Android Apps, Internet Explorer, Java Among the Most Vulnerable: HP

by Nathan Eddy

As the lines are blurred between mobile technology and traditional form factors, and mobile devices are often used to manipulate confidential data for both personal and business use, encryption of targeted data is increasingly important. The report found that 46 percent of Android apps improperly use encryption.

Many more vulnerabilities were discovered for Internet Explorer in 2013, and HP’s Zero Day Initiative (ZDI) recorded more than a 100 percent increase, compared with 2012 numbers. The report said this is not a gauge of the security of Internet Explorer, but rather, results from the market forces (both legitimate and illegitimate) that govern the price of vulnerabilities in software with massive market penetration.

The 216 unique vulnerability categories detected during the audits were distributed almost evenly between two major buckets. Nearly 52 percent of the issues were a result of insecure client-side operation while about 48 percent were related to either insecure server-side application code or code quality issues that could result in unstable application behavior.

Another extremely tempting target—supervisory control and data acquisition (SCADA) systems—first gained attention after the Stuxnet worm was discovered to have infiltrated an Iranian uranium enrichment plant in 2010 and specifically targeted equipment manufactured by one company. ZDI’s external researchers are actively interested in finding, and disclosing these vulnerabilities.

One of the most prolific vulnerabilities over the past decade, cross-site scripting stands at the top regarding the frequency in which it appears in the affected applications. Although 82 percent of the affected applications demonstrated weaknesses to type one , or “reflected,” cross-site scripting, the category with the highest impact comprises a mere 5 percent of the applications—type two, or “persistent,” cross-site scripting.

Since early 2011, Oracle has patched almost 300 remotely exploitable vulnerabilities in Java. These issues range from the classic stack-based buffer overflow to the more complicated sandbox bypass vulnerabilities that require the attacker to chain a series of weaknesses to disable the security manager. Every year, the number of vulnerabilities being fixed has increased, with just over 50 issues patched in all of 2011 to more than 180 in 2013, and researchers continue to discover new ways to find holes in the various subcomponents of Java and bypass the security architecture.

The company’s examination of more than 500,000 apps for the Android platform turned up some surprising results, including major discrepancies between how Google and different antivirus companies judge the behavior and intent of mobile apps. Limiting the number of apps available within an organization, monitoring approved apps and thoroughly vetting end-user licensing agreements are the absolute baseline for responsible defense, the report said.

As discovered in analyzing targeted attacks in the South Korea—in which a malware payload was executed last March on computers belonging to targeted businesses and organizations in the country—even though the malware involved was not that sophisticated, it was good enough to compromise the networks of several organizations and cause malicious damage and significant interruptions to normal function. The report warned that organizations must understand that there isn’t a single path to take to protect vital business assets from threats.

Compared with the high detection numbers for Android apps reported by particular companies, things look different for iOS, with few reports of malware for this platform. A major difference between the Android and iOS app platforms is the screening process of the app store. The Apple iOS store performs a detailed screening process that can take weeks and will reject apps for a number of nontechnical reasons, including test or demo versions and apps that are primarily marketing materials or advertisements.

While vulnerability research continued to gain attention, the total number of publicly disclosed vulnerabilities in 2013 was stable, and the number of high-severity vulnerabilities decreased for the fourth consecutive year. The number classified as “high severity” as reported by the company has declined since 2010.