The report cites disclosed vulnerabilities in the year, which means the projects’ leaders were aware of and disclosed them. The chart of vendors indicates Microsoft acquires the top spot followed by Apple, Sun and the Joomla project. What stands out here is the correlation between sheer volume of use and the number of vulnerabilities disclosed.

That's not an earth shattering observation, but it does bear keeping in mind. It is also useful as a perspective, as we note that a project like Joomla has out-paced IBM, Oracle and Mozilla in the number of vulnerabilities.

Here are the top 10 disclosers, in order:

  1. Microsoft
  2. Apple
  3. Sun
  4. Joomla!
  5. IBM
  6. Oracle
  7. Mozilla
  8. Drupal
  9. Cisco
  10. TYPO3

Notably for our niche is that the Wordpress blogging platform dropped off the top ten list for 2008. In the mid-year 2008 report Joomla!, WordPress and Drupal were all in the Top 10. Web content management systems written in PHP are clearly an ongoing -- and by IBM's metrics, a growing -- security concern.

Broadly used application foundational components PHP, MySQL and PostgreSQL were mentioned prominently as technologies vulnerable to attack. This is not surprising, since they form the backbone of so many  popular web content management, web publishing and other web application projects. Mozilla Foundation's disclosures jumped sharply with over 70% of them coming in the second half of 2008.

The semi-sweet irony here is that in some ways, joining the Top 10 list is a sign of success.

Weaknesses Admitted But (Often) Not Fixed

As many as half of the vulnerabilities discovered in 2008 went un-patched by vendors, according to IBM. The report states that "at the end of 2008, 53 percent of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability."

This statement is eye catching. And is cause for concern.

On top of this, apparently 44% of the vulnerabilities from 2007 and 46% from 2006 are still unresolved by the vendors in question. On the upside, vendors in the Top 10 baddies list did better in this regard, with only 19% of their vulnerabilities left oozing versus 61% of their less visible peers.

It's the Economics, Stupid

IBM asserts that there's a problem with the way threats are currently assessed. They say that the in-place Common Vulnerability Scoring System (CVSS) primarily focuses on the technical aspects of a vulnerability, including ease of exploitation and potential damage it can cause. The problem here, according to big blue's team is that CVSS doesn’t recognize that the prime incentive for the contemporary offenders is economic.

No kidding. This is why they say SQL injection issues are on the rise -- they are cheaper to execute and can often touch a large, high-value audience.

The Key Take Aways

Here are some things to keep in mind:

  • Vulnerabilities are up, and will continue on that trajectory. Web apps are most vulnerable with SQL injection and WSS being the biggest problems.
  • The software most used with the most lines of code will report the most vulnerabilities. This doesn't mean it's worse, often these are the most tested products proffered by the most responsive vendors.
  • Watch that Top 10 list -- there are products in there that are not wildly popular, it's a red flag.
  • PHP web content management systems are particularly vulnerable, choose carefully, patch regularly.
  • CVSS assessment  and analysis may not be the most effective tool for deciding your priorities. Careful economic analysis of probable hot spots could lead to better resource allocation.

If you've still got wind in your security sails, the entire report is here (PDF).