The recently released Microsoft Security Intelligence Report shows that web-based propagation vectors have surpassed traditional malware propagation vectors as the largest threat to distributed network environments. While I agree with Microsoft’s assessment of the threat landscape, I don’t think this is anything new; it is just the current state of a long-running trend. Back in 2008 I wrote that what concerned me most about vulnerable web applications was that organizations either didn’t know or didn’t care about the issue. Organizations were being compromised and might even be hosting malware that infected their own customers.
Today that ignorance has lessened, as larger organizations and even credible news sources have fallen victim to this type of attack, making the damage done to brands more visible. There are even high-profile court cases prosecuting those who take advantage of these vulnerabilities. So the change isn’t that web-based threats are now a larger problem; it is that we are finally starting to give them the attention they deserve. Veracode’s latest State of Software Security Report shows that what I wrote five years ago remains true: SQL injection is an endemic problem that lets attackers control a website’s content. In the past we saw SQL injection prevalence dropping, but it has since plateaued; SQL injection still affects approximately 32% of web applications. What makes this worse is just how easy these vulnerabilities are to exploit. A simple Google search for “SQL injection hack” returns 1.74 million results, including videos with explicit instructions on how to exploit SQL injection vulnerabilities, so anyone can exploit them. What we are seeing, then, is an attack vector that remains constantly available to hackers, that is easy to exploit, and that can produce breaches with disastrous results for all sorts of organizations.
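To make concrete why SQL injection is both easy to exploit and able to hand an attacker control of a site’s content, here is an added example (not code from the original post or from Veracode’s report). It uses Python’s built-in sqlite3 module with a constructed in-memory database of `pages` and `users`; the table layout, the `page_body_*` and `update_page_*` helper names, and the payloads are all assumptions made for illustration. Each vulnerable function builds its SQL by string concatenation; the hardened twin binds the same input as a parameter, so the database never parses it as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny site with a pages table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO pages VALUES (1, 'home', 'Welcome'), (2, 'about', 'About us');
        INSERT INTO users VALUES (1, 'alice', 'hash-alice'), (2, 'admin', 'hash-admin');
        """
    )
    return conn


# --- Reading content -------------------------------------------------------

def page_body_vulnerable(conn, slug):
    # Vulnerable: the request parameter is spliced into the SQL text, so a
    # quote in `slug` ends the string literal and the rest is parsed as SQL.
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def page_body_safe(conn, slug):
    # Hardened: placeholder plus bound parameter. The driver sends `slug` as
    # data, so quotes and keywords inside it are just characters.
    sql = "SELECT body FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


# --- Writing content -------------------------------------------------------

def update_page_vulnerable(conn, slug, new_body):
    # Vulnerable: a tautology in `slug` widens the WHERE clause to every row,
    # letting the attacker rewrite the whole site's content in one request.
    sql = "UPDATE pages SET body = '" + new_body + "' WHERE slug = '" + slug + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of pages actually changed


def update_page_safe(conn, slug, new_body):
    # Hardened: both values are bound; a slug containing "' OR 'a'='a" simply
    # matches no page.
    sql = "UPDATE pages SET body = ? WHERE slug = ?"
    cur = conn.execute(sql, (new_body, slug))
    conn.commit()
    return cur.rowcount


# Payloads an attacker would type into the URL or form field (constructed).
# The trailing "--" comments out the closing quote the application appends.
DUMP_USERS = "x' UNION SELECT username || ':' || password_hash FROM users --"
EVERY_ROW = "home' OR 'a'='a"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable read :", page_body_vulnerable(db, DUMP_USERS))   # leaks users table
    print("safe read       :", page_body_safe(db, DUMP_USERS))         # []
    print("vulnerable write:", update_page_vulnerable(db, EVERY_ROW, "Defaced"))  # 2 rows
    print("site content    :", page_body_vulnerable(db, "about"))      # ['Defaced']
    print("safe write      :", update_page_safe(make_db(), EVERY_ROW, "Defaced"))  # 0 rows
```

The read-side payload turns a page lookup into a dump of the credentials table, and the write-side payload turns an edit of one page into a defacement of every page; the parameterized versions return nothing and change nothing for the same input. Parameterization, not input filtering, is the fix: every query that takes untrusted input should look like the `*_safe` functions.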
Even though most websites clean up after a compromise, there will always be more opportunities to exploit these types of applications. New web applications and websites are introduced daily, creating a steady stream of vulnerable sites for sophisticated criminals and “everyday hackers” alike to exploit. As long as companies don’t consider web-application security part of their security strategy, we will continue to see compromised websites as the most tantalizing malware propagation vector available to attackers.
The Veracode State of Software Security Report combined with the Microsoft Security Intelligence Report presents a bleak picture: an endless stream of vulnerable web applications being compromised to feed exploits to an endless stream of broken client applications running on desktop operating systems. Who should be responsible for putting a stop to this? Should there be consequences for developing and hosting a vulnerable web app that was used to stage an attack? Should there be consequences for delivering a vulnerable client application? From my vantage point it looks like the ecosystem is sick, and we are busy nursing the ill instead of preventing the disease.