2. Android Applications Use Encryption Improperly
As the lines are blurred between mobile technology and traditional form factors, and mobile devices are often used to manipulate confidential data for both personal and business use, encryption of targeted data is increasingly important. The report found that 46 percent of Android apps improperly use encryption.
3. Internet Explorer the Most Targeted Software
Many more vulnerabilities were discovered for Internet Explorer in 2013, and HP’s Zero Day Initiative (ZDI) recorded more than a 100 percent increase, compared with 2012 numbers. The report said this is not a gauge of the security of Internet Explorer, but rather, results from the market forces (both legitimate and illegitimate) that govern the price of vulnerabilities in software with massive market penetration.
4. Clients, Servers Both Susceptible to Attack
The 216 unique vulnerability categories detected during the audits were distributed almost evenly between two major buckets. Nearly 52 percent of the issues were a result of insecure client-side operation while about 48 percent were related to either insecure server-side application code or code quality issues that could result in unstable application behavior.
5. SCADA Systems Are Increasingly Targeted
Another extremely tempting target—supervisory control and data acquisition (SCADA) systems—first gained attention after the Stuxnet worm was discovered to have infiltrated an Iranian uranium enrichment plant in 2010 and specifically targeted equipment manufactured by one company. ZDI’s external researchers are actively interested in finding and disclosing these vulnerabilities.
6. Cross-Site Scripting a Top Vulnerability
One of the most prolific vulnerabilities of the past decade, cross-site scripting stands at the top in terms of how frequently it appears in the affected applications. Although 82 percent of the affected applications demonstrated weaknesses to type one, or “reflected,” cross-site scripting, the category with the highest impact comprises a mere 5 percent of the applications—type two, or “persistent,” cross-site scripting.
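The distinction the report draws between reflected and persistent cross-site scripting comes down to where the attacker-controlled string lives: a reflected flaw echoes a request parameter back to the one user who sent it, while a persistent flaw stores the string once and renders it to every later visitor. The following is an added example (not code from the HP report or this article) that models both cases without a web framework; the page-building functions, the `CommentBoard` class and the sample strings are constructed for illustration, and the fix in both cases is the same output encoding via Python's `html.escape`.

```python
"""Reflected vs. persistent cross-site scripting, modelled without a web
framework.  Constructed example: the request and comment values are made
up, and the page-building functions stand in for a server's template layer."""
from html import escape
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample input: a search string as it would arrive in a query
# parameter, and a comment posted to a message board.
SAMPLE_QUERY = "<script>alert(1)</script>"
SAMPLE_COMMENT = '<img src=x onerror="alert(1)">'


# Type one / reflected: the request parameter is echoed straight back to the
# same user.  Only a visitor who sends this particular request is affected.
def reflected_unsafe(query: str) -> str:
    return f"<p>Results for: {query}</p>"


def reflected_safe(query: str) -> str:
    # escape() turns <, >, &, " and ' into entities, so the browser shows the
    # text instead of parsing it as markup.
    return f"<p>Results for: {escape(query)}</p>"


# Type two / persistent: the value is stored once and rendered to every later
# visitor, which is why its impact is higher even though it is rarer.
class CommentBoard:
    def __init__(self) -> None:
        self._comments: List[str] = []

    def post(self, text: str) -> None:
        self._comments.append(text)

    def render_unsafe(self) -> str:
        return "".join(f"<li>{c}</li>" for c in self._comments)

    def render_safe(self) -> str:
        return "".join(f"<li>{escape(c)}</li>" for c in self._comments)


class _TagCollector(HTMLParser):
    """Records every start tag the browser-like parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_tags(page: str, expected=("p", "li")) -> List[str]:
    """Return tags in the rendered page that the template itself did not emit.
    An empty list means the user input was rendered as text, not markup."""
    parser = _TagCollector()
    parser.feed(page)
    return [t for t in parser.tags if t not in expected]


def demo() -> Dict[str, List[str]]:
    board = CommentBoard()
    board.post("first!")            # benign comment from an ordinary user
    board.post(SAMPLE_COMMENT)      # hostile comment stored alongside it
    return {
        # the victim who sent the crafted request sees injected markup ...
        "reflected_unsafe": injected_tags(reflected_unsafe(SAMPLE_QUERY)),
        # ... but an unrelated user's ordinary request is unaffected
        "reflected_other_user": injected_tags(reflected_unsafe("kittens")),
        "reflected_safe": injected_tags(reflected_safe(SAMPLE_QUERY)),
        # every visitor of the board gets the stored markup until it is fixed
        "stored_unsafe": injected_tags(board.render_unsafe()),
        "stored_safe": injected_tags(board.render_safe()),
    }


if __name__ == "__main__":
    for name, tags in demo().items():
        print(f"{name}: {'injected ' + ','.join(tags) if tags else 'clean'}")
```

`injected_tags` uses the standard-library HTML parser as a stand-in for the browser, so the check reflects what would actually be parsed as markup rather than a substring match; note that `reflected_other_user` comes back clean while `stored_unsafe` does not, which is the impact difference the report is pointing at.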
7. Java Remains a Target for Exploitation
Since early 2011, Oracle has patched almost 300 remotely exploitable vulnerabilities in Java. These issues range from the classic stack-based buffer overflow to the more complicated sandbox bypass vulnerabilities that require the attacker to chain a series of weaknesses to disable the security manager. Every year, the number of vulnerabilities being fixed has increased, from just over 50 issues patched in all of 2011 to more than 180 in 2013, and researchers continue to discover new ways to find holes in the various subcomponents of Java and bypass the security architecture.
8. Differing Definitions of Malware Make Measuring Difficult
The company’s examination of more than 500,000 apps for the Android platform turned up some surprising results, including major discrepancies between how Google and different antivirus companies judge the behavior and intent of mobile apps. Limiting the number of apps available within an organization, monitoring approved apps and thoroughly vetting end-user licensing agreements are the absolute baseline for responsible defense, the report said.
9. South Korea: A Case Study in Vulnerability
As discovered in analyzing targeted attacks in South Korea—in which a malware payload was executed last March on computers belonging to targeted businesses and organizations in the country—even though the malware involved was not that sophisticated, it was good enough to compromise the networks of several organizations and cause malicious damage and significant interruptions to normal function. The report warned that organizations must understand that there isn’t a single path to take to protect vital business assets from threats.
10. Apple’s Screening Process Makes iOS Safer
Compared with the high detection numbers for Android apps reported by particular companies, things look different for iOS, with few reports of malware for this platform. A major difference between the Android and iOS app platforms is the screening process of the app store. The Apple iOS store performs a detailed screening process that can take weeks and will reject apps for a number of nontechnical reasons, including test or demo versions and apps that are primarily marketing materials or advertisements.
11. Vulnerability Disclosures Decrease in Severity
While vulnerability research continued to gain attention, the total number of publicly disclosed vulnerabilities in 2013 was stable, and the number of high-severity vulnerabilities decreased for the fourth consecutive year. The number classified as “high severity” as reported by the company has declined since 2010.