2007 Report

Table of Contents

Letter from the CEO

Secunia Research Case Study
The Microsoft Windows URI Handling Vulnerability (SA26201) was just one of the many issues this year where Secunia Research shone through

Software Inspection Yields Results
Secunia's three Software Inspection solutions produce answers, even to questions no one thought to ask

Secunia Research Highlights
In 2007, Secunia discovered more than 150 vulnerabilities in applications from vendors like Samba, Microsoft, Symantec, Novell, Apple, and Adobe

Binary Analysis, Real Results
The first full year of the Binary Analysis Service was a resounding success, yielding results not just for Security Vendor customers, but also for Secunia Advisories

Secunia Advisory Statistics
  Zero-day vulnerabilities
  Web Browser Vulnerabilities
  Browser Plug-ins
  Operating System Vulnerabilities
  Enterprise AV Vendors
  Number of advisories
  Impact
  Criticality


Letter from the CEO

Dear customers and partners,

Welcome to Secunia's 2007 Report.

In the 2007 Report, you'll find highlights of vulnerabilities discovered in 2007. During the past year, Secunia verified and published 4,690 advisories, while our in-house research team discovered more than 150 new vulnerabilities in applications from vendors such as Microsoft, Symantec, Novell, CA, IBM, HP, and Adobe. You can read about these, and more, in the "Secunia Research Highlights" and "Secunia Advisory Statistics" sections of the report.

It is Secunia's mission to be the "security watchdog": to provide our customers with accurate and reliable Vulnerability Intelligence to ensure their network integrity. Our security researchers take the greatest pride in providing in-depth analysis and verification.

This is also why Secunia has become a world-leading provider of vulnerability intelligence, acknowledged by many software vendors, who praise our services even though Secunia is not afraid to speak up when vendor standards start slipping and vulnerabilities are not properly handled. You can find out more by reading the articles "Binary Analysis, Real Results" and "Secunia Research Case Study".

To help IT-security staff and IT-administrators in the battle against vulnerabilities, Secunia has developed a new technology to quickly and reliably identify installed software and missing security-related patches which address vulnerabilities. The development of the Software Inspection technology was initiated in 2004. You can read more about the Software Inspector technology in the "Software Inspection Yields Results" story in the 2007 Report.

The Secunia Network Software Inspector is a revolutionary new tool that simplifies the daunting task of identifying vulnerable applications on both desktops and servers. It provides a detailed report on unpatched applications, which make your network vulnerable to attack.

The final qualification and testing of the Network Software Inspector involved more than 1,600 companies, who participated in the public beta-testing.

We received fantastic feedback both during the beta-testing and from those who have acquired the Network Software Inspector. If you haven't already tried the solution, then we would like to invite you to do so.

You're most welcome to contact us to gain a complete insight into the unpatched vulnerabilities in your network.

Wishing you a secure 2008 – stay secure.

Kind regards,
Secunia

Niels Henrik Rasmussen
CEO


Secunia Research Case Study

The Microsoft Windows URI Handling Vulnerability (SA26201) was just one of the many issues this year where Secunia Research shone through

In July of 2007, two security researchers, Billy Rios and Nate McFeters, published a blog entry [1] in which they claimed that Firefox and some other browsers had a vulnerability in the way they handled registered URIs. The reporters gave a few examples, such as mailto:, telnet:, and news:, which, when opened in Firefox, would run an arbitrary command on the computer.

News of the vulnerability soon made its way to various mailing lists and web sites. As with all vulnerability information received by Secunia, our in-house researchers investigated the information before publishing an advisory. The vulnerability was widely publicised in the security blogosphere as a Firefox issue, and Mozilla was quick to respond by creating a Bugzilla case [2]. Mozilla subsequently released a security update closing off the Firefox and Thunderbird attack vectors a few days later.

Identifying the Culprit

The vulnerability seemed to be exploitable by creating a link that starts with a certain URI handler, contains a "%" character, and ends with a certain extension (.bat or .cmd).

A sample proof-of-concept (PoC) for the described vulnerability is the following (a single line):

mailto:test%../../../../windows/system32/telnet.exe" "secunia.com 80%.bat

The above example opens a telnet session from your computer to "secunia.com" on port 80. This site is, of course, safe for browsing. However, an attacker could substitute "secunia.com" with a malicious host, so that if a user clicks on the "mailto:" link, a connection to that host is created instead.

1 http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/
2 https://bugzilla.mozilla.org/show_bug.cgi?id=389580

Proof-of-concept code

Proof-of-concept (PoC) code is a script or program developed by security researchers to demonstrate a particular issue or vulnerability. It is usually short and simple, proving that the issue exists and can potentially be exploited by malicious people to attack a vulnerable system.

PoC code usually performs a visible action on vulnerable systems, such as crashing the application or launching the Calculator application. This serves as tangible proof to other researchers that the issue is present.

Despite their simplicity, PoCs are not meant to be played around with by inexperienced users, because of the dangerous nature of software vulnerabilities. It should be noted that PoC code does exploit the vulnerability, even though it does not (usually) do any actual harm to the target system.

Alternatively, an attacker could use a "tftp" or "ftp" command instead of "telnet"; this makes the affected machine connect to a server of the attacker's choosing and transfer files, which a remote attacker can use to perform arbitrary actions on it.

During the course of our investigation, Secunia researchers noticed that the PoC code provided by the researchers worked not just in the reported browsers, but also, for example, from the Start > Run dialog in Windows.

Another observation was that the vulnerability was only present if Internet Explorer 7 was installed on the same system as the affected browser; the PoC code would not work if only Internet Explorer 6 was installed.


These observations raised two questions: is Windows also affected by the vulnerability in the same way Firefox is? And what is the vulnerability's connection with Internet Explorer?

As with any other question encountered while investigating an issue, Secunia Research looked into the behaviour of affected systems. The fact that the proof-of-concept code worked on the reported browsers indicated that there was indeed an issue, but the additional information from Secunia's in-house research suggested there might be more to it than initially reported.

Further investigation revealed what happens to a link once it is clicked or opened by any of the vulnerable applications. When the initial application (such as Firefox) sees that the link starts with a certain URI handler (such as "mailto:"), it invokes the Windows function ShellExecute(), which is supposed to determine what happens next. This is expected behaviour.

On systems with IE6 installed, ShellExecute() passes the URI to Internet Explorer, which sees that it is an improperly formed link. The link therefore fails to resolve and the whole process exits without any consequence.

In Windows Vista with IE7 installed, ShellExecute() rejects the malformed URI up front. However, on Windows XP and Server 2003 systems with IE7 installed, ShellExecute() passes the URI to Internet Explorer, which sees that the link is improperly formed and rejects it. ShellExecute() then tries to force the link to become usable, and as a consequence the URI is run as a Windows command.

In light of these findings, the only logical conclusion that Secunia Research could reach was that this was not a vulnerability in the reported browsers, but in Windows itself. Secunia then published an advisory [3] containing information on the newly discovered vulnerability in Windows.

3 http://secunia.com/advisories/26201

Fig. 1 (above): On Windows XP and Server 2003 systems with IE6 installed, a malformed link from any affected application (such as Netscape, Firefox, Adobe Reader, mIRC, or MS Outlook) is passed on to ShellExecute(), which passes it off to IE6. IE6 then discards the link.

(left): However, on Windows XP and Server 2003 systems with IE7 installed, IE7 rejects the malformed URI back to ShellExecute(), which tries to fix it. Fixing it results in executing whatever (possibly malicious) command was included in the link.


The Adobe Acrobat / Reader Attack Vector

The Adobe Acrobat/Reader attack vector turned out to be especially critical. Adobe released security updates for the affected products in late October 2007.

Soon after, a number of antivirus companies and security organisations reported seeing a significant number of email messages circulating in the wild which contained a Trojan exploiting the vulnerability via PDF files.

Secunia urged users to apply the Adobe security updates, but to keep in mind that only one attack vector out of many had been addressed.

A New Issue? Or Another Attack Vector?

In September 2007, a security researcher known as pdp [4] released a video of what he claimed was a vulnerability in Adobe Acrobat/Reader. The video showed an attack scenario in which a user opens a PDF file and arbitrary programs are executed on the computer.

The reporter did not disclose details of the vulnerability, in the interest of responsible disclosure. However, it was reported that the flaw affected Windows XP SP2 with Internet Explorer 7 and Adobe Reader installed, and that the exploit did not work on Windows Vista [5]. These are the same conditions that apply to the Windows URI-handling vulnerability.

Based on this, Secunia Research proceeded to check whether the report was in any way connected to the URI-handling vulnerability.

Adobe Acrobat has an option, when creating PDF files, to automatically open a specified URI when the reader opens the file. This is done by setting a page property action to "Open a web link" and entering the malformed URI as the link.

An attack scenario would be a malicious person creating a PDF file, embedding a malicious link in it, and enticing an unsuspecting user to open the file.

In the course of its investigation, Secunia Research determined that in such an attack scenario the root cause of the vulnerability is again the ShellExecute() function. This confirmed the initial suspicion that the issue was not a new problem in Adobe Acrobat/Reader, but simply another attack vector for the URI-handling vulnerability in Windows.

The majority of security researchers at the time reported that the problem lay with Adobe. Adobe, for its part, was quick to respond by publishing a workaround. However, in line with its findings, Secunia updated its Microsoft URI-handling vulnerability advisory to state that opening PDF files was now also an attack vector.

4 http://www.gnucitizen.org/blog/0day-pdf-pwns-windows
5 http://blogs.zdnet.com/security/?p=530


Coordinating with Microsoft

In the interest of identifying other possible attack vectors for this highly critical vulnerability, Secunia Research also analysed several Microsoft applications. Through in-depth testing, it was determined that the same vulnerability could be triggered using Outlook and Outlook Express via the "Web Page" field when viewing vCards.

An attacker could create a vCard and put a malformed URI in the "Web Page" field. If the malicious vCard is attached to an outgoing mail and a recipient unsuspectingly views it, the malformed link is accessed and exploitation can occur.

Secunia Research then contacted Microsoft with its findings. Constructive communication with the vendor allowed us to share our findings in full, as well as to clarify questions and observations we had regarding the behaviour of the affected Microsoft components.

Microsoft agreed that the vulnerability was indeed due to the Windows function ShellExecute(). Whenever possible, Secunia Research coordinates with the vendor in validating analysis and results, to make sure that customers receive the right information and can expect the appropriate solution.

6 http://www.f-secure.com/weblog/archives/00001303.html
7 http://isc.sans.org/diary.html?storyid=3537


Shortly after, Microsoft released Security Advisory 943521 [8] to inform users that the URI-handling vulnerability was indeed due to a Windows function.

Microsoft patched the vulnerability in the affected Windows versions (XP and Server 2003) in its November Security Bulletin release (MS07-061) [9]. Secunia Research was again credited for working with Microsoft on the issue.

8 http://www.microsoft.com/technet/security/advisory/943521.mspx
9 http://www.microsoft.com/technet/security/Bulletin/MS07-061.mspx

Firefox firefoxurl: URI Handling Vulnerability

This was not the first time that Secunia Research correctly determined the exact root of a URI-handling vulnerability while being at odds with the rest of the industry. Just two weeks before the Windows issue came out, a similar report, also by Rios and McFeters, claimed that Internet Explorer compromised Firefox by allowing improperly formed URIs beginning with "firefoxurl:" to execute.

The report was again picked up as a vulnerability in Internet Explorer, since attack scenarios required that a user be tricked into opening the "firefoxurl:" link using Internet Explorer.

However, upon analysis, Secunia Research determined that because it is Firefox that registers the "firefoxurl:" handler, it is Firefox's responsibility to check whether a URI is malformed. Firefox is the application that actually tries to execute the malformed URI, not Internet Explorer.

The complete vulnerability description is available in Secunia Advisory SA25984.
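The following is an added example written for this page; it is not code from the report, from Secunia, Mozilla or Microsoft. It applies the lesson of both the SA26201 and the firefoxurl: analyses above (the application that registers a handler, or that calls ShellExecute(), is the one that must refuse a malformed URI) as a Python check that recognises the shape of the proof of concept: a "%" followed by an executable extension, directory traversal, quotes or whitespace that split the string into a program and its arguments, and a program name inside the URI. It also pulls the URL property out of a vCard so that the same check can be run on the "Web Page" field mentioned in the Outlook section; the mapping of that field to the vCard URL property, the sample vCard and the benign URIs are all assumptions constructed for the example.

```python
from __future__ import annotations

import re

# Extensions that the original report identified as the trigger: a "%" in the
# URI followed by one of these at the end made ShellExecute() run it as a command.
EXECUTABLE_EXTENSIONS = (".bat", ".cmd")

# Any registered scheme (mailto:, telnet:, news:, firefoxurl:, ...) is checked
# the same way; the scheme itself is not what makes the URI dangerous.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def find_uri_handler_abuse(uri: str) -> list[str]:
    """Return the reasons a URI must not be handed to ShellExecute() or a handler.

    An empty list means the URI passed every check.  The checks encode the
    shape of the 2007 proof of concept, not Microsoft's eventual fix.
    """
    reasons = []
    m = _SCHEME_RE.match(uri)
    if not m:
        return ["no URI scheme"]
    body = uri[m.end():]

    # The exploit pattern itself: "%" somewhere, executable extension at the end.
    if "%" in body and body.lower().rstrip().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("percent sign followed by executable extension")
    # "../" walks out of whatever directory the handler starts in.
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", body):
        reasons.append("directory traversal")
    # Quotes and whitespace are how the PoC splits the string into a program
    # name and its arguments; none of these schemes needs either unescaped.
    if re.search(r'["\s]', body):
        reasons.append("unescaped quote or whitespace")
    # A program name inside the URI (telnet.exe, tftp.exe, ...).
    if re.search(r"\.(exe|bat|cmd)\b", body, re.IGNORECASE):
        reasons.append("executable name inside URI")
    return reasons


def safe_to_dispatch(uri: str) -> bool:
    """True only when find_uri_handler_abuse() has nothing to report."""
    return not find_uri_handler_abuse(uri)


def urls_from_vcard(vcard_text: str) -> list[str]:
    """Extract URL property values from a vCard.

    The "Web Page" field Outlook shows is assumed here to be the standard
    vCard URL property; parameters such as URL;WORK are tolerated.
    """
    urls = []
    for line in vcard_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.split(";")[0].strip().upper() == "URL":
            urls.append(value.strip())
    return urls


# The proof of concept from the report, on one line.
POC_URI = 'mailto:test%../../../../windows/system32/telnet.exe" "secunia.com 80%.bat'

# Constructed sample vCard carrying the PoC in its URL ("Web Page") property.
SAMPLE_VCARD = "\r\n".join([
    "BEGIN:VCARD",
    "VERSION:2.1",
    "N:Doe;John",
    "FN:John Doe",
    "URL;WORK:" + POC_URI,
    "END:VCARD",
])

# Constructed ordinary links that must keep working: percent-encoding alone
# (Bug%20report) is not a finding.
BENIGN_URIS = [
    "mailto:security@example.com?subject=Bug%20report",
    "news:comp.security.announce",
    "telnet://host.example.com:80",
]

if __name__ == "__main__":
    for uri in [POC_URI] + BENIGN_URIS:
        print(uri, "->", find_uri_handler_abuse(uri) or "ok")
    for uri in urls_from_vcard(SAMPLE_VCARD):
        print("vCard URL:", uri, "->", find_uri_handler_abuse(uri) or "ok")
```

The check is deliberately conservative in one direction only: a single "%" is accepted because percent-encoding is legitimate in every one of these schemes, but the combination of "%" with a trailing .bat or .cmd, or any quote or whitespace, is refused outright rather than "fixed", which is exactly the step ShellExecute() on XP and Server 2003 got wrong.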

Fig. 2: The timeline of the Windows URI-handling vulnerability, from the time it was first reported to the release of the official Windows patch.

2007-07-25: Secunia begins researching the reported Firefox vulnerability
2007-07-26: Secunia publishes SA26201, alerting customers to the new vulnerability in Windows
2007-07-30: US-CERT releases an advisory concurring that the vulnerability is in Windows
2007-07-31: Mozilla patches the attack vectors via Firefox and Thunderbird
2007-09-21: Secunia begins researching the reported Adobe Acrobat/Reader vulnerability
2007-10-08: Secunia adds Adobe Acrobat/Reader to the Windows URI advisory, alerting customers to the new attack vector
2007-10-09: Secunia adds Outlook and Outlook Express to the list of known attack vectors based on Secunia Research results
2007-10-11: Microsoft releases Security Advisory 943521 acknowledging the vulnerability in Windows and crediting Secunia
2007-10-23: Adobe patches the attack vector via Adobe Acrobat/Reader
2007-11-13: Microsoft releases MS07-061 to fix the URI-handling vulnerability; credits Secunia for providing details


Software Inspection Yields Results

Secunia's three Software Inspection solutions produce answers, even to questions no one thought to ask

In November 2006, Secunia launched the online Software Inspector, the browser-based version of what was to be the first of three Secunia Software Inspection products.

The online Software Inspector, like its successors the Network Software Inspector (NSI) and the Personal Software Inspector (PSI), uses the Secunia File Signatures and Secunia Advisory Intelligence technologies to inspect the software installed on users' systems down to the version number and determine whether the software is patched or unpatched against known vulnerabilities.

Secunia Online Software Inspector

The top ten most commonly detected applications found by the Software Inspector are shown in Table 1. The percentage of insecure installations is included in parentheses.

Adobe Flash Player is the most popular application, having been detected nearly 2 million times. This is likely due to multiple Adobe Flash installations being detected on a single system.

Multiple Adobe Flash installations can be present on a system because each browser usually requires a different Flash plug-in. This can be confusing for home users who are unaware that a browser plug-in is considered a separate application. However, these plug-in files are just as vulnerable to software issues as other programs, even though they are not of the usual double-click-the-icon-to-execute type. In fact, some of these issues can be exploited via "browse-by" attacks: attacks that merely require a user to visit a web page on which malicious code is hosted.

In addition, Adobe did not remove old versions of Flash when new ones were installed, leading to some confusion about "multiple detections". Older versions of Flash are vulnerable to various security issues, so even though users have the latest version installed, they are potentially still susceptible to exploits that use older vulnerabilities.

Adobe has acknowledged that there is a need to remove older versions of Flash, and has released a single file that removes both the Adobe Flash Player ActiveX control (for Internet Explorer users) and the plug-in (for non-IE users) [1].

Multiple Java installations were also detected on some systems because, similar to Flash, Java does not remove older versions when newer ones are installed. Java has a web site recommending that users retain older versions of Java for compatibility with some applications [2]. However, users should be aware that older versions of Java may contain vulnerabilities, and possibly expose their computers to online threats.

Table 2 shows the top ten most insecure applications based on number of installations. Practically all detected Flash Player installations before version 9 are insecure (Macromedia was acquired by Adobe, leading to the name change), and the fact that older versions are not easy to remove only exacerbates possible problems.

1 http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14157&sliceId=1
2 http://www.java.com/en/download/faq/5000070400.xml

Table 1: Top ten most commonly detected applications, based on the Secunia Software Inspector results from 6 December 2006 to 31 December 2007.

Software | Number of installations (percent insecure)
Adobe Flash Player 9.x | 1,946,674 (30.68%)
Sun Java JRE 1.6.x/6.x | 1,467,944 (26.78%)
Sun Java JRE 1.5.x/5.x | 1,314,356 (63.92%)
Microsoft Outlook Express 6 | 1,271,445 (3.69%)
Microsoft Internet Explorer 7.x | 1,136,007 (7.67%)
Adobe Reader 8.x | 1,041,880 (30.12%)
Microsoft Windows Media Player 11.x | 953,286 (0.38%)
Apple QuickTime 7.x | 865,485 (46.54%)
Mozilla Firefox 2.0.x | 745,958 (10.22%)
Adobe Reader 7.x | 582,026 (76.58%)

However, an interesting fact from the Software Inspector figures is that users tend to patch Microsoft applications more than others. For example, Table 1 contains three Windows applications: Outlook Express, Internet Explorer 7, and Windows Media Player, all of which have insecure installation percentages below 8%. This is significantly less than the percentage of insecure installations for Adobe Flash, Sun Java, and Apple QuickTime.

Of the three, 7.67% of all detected Internet Explorer 7 installations are insecure, while for Outlook Express that number is 3.69%. For Windows Media Player 11.x, the number drops to an even lower 0.38%.

In fact, as seen in Table 3, which contains the top ten most secure applications based on number of detected installations, Microsoft products occupy four of the top ten spots: the three mentioned above, and IE6, of which almost 88% of installations are secure.

Adobe Flash Player 9.x and Sun Java JRE versions 5.x and 6.x are in both Tables 2 and 3 because of the sheer number of installations detected. It should also be noted that these numbers are inflated by the fact that previous versions are not removed by subsequent Flash installations.

Meanwhile, as seen in Table 1, almost 750,000 Mozilla Firefox 2.0.x installations were inspected, two-thirds the number of Internet Explorer 7.x installations. The formerly alternative browser seems to be on its way to the mainstream as its use, and its popularity, grows. Its users also seem to be security-savvy, as only 10% of the detected installations are insecure.

While the Online Software Inspector is a useful tool, and one that can provide information on 60 of the most popular user applications and versions, vulnerabilities affect many more applications than the ones it identifies.

To give home users a more thorough assessment of the security of their installed software, the Secunia Personal Software Inspector was released in July 2007.

Secunia Personal Software Inspector

Since its launch in July 2007, the BETA version of the Secunia Personal Software Inspector (PSI) has been installed more than 190,000 times. As of 31 December 2007, the Secunia PSI is monitoring more than 16 million applications.

While the Online Inspector identified and assessed more than 60 different applications and versions, the Secunia PSI could inspect for over 5,200 different applications and versions, making it more comprehensive and more thorough than the online version.

Table 2: Top ten most insecure applications, based on number of installations. Data taken from Secunia Software Inspector results from 6 December 2006 to 31 December 2007.

Software | Number of insecure installations (percent insecure)
Sun Java JRE 1.5.x/5.x | 840,136 (63.92%)
Adobe Flash Player 9.x | 597,240 (30.68%)
Adobe Reader 7.x | 445,716 (76.58%)
Apple QuickTime 7.x | 402,797 (46.54%)
Sun Java JRE 1.6.x/6.x | 393,115 (26.78%)
Macromedia Flash Player 8.x | 355,087 (99.99%)
Macromedia Flash Player 7.x | 347,726 (100%)
Macromedia Flash Player 6.x | 335,641 (72.13%)
Adobe Reader 8.x | 313,814 (30.12%)
Macromedia Flash Player 5.x | 153,648 (100%)

Table 3: Top ten most secure applications, based on number of installations. Data taken from Secunia Software Inspector results from 6 December 2006 to 31 December 2007.

Software | Number of secure installations (percent secure)
Adobe Flash Player 9.x | 1,349,434 (69.32%)
Microsoft Outlook Express 6 | 1,224,529 (96.31%)
Sun Java JRE 1.6.x/6.x | 1,074,829 (73.22%)
Microsoft Internet Explorer 7.x | 1,048,875 (92.33%)
Microsoft Windows Media Player 11.x | 949,664 (99.62%)
Adobe Reader 8.x | 728,066 (69.88%)
Mozilla Firefox 2.0.x | 669,721 (89.78%)
Sun Java JRE 1.5.x/5.x | 474,220 (36.08%)
Apple QuickTime 7.x | 462,688 (53.46%)
Microsoft Internet Explorer 6.x | 343,188 (87.66%)

Because it detects more products, the Secunia PSI is able to inform users of applications they may have forgotten about, or inadvertently installed (for example, as bundled applications).

Most users are aware of what software they have installed only from the list in the "Add/Remove Programs" section of the Control Panel. However, this list is by no means complete: ActiveX controls, browser plug-ins, software components, and non-installing applications can all be present on a computer and contain vulnerabilities without having an entry in the "Add/Remove" list.

In addition, the Programs list shown when a user clicks "Start > All Programs", or the contents of the "Program Files" folder, is also not comprehensive.

As a consequence, most users may not be aware of the need to apply security updates for applications that are not visible in the "Add/Remove" or "All Programs" lists, especially if the application is not commonly used. However, if vulnerabilities are present in these applications, there is a very real possibility that they can be exploited.

Another fact highlighted by the Secunia PSI for home users is how important it is to patch software. The Secunia PSI tags insecure software and urges users to update to a secure version, and it also presents users with a summary of the vulnerabilities that affect it. This gives users a more tangible sense of the threat their system faces because of the insecure software.

By providing vulnerability information from the Secunia Advisory database, the PSI presents users with the most accurate vulnerability data available: what the possible impacts are, what attack vectors are possible, and where to get the patch, if one is available.

One of the most important observations gathered by the Secunia PSI is that software which uses library files or components from third-party software should be secured by its vendor even though that vendor did not develop the component in the first place.

It is common practice within the software industry for vendors to license and/or buy files from other software development companies. This significantly cuts down development time for crucial projects, and lets vendors add functionality from trusted software developers into their own applications.

This practice yields fruitful results for both the file vendor and the application vendor, as well as being beneficial for end users, who get a more fulfilling experience with the software.

For example, Microsoft's MSXML is a set of services commonly used by developers of Windows applications to make their software compatible with the Windows operating system. Some MSXML files are installed as part of a third-party application to ensure its functionality. If a vulnerability is reported in an MSXML file, Microsoft releases a Security Update for it. However, the security update patches the vulnerability only in the MSXML installation that comes from Microsoft. Vulnerable copies of the files shipped and maintained by a third-party vendor often remain unpatched, and are ultimately the responsibility of the third-party developers.

Developers using licensed and/or purchased components should thus be aware of security issues in these components. It is also vitally important for these vendors to (1) inform end-users of possible threats to their computers if they have the offending file installed as part of another application, and (2) release security updates as necessary.

Table 4: Top ten most commonly detected applications, based on the Secunia PSI results from 24 July to 31 December 2007.

Software | Number of installations
Adobe Flash Player 9.x | 409,813
Sun Java JRE 1.6.x/6.x | 372,393
Microsoft Windows Genuine Advantage 1.x | 262,890
Microsoft Data Access Components (MDAC) 2.x | 200,503
Microsoft Outlook Express 6 | 200,503
Windows NetMeeting 3.x | 191,765
Sun Java JRE 1.5.x/5.x | 186,597
Microsoft Windows Media Player 5.x | 186,165
Microsoft Windows Media Player 6.x | 180,617
Microsoft Removal Tool: Blaster/Nachi | 177,926

This practice is followed by a number of software developers, including Microsoft (who acknowledged that a third-party driver file automatically installed with Windows XP and Server 2003 contained a vulnerability, and provided a Security Bulletin update to address the problem [3]) and IBM (who released their own patches when a vulnerability was disclosed in Autonomy KeyView, which is used by Lotus Notes [4]).

The Secunia PSI BETA also helped users uncover an interesting fact: most Windows users have backup Windows installation folders on their hard disk. While this is no secret to security professionals, it was not at all clear to the bulk of home users who used the Secunia PSI.

These backup folders (usually hidden folders within the Windows system folder, or C:\i386) contain the files used by Windows when it was first installed (from the Windows installation CD) or when service packs were applied. They are important in situations where you need to install a Windows component and have lost the original CD, or where you want to revert to a previous installation or service pack because of compatibility issues with other software or hardware.

The second version of the Secunia PSI BETA came with an "Ignore paths and folders" option. This gives users the choice to tell the Secunia PSI not to inspect certain folders. While Secunia encourages users to use the option sparingly, it is particularly useful when users have backups of several applications, including Windows, stored on their systems.

Of course, while patching is always encouraged, in rare instances updating to a more secure version can have unexpected results. Some applications are designed to work only with specific versions of other applications, such as Java games that require a specific, older version of Java.

In light of such situations, Secunia encourages users to always check with the vendor whether there is any possibility that a patch for one program will adversely affect another, or whether updating from one version to another can result in unexpected behaviour.

3 http://secunia.com/advisories/27285
4 http://secunia.com/advisories/27849
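As an added illustration of the file-signature approach this section describes (example code written for this page, not Secunia's inspector or its signature data), the following Python walks a constructed file inventory for one machine, compares each file's version against a hypothetical "secure from" table, and produces the installations / insecure / percent-insecure figures the tables in this section report. It covers the three points made above: a browser plug-in and an ActiveX control are separate copies of the same product, a stale copy in a backup folder such as C:\i386 is still a finding unless the folder is ignored, and a file that matches no signature is reported as unknown rather than counted as secure. The inventory, the thresholds, the file and product names are all assumptions; none of them should be read as the real patched versions.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Hypothetical "secure from" versions, keyed the way the report's tables name
# products.  Real thresholds come from the vendor advisory and the Secunia
# File Signatures; these values exist only to make the example run.
SECURE_FROM = {
    "Adobe Flash Player 9.x": "9.0.115.0",
    "Sun Java JRE 1.6.x/6.x": "1.6.0.3",
    "Sun Java JRE 1.5.x/5.x": "1.5.0.14",
    "Microsoft XML Core Services (MSXML) 4.x": "4.20.9848.0",
}

# Constructed file inventory for one machine: (path, product, file version).
# On a real host the product and version come from the file's version
# resource, which is why two copies of Flash (ActiveX control for IE and
# NPAPI plug-in for Firefox) and a stale MSXML copy in the C:\i386 backup
# folder all show up even though "Add/Remove Programs" lists none of them.
INVENTORY = [
    (r"C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx", "Adobe Flash Player 9.x", "9.0.115.0"),
    (r"C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll", "Adobe Flash Player 9.x", "9.0.47.0"),
    (r"C:\Program Files\Java\jre1.6.0_03\bin\java.exe", "Sun Java JRE 1.6.x/6.x", "1.6.0.3"),
    (r"C:\Program Files\Java\jre1.5.0_11\bin\java.exe", "Sun Java JRE 1.5.x/5.x", "1.5.0.11"),
    (r"C:\WINDOWS\system32\msxml4.dll", "Microsoft XML Core Services (MSXML) 4.x", "4.20.9848.0"),
    (r"C:\i386\msxml4.dll", "Microsoft XML Core Services (MSXML) 4.x", "4.10.9404.0"),
    (r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR 3.x", "3.71.0.0"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.0.47.0' (or '1.6.0_03') into a tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, comparing numerically and padding the shorter with zeros."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def status_for(product: str, version: str) -> str:
    """'secure', 'insecure', or 'unknown' when no signature covers the product."""
    threshold = SECURE_FROM.get(product)
    if threshold is None:
        return "unknown"
    return "secure" if compare_versions(version, threshold) >= 0 else "insecure"


def inspect(files, ignore_paths=()) -> list[dict]:
    """Classify every file; paths under an ignored prefix are skipped,
    mirroring an 'ignore paths and folders' option for backup copies."""
    results = []
    for path, product, version in files:
        if any(path.lower().startswith(prefix.lower()) for prefix in ignore_paths):
            continue
        results.append({"path": path, "product": product, "version": version,
                        "status": status_for(product, version)})
    return results


def summarize(results) -> dict[str, dict]:
    """Per product: installations, insecure count and percent insecure,
    the same three figures the report's tables show.  Products with
    unknown status are left out rather than counted as secure."""
    counts = defaultdict(lambda: {"installations": 0, "insecure": 0})
    for r in results:
        if r["status"] == "unknown":
            continue
        counts[r["product"]]["installations"] += 1
        if r["status"] == "insecure":
            counts[r["product"]]["insecure"] += 1
    for c in counts.values():
        c["percent_insecure"] = round(100.0 * c["insecure"] / c["installations"], 2)
    return dict(counts)


if __name__ == "__main__":
    for r in inspect(INVENTORY):
        print(f'{r["status"]:8} {r["product"]} {r["version"]}  {r["path"]}')
    print(summarize(inspect(INVENTORY)))
    print(summarize(inspect(INVENTORY, ignore_paths=(r"C:\i386",))))
```

Running it without an ignore list reports the Firefox Flash plug-in, the old Java 5 runtime and the C:\i386 copy of msxml4.dll as insecure even though the IE control, Java 6 and the live msxml4.dll are all current; adding C:\i386 to the ignore list removes only the backup copy, which is the intended, sparing use of the option.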

Secunia launched the first Release Candidate of the PSI on 18 December 2007.

Secunia Network Software Inspector

The Secunia Network Software Inspector is the Software Inspector technology for use in corporate environments. It detects the same number of applications as the Secunia PSI, but has a number of features that make it ideal for a network environment. These include the ability to schedule inspections remotely, perform automatic inspections, and manage data from multiple hosts in a central location.

Table 5: Top ten most insecure applications based on number of installations. Data taken from Secunia PSI results from 24 July to 31 December 2007.

Software                                     Number of Installations
Adobe Flash Player 9.x                       198,331
Sun Java JRE 1.5.x / 5.x                     181,168
Sun Java JRE 1.6.x / 6.x                     146,272
Macromedia Flash Player 6.x                  86,142
Macromedia Flash Player 7.x                  63,166
Sun Java JRE 1.4.x                           62,167
Microsoft XML Core Services (MSXML) 4.x      60,571
Macromedia Flash Player 8.x                  56,111
Apple QuickTime 7.x                          42,168
WinRAR 3.x                                   41,419

Table 6: Top ten most secure applications based on number of installations. Data taken from Secunia PSI results from 24 July to 31 December 2007.

Software                                     Number of Installations
Microsoft Windows Genuine Advantage 1.x      261,580
Sun Java JRE 1.6.x / 6.x                     226,163
Adobe Flash Player 9.x                       211,554
Windows NetMeeting 3.x                       190,109
Microsoft Outlook Express 6                  189,999
Microsoft Windows Media Player 5.x           185,367
Microsoft Removal Tool: Blaster/Nachi        177,309
Microsoft Windows Media Player 6.x           176,655
Microsoft Movie Maker 2.x                    170,930
Microsoft Data Access Components (MDAC) 2.x  165,428


Secunia Research Highlights

In 2007, Secunia discovered more than 150 vulnerabilities in applications from vendors like Samba, Microsoft, Symantec, Novell, Apple, and Adobe

This year has been the most fruitful so far for Secunia Research. Our research team discovered more than 150 vulnerabilities in critical applications from various vendors such as Novell, Symantec, IBM, and Evolution, and in popular user applications such as Quicktime, Gimp, and ACDSee.

All in all, 79 advisories were published, and 24 are pending coordinated disclosure with the vendor.

Table 7 gives a rundown of some of the enterprise software in which Secunia Research discovered vulnerabilities. The number of advisories published for 2007 is shown, with the corresponding number of vulnerabilities covered by the advisories.

The table includes only some of the notable enterprise software in which Secunia Research has discovered vulnerabilities. A full listing of all Secunia Research vulnerability reports is at http://secunia.com/secunia_research/.

It is notable that in 2007, Secunia Research has conducted analysis on more enterprise software than in previous years. For example, for the first time ever, Secunia Research discovered vulnerabilities in Symantec, HP, CA, and McAfee products, as well as in Samba and CUPS.

In addition, the number of vulnerabilities discovered by Secunia has been steadily growing over the past years. Figure 3 shows how many advisories based on in-house research Secunia has published since 2002.

This is because of internal improvements Secunia has made to our Research team, which has expanded to include more of the world’s best security researchers. In addition, our strategy has been modified to allow us to focus on hard-core research and analysis, while at the same time maintaining our expansive Secunia Vulnerability Database.

Some vulnerabilities discovered by our team are featured at the end of this article.

Secunia Research also discovered eleven vulnerabilities in Microsoft products this year, four of which have been published, with seven more pending coordinated disclosure with the vendor [1].

1 http://secunia.com/secunia_research

Figure 3 (Secunia Research): The above figures indicate the number of advisories produced by Secunia per year based on internal Secunia Research results. [Bar chart with one bar per year from 2003 to 2007; the per-year advisory counts are not recoverable from the extracted text.]

Table 7: Number of advisories created by Secunia this year for certain software. Each Secunia advisory may cover more than one vulnerability. Not all vulnerabilities may be publicly disclosed as of 31 December 2007.

Vendor      2007 Advisories    2007 Vulnerabilities
Microsoft   8                  11
Symantec    7                  10
CA          3                  38
IBM         3                  8
HP          2                  5
Samba       2                  2
Novell      1                  8
Adobe       3                  3
McAfee      1                  1
Apple       1                  1


All in all, Secunia has discovered 23 vulnerabilities in various Microsoft products since 2004, 7 of which are pending disclosure.

NCTAudioFile2 ActiveX Control Vulnerability

Among the vulnerabilities discovered this year was a vulnerability in an ActiveX control originally developed by NCT Company Ltd. (now known as Online Media Technologies Ltd.).

The vulnerability is caused by a boundary error in the handling of the “SetFormatLikeSample()” method of the NCTAudioFile2.AudioFile ActiveX control. Passing an argument with a length of approximately 4124 bytes induces a stack-based buffer overflow, making it possible for a remote attacker to execute arbitrary code on the affected system.

Unfortunately the vulnerable file is included in over 40 different media products from 36 other vendors, because the ActiveX controls had been licensed to third-party products by the original developer. As a consequence, these products are affected by the vulnerability as well.

While the use of shared libraries and licensed ActiveX controls significantly cuts down development time for applications, it is just as significant to note that such practices likely result in shared vulnerabilities also. It is therefore necessary for software vendors to ensure that they have an SLA with the original developer of the shared code which guarantees notification and a timely resolution of bugs and security issues. This makes sure that proper coordination and planning is done on both sides, and a solution is delivered on time.

The affected products were identified using the Secunia File Signatures technology. The Secunia Advisory can be read at SA23475 [2].

Evolution Format String Vulnerability

Secunia Researcher Ulf Härnhammar discovered a moderately critical vulnerability in Evolution, which can be exploited by malicious people to compromise a vulnerable system.

2 http://secunia.com/advisories/23475/

Evolution is an integrated email, address book, and calendar application for users of the GNOME desktop. Novell also has its own Evolution application, which was affected by the vulnerability.

A format string error in the “write_html()” function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo’s categories can potentially be exploited to execute arbitrary code on the system via a specially crafted shared memo containing format specifiers.

An attack scenario would be an Evolution user opening a shared memo in his or her mailbox, clicking “Accept”, and viewing the memo under the “Memo” tab.

Various Linux distributions have released patches for the vulnerability. The Secunia Advisory can be read at SA24234 [3].

XMMS Integer Overflow and Underflow Vulnerabilities

Secunia Researcher Sven Krewitt discovered two moderately critical vulnerabilities in XMMS, which can be exploited by malicious people to compromise a user’s system.

XMMS is a popular multimedia player for Linux, and is capable of playing media files such as MP3, WAV, and MOD.

An integer underflow error when processing skin bitmap images can be exploited to cause a stack-based buffer overflow by installing a skin image that contains manipulated header information. Successful exploitation allows arbitrary code to be executed on the system.

An integer overflow error when processing skin bitmap images can be exploited to cause memory corruption by installing a skin image that contains manipulated header information. Successful exploitation may allow arbitrary code to be executed on the system.

Various Linux distributions have released updates for these vulnerabilities. The Secunia Advisory can be read at SA23986 [4].

3 http://secunia.com/advisories/24234/
4 http://secunia.com/advisories/23986/


Irfanview Palette File Vulnerability

Secunia Researcher Stefan Cornelius discovered a moderately critical vulnerability in Irfanview, which can be exploited by malicious people to compromise a user’s system.

Irfanview is a popular free image viewer and editor for Windows systems.

A boundary error when importing palette (*.PAL) files can be exploited to cause a stack-based buffer overflow.

Successful exploitation is possible if a user opens an image and imports a specially crafted .PAL file, and allows arbitrary code to be executed on the system.

The vendor released version 4.10 to resolve the vulnerability. The Secunia Advisory can be read at SA26619 [5].

5 http://secunia.com/advisories/26619/

CUPS Memory Corruption Vulnerability

Secunia Researcher Alin Rad Pop discovered a vulnerability in CUPS, which can be exploited by malicious people to compromise a vulnerable system.

CUPS is the standard printing system in Mac OS X and the majority of Linux distributions. It uses the Internet Printing Protocol, or IPP, to manage print jobs and queues.

The vulnerability is due to a boundary error within the “ippReadIO()” function in cups/ipp.c when processing IPP tags. A specially crafted IPP request containing specially crafted “textWithLanguage” or “nameWithLanguage” tags triggers the vulnerability and overwrites one byte on the stack with a zero.

Successful exploitation allows execution of arbitrary code.

Version 1.3.4 of CUPS resolves the vulnerability. Various Linux distributions have also released updated packages. The Secunia Advisory can be read at SA27233 [6].

Novell Client nwspool.dll Vulnerabilities

Secunia Researcher JJ Reyes discovered multiple vulnerabilities in Novell Client, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Novell Client software enables users to access Novell services by providing access to Novell NetWare and Open Enterprise Server.

The vulnerabilities are caused by boundary errors within nwspool.dll when processing arguments passed to certain RPC requests (such as RpcAddPrinterDriver and RpcGetPrinterDriverDirectory). These can be exploited to cause stack-based buffer overflows via RPC requests containing specially crafted, overly long arguments.

Successful exploitation allows an attacker to crash the service, or execute arbitrary code.

The vendor has provided a patch for the vulnerabilities. The Secunia Advisory can be read at SA26374 [7].

6 http://secunia.com/advisories/27233/

Responsible Disclosure

Any vulnerability discovered by Secunia Research is thoroughly analysed, verified, and tested against possible mitigating factors and conditions that can be present in a typical installation of the application.

If the vulnerability is verified to be present in an application, the vendor is notified with details of the vulnerability along with instructions on how they can replicate it. If requested, we also supply them with proof-of-concept code and other results from Secunia analysis.

Coordinating with the vendor is in line with Secunia’s policy of responsible disclosure. We believe in giving the vendor ample time to become aware of and respond to vulnerability reports. At the same time, we also believe that vulnerability intelligence should be made available in the best possible manner to educate customers and help them make responsible decisions regarding their networks.

Apple Quicktime Java Extension Vulnerability

Secunia Researcher Dyon Balding discovered a highly critical vulnerability in Apple Quicktime, which could be exploited by malicious people to compromise a user’s system.

Apple Quicktime is a highly popular digital media processing and delivery application available for both the Mac operating system and the Windows platform.

The vulnerability is caused by a design error in the security restrictions on subclasses of QTObject, which is the Quicktime for Java base class. The error allows untrusted Java code to subclass Quicktime objects and call unsafe functions from QTJava.dll.

Successful exploitation is possible when a user visits a web site that contains a malicious Java applet, and results in an attacker being able to read and write arbitrary memory locations.

Apple released Quicktime version 7.1.6 to resolve the vulnerability. The Secunia Advisory can be read at SA25130 [8].

Internet Explorer File Download Vulnerability

Secunia Chief Security Specialist Carsten Eiram discovered a vulnerability in Internet Explorer, which could be exploited by malicious people to compromise a user’s system.

An error in the file download queue handling process when performing multiple concurrent download start attempts can be exploited to corrupt memory.

An attack scenario would require that a user visit a specially crafted web page, which results in the use of an already freed object. Successful exploitation allows execution of arbitrary code.

Microsoft released Security Bulletin MS07-057 to resolve the vulnerability. The Secunia Advisory can be read at SA23469 [9].

7 http://secunia.com/advisories/26374/
8 http://secunia.com/advisories/25130/
9 http://secunia.com/advisories/23469/


Binary Analysis, Real Results

The first full year of the Binary Analysis Service was a resounding success, yielding results not just for Security Vendor customers, but also for Secunia Advisories

Secunia Research made waves this year as our Binary Analysis and Exploit Code Services took off. These offerings are part of the Secunia Security Vendor program available to specific, highly specialised customers. Our Binary Analysis Service released more than 300 reports in 2007.

Binary analysis is a highly technical, in-depth analysis method that allows our customers to focus on their security solution for a vulnerability by cutting the time it would normally take them to identify the root cause of the issue and develop appropriate Intrusion Detection (IDS) and anti-virus signatures. Because of its comprehensiveness, it requires more than ten times the period allotted for our normal vulnerability analysis; however, it also yields its worth in additional data.

Ideally, vulnerability analysis is straightforward: the reporter identifies a vulnerable component or function, specifies how it can be triggered or exploited, and then the vendor releases a security update for the affected software.

However, in most instances, binary analysis of the vulnerability yields more information than is currently publicly known, in the form of additional attack vectors, vulnerable components, additional impact, incomplete patches, and upgraded or downgraded criticality.

In some cases, this is because the vendor chooses not to give out more detailed information to prevent malicious parties from using it. After all, too much public information can be leveraged by cyber-criminal organisations against unsuspecting users. Hence, it is up to legitimate researchers and security vendors to perform analysis of a vulnerability to get the whole picture.

It can also be that the reporter of the vulnerability misidentifies the cause of the issue due to inexperience or the difficult nature of the vulnerability. Some vulnerabilities are also notoriously difficult to exploit, leading their discoverers to report them as application crashes when they can actually be exploited to remotely execute code.

Whenever binary analysis results in important information that we feel should be disclosed to our Vulnerability Intelligence (VI) Solutions customers, we inform them by updating our advisories.

For example, a vulnerability in Qbik WinGate was reported in August as a Denial of Service (DoS) condition. WinGate is a gateway/server product used in numerous networks worldwide. It contains an SMTP server component that was discovered to contain a format string vulnerability.

The original report stated that an unsafe call to vsprintf() can cause the server to crash, and that “arbitrary code execution cannot be leveraged from this attack” [1]. Because the vulnerability had been patched by the vendor, the original Secunia advisory had been written as a remote DoS condition.

However, upon analysis of the vulnerability, our researchers found that arbitrary code execution was indeed possible. Not only that, but exploitation was actually straightforward: an attacker merely had to pass specially crafted arguments to a vulnerable command. Based on this information, we updated our advisory to increase the criticality and add the specified impact. This was without a doubt valuable information to customers of the Secunia VI solutions.

But the research did not end there. A few days later, Secunia Research again made the discovery that not only could the vulnerability be leveraged to execute arbitrary code, but that another attack vector existed. The first report stated that the vulnerability existed when processing “[SMTP] commands [that] the server was not expecting”. However, our researchers found that this situation could be triggered in two ways: first by passing SMTP commands not sent in proper sequence, and second by passing legitimate but unimplemented SMTP commands.

1 http://www.harmonysecurity.com/HS-A007.html

Our advisory was then updated to contain the additional attack vector. You can read more about the Qbik WinGate vulnerability at SA26412 [2]. More notable results are given in the sidebar.

Binary Analysis is also done for most Windows Security Updates, based on criticality. Due to the value of Microsoft products to users of all kinds, in-depth analysis of their vulnerabilities is crucial to our customers who deal with securing Microsoft users against specific threats. This is especially important when one considers that Microsoft does not publicly disclose comprehensive vulnerability details, the part most important to Security Vendor customers.

For example, a heap-based buffer overflow within the NNTP protocol handling in Windows Mail and Outlook Express (SA27112 [3]) was reported to possibly allow a remote attacker to gain control of a user’s system.

Both the reporter and the vendor presented a summary of the vulnerability, as is appropriate. Secunia Research released our Binary Analysis of the issue, including the vulnerable function, why it is vulnerable, and exactly where the error takes place within the code. A working exploit was also developed to assist Binary Analysis customers in testing their IDS and AV patterns.

Because of the possibility of false positives, false negatives, incomplete detections, and application functionality breakage, security vendors have to take extra care in creating patterns and signatures for reported vulnerabilities. Secunia Binary Analysis and Exploit Code Development have proven to be a great advantage in this regard.

But in some cases, the extensive data gathered from our analysis has also been beneficial for our VI Solution customers, as our Secunia Advisories are updated with the additional information uncovered by Secunia Research.

2 http://secunia.com/advisories/26412/
3 http://secunia.com/advisories/27112/

We feel it is our responsibility to inform our VI customers of additional information that can assist them in making sound judgements in maintaining and protecting their networks. It is Secunia’s mission to work for higher levels of security, and Secunia Binary Analysis results help do exactly that.

Notable Results from Binary Analysis

Logitech VideoCall was found to have a number of vulnerable ActiveX controls that could be used to compromise a user’s system. In this case, the original reporter had the impact correct, but did not enumerate all the methods affected by the vulnerability, nor the possible attack vectors. Binary Analysis revealed all the vulnerable methods, as well as information on how these could be exploited.

SA25514 Logitech VideoCall Multiple ActiveX Controls Buffer Overflows

The initial report stated that the YVerInfo.GetInfo.1 ActiveX control was vulnerable to buffer overflows in two methods. However, Binary Analysis revealed that more than one ActiveX control contained the vulnerable methods, and that even the technical fix from the vendor was incomplete (as it listed only one CLSID). Customers of the Secunia VI solutions were informed not only of the reported affected control, but also of an additional one, giving them the data to perform the additional steps needed to fix the problem.

SA26579 Yahoo! Messenger YVerInfo.dll ActiveX Control Buffer Overflows

Numerous errors when processing specific arguments and requests were reported and fixed in several CA products. When Secunia performed Binary Analysis, however, we discovered that approximately 60 reported vulnerabilities were still present in the supposedly “patched” version. Binary Analysis also revealed that these vulnerabilities were partly due to the nature of the product code itself, and that unless an overhaul of the code is undertaken, the product remains susceptible to similar types of vulnerabilities.

SA25606 CA ARCServe Backup for Laptops & Desktops Multiple Vulnerabilities


Secunia Advisory Statistics

The Secunia Advisory Statistics shown in this section cover advisories published by Secunia in the period from 1 January 2007 to 31 December 2007.

In reading and analysing the statistics shown in this section, please consider the following situations in which Secunia does not publish an advisory:
• Client crashes for software, for example, browser crashes or unexpected application exits
• Beta products in which the developer explicitly implies that the product is in Beta, for example, Safari Beta in Windows
• Reported issues that have been verified by Secunia Research as incorrect or outright false

It should also be considered that Secunia advisories may contain additional information (in the form of additional vulnerabilities, impact, or criticality) compared to other security research sources, as Secunia Research adds information to advisories as a result of internal research or binary analysis.

Hence there may be discrepancies between the numbers you find here and the numbers made available by other security research sources that do not use the same filters as Secunia does.

All information is taken from the Secunia Advisory Database.

Zero-day vulnerabilities

Secunia defines zero-day vulnerabilities as security issues that are reported to be actively exploited prior to public disclosure.

In the 2006 Report, Secunia reported eleven zero-day vulnerabilities, ten of which were reported for various Microsoft applications (see Figure 4).

However, for 2007 that number rose to 20, a more than 80% increase from 2006. While 2006’s zero-day attacks averaged almost 1 reported per month, this year it was 1.67 per month.

What’s even more surprising is that the number of Microsoft vulnerabilities for which zero-day attacks were reported has fallen to 7. The number of third-party applications that were exploited by zero-day vulnerabilities was 13, including some commonly-used applications like RealPlayer and phpMyForum.

Even a search for virus information on malware that exploits known Microsoft vulnerabilities seems to corroborate the idea that exploitation of Microsoft vulnerabilities is on the decline.

Secunia Virus Information collects, groups, and indexes virus information from seven of the largest anti-virus vendors. If a piece of malware uses a known Microsoft vulnerability to propagate, the anti-virus vendor references the vulnerability by its Microsoft Security Bulletin number.

Figure 4: Zero-day attacks from 2006 - 2007. In 2006, all but one zero-day report concerned a Microsoft vulnerability. In 2007, this number had shrunk to 6 out of 18, a huge decline from 90% the previous year to just 33% this year.

              2006    2007
Microsoft       10       7
Others           1      13*

* One zero-day vulnerability was due to a third-party driver file installed by default in Windows XP and Windows Server 2003, and was later addressed by a Microsoft Security Update (MS07-067), increasing the total number of Microsoft-connected zero-days to eight.


A search for all virus information referencing a Microsoft Security Bulletin from 2007 [1] (beginning with “MS07”) yields only 19 results, while those referencing older vulnerabilities yield far larger numbers: for 2006, there were 247 results [2]; for 2005, there were 340 [3]; and for 2004, the year of the Sasser worm, there were 897 [4].

1 http://secunia.com/search/?adv_search=1&s=1&search=ms07&w=2&vuln_title=1&vuln_software_os=1&vuln_bodytext=1&vuln_cve=1&critical%5B%5D=0&impact%5B%5D=0&where%5B%5D=0

2 http://secunia.com/search/?adv_search=1&s=1&search=ms06&w=2&vuln_title=1&vuln_software_os=1&vuln_bodytext=1&vuln_cve=1&critical%5B%5D=0&impact%5B%5D=0&where%5B%5D=0

3 http://secunia.com/search/?adv_search=1&s=1&search=ms05&w=2&vuln_title=1&vuln_software_os=1&vuln_bodytext=1&vuln_cve=1&critical%5B%5D=0&impact%5B%5D=0&where%5B%5D=0

It seems that as Microsoft users become more and more aware of the need to apply Windows updates, malware writers are adapting as well.

The decline of attacks targeting Microsoft vulnerabilities seems to be explained by statistics gathered by the Secunia Personal Software Inspector (PSI), shown in Table 8.

Out of the top twenty most popular applications based on number of installations, 15 are Microsoft products (including CAPICOM), and only 5 are not. For these Microsoft products, the average percentage of patched installations is 92.08, while for the non-Microsoft products that number is 58.01.
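The two averages quoted above can be reproduced from the Table 8 counts. The following script is an added example and not code from the Secunia report; it embeds the Table 8 installation counts, groups the entries the way the report does (15 Microsoft products, Windows NetMeeting and CAPICOM included), and computes both the unweighted mean of per-application patched percentages that the report quotes and the installation-weighted alternative, which is the figure a practitioner would want when the question is how many machines are actually exposed.

```python
"""Patch-rate summary over the Secunia PSI "top twenty" data in Table 8.

Added example; not code from the Secunia report. The installation counts
are copied from Table 8. The vendor grouping follows the report's own
count of 15 Microsoft products (Windows NetMeeting and CAPICOM included)
and 5 non-Microsoft products.
"""

# (software, detected installations, secure installations), from Table 8.
TABLE_8 = [
    ("Adobe Flash Player 9.x", 409813, 211554),
    ("Sun Java JRE 1.6.x / 6.x", 372393, 226163),
    ("Microsoft Windows Genuine Advantage 1.x", 262890, 261580),
    ("Microsoft Data Access Components (MDAC) 2.x", 200578, 165428),
    ("Microsoft Outlook Express 6", 200503, 189999),
    ("Windows NetMeeting 3.x", 191765, 190109),
    ("Sun Java JRE 1.5.x / 5.x", 186597, 5429),
    ("Microsoft Windows Media Player 5.x", 186165, 185367),
    ("Microsoft Windows Media Player 6.x", 180617, 176655),
    ("Microsoft Removal Tool: Blaster/Nachi", 177926, 177309),
    ("Microsoft Movie Maker 2.x", 171407, 170930),
    ("Microsoft Internet Explorer 7.x", 166540, 156605),
    ("Microsoft .NET Framework 2.x", 159816, 138223),
    ("Microsoft .NET Framework 1.x", 152224, 118944),
    ("Microsoft Windows Messenger 4.x", 150125, 149551),
    ("Microsoft Windows Media Player 11.x", 145951, 142242),
    ("DivX EKG 1.x", 143295, 143095),
    ("Mozilla Firefox 2.0.x", 139505, 104501),
    ("Microsoft XML Core Services (MSXML) 4.x", 131882, 71311),
    ("CAPICOM 2.x", 125791, 124304),
]


def is_microsoft(name):
    """Vendor grouping used by the report: the 'Microsoft ...' entries plus
    Windows NetMeeting and CAPICOM (15 products in total)."""
    return name.startswith(("Microsoft ", "Windows ", "CAPICOM"))


def patched_percent(detected, secure):
    """Share of detected installations that were on a secure version."""
    return 100.0 * secure / detected


def group_averages(rows=TABLE_8):
    """Unweighted mean of the per-application patched percentages for each
    vendor group; this reproduces the report's 92.08 and 58.01.
    Returns {group: (application count, mean percent)}."""
    groups = {"microsoft": [], "other": []}
    for name, detected, secure in rows:
        key = "microsoft" if is_microsoft(name) else "other"
        groups[key].append(patched_percent(detected, secure))
    return {k: (len(v), sum(v) / len(v)) for k, v in groups.items()}


def pooled_percent(rows=TABLE_8, microsoft=True):
    """Installation-weighted alternative: secure installations over detected
    installations summed across the whole group. Large, poorly patched
    products (Flash 9, Java 5) pull this below the unweighted mean."""
    sel = [(d, s) for n, d, s in rows if is_microsoft(n) == microsoft]
    return 100.0 * sum(s for _, s in sel) / sum(d for d, _ in sel)


def least_patched(rows=TABLE_8, n=3):
    """The n applications with the lowest patched share, i.e. where the
    installed base is most exposed."""
    ranked = sorted(rows, key=lambda r: patched_percent(r[1], r[2]))
    return [(name, round(patched_percent(d, s), 2)) for name, d, s in ranked[:n]]


if __name__ == "__main__":
    for group, (count, mean) in group_averages().items():
        print(f"{group:10s} {count:2d} applications, mean patched {mean:.2f}%")
    print("pooled non-Microsoft:", round(pooled_percent(microsoft=False), 2))
    print("least patched:", least_patched())
```

The unweighted mean treats a product with 125,000 installations the same as one with 400,000; the pooled figure weights each product by its installed base and therefore tells you the fraction of actual installations left unpatched, which is the number a signature or patch-management team cares about.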

Because users seem to be getting more security savvy when it comes to patching Microsoft applications, cybercriminals are adjusting by exploiting vulnerabilities in other popular software. This gives them three distinct advantages: (1) popular software means a large pool of possible victims, (2) most vendors do not release security patches on a routine basis like Microsoft, and hence may not have a process in place to address urgent, high-density reports, and (3) users themselves may not be as aware of the need to install updates in non-Microsoft applications, or may find the update process confusing or tedious in the absence of a user interface. Taken together, these three advantages give cybercriminals a bigger window of opportunity to release exploit code.

It should also be noted that zero-day vulnerabilities were reported for three web applications in 2007. This presents an additional attack vector that can be used by cybercriminals. For unpatched client-side application and ActiveX control vulnerabilities, the end user can follow certain steps to ensure that possible exploitation is kept to a minimum. However, when a web application is vulnerable, the person responsible for putting workarounds and solutions in place is usually the application administrator or maintainer. If the vulnerability is a script insertion or cross-site scripting vulnerability, registered users of the web application may be vulnerable until the administrator acts on it.

4 http://secunia.com/search/?adv_search=1&s=1&search=ms04&w=2&vuln_title=1&vuln_software_os=1&vuln_bodytext=1&vuln_cve=1&critical%5B%5D=0&impact%5B%5D=0&where%5B%5D=0

Table 8: Top twenty most popular applications based on Secunia PSI results. Microsoft applications are marked with an asterisk (highlighted in red in the original). Data taken from Secunia PSI results from 24 July to 31 December 2007.

The number in parentheses is the number of secure installations out of the number of detected installations.

Software                                         Number of Installations (secure)
Adobe Flash Player 9.x                           409,813 (211,554)
Sun Java JRE 1.6.x / 6.x                         372,393 (226,163)
Microsoft Windows Genuine Advantage 1.x *        262,890 (261,580)
Microsoft Data Access Components (MDAC) 2.x *    200,578 (165,428)
Microsoft Outlook Express 6 *                    200,503 (189,999)
Windows NetMeeting 3.x *                         191,765 (190,109)
Sun Java JRE 1.5.x / 5.x                         186,597 (5,429)
Microsoft Windows Media Player 5.x *             186,165 (185,367)
Microsoft Windows Media Player 6.x *             180,617 (176,655)
Microsoft Removal Tool: Blaster/Nachi *          177,926 (177,309)
Microsoft Movie Maker 2.x *                      171,407 (170,930)
Microsoft Internet Explorer 7.x *                166,540 (156,605)
Microsoft .NET Framework 2.x *                   159,816 (138,223)
Microsoft .NET Framework 1.x *                   152,224 (118,944)
Microsoft Windows Messenger 4.x *                150,125 (149,551)
Microsoft Windows Media Player 11.x *            145,951 (142,242)
DivX EKG 1.x                                     143,295 (143,095)
Mozilla Firefox 2.0.x                            139,505 (104,501)
Microsoft XML Core Services (MSXML) 4.x *        131,882 (71,311)
CAPICOM 2.x *                                    125,791 (124,304)


In some cases, such as the phpMyForum SQL Injection vulnerability (SA26156 [5]), malicious people could gain access to the administrative section and gather sensitive information, such as email addresses, about registered users.

Secunia expects to see more zero-day vulnerabilities in the future that exploit non-Microsoft applications. In the meantime, users are urged to ensure that their systems are up-to-date against known vulnerabilities, which may also currently be actively exploited.

Web Browser Vulnerabilities

This year, Secunia published advisories for four of the most widely used web browsers: Internet Explorer (IE), Mozilla Firefox, Safari [6], and Opera.

Fourteen vulnerabilities were reported in Safari this year, while fifteen were reported for Opera, one of which applies only if the browser is using a vulnerable version of the Adobe Flash Player (SA24877 [7]).

Forty-three vulnerabilities were reported in Internet Explorer (covering IE 5.x, 6.x, and 7), including both those publicly disclosed prior to a vendor patch and those included in Microsoft Security Bulletins, while a total of 64 vulnerabilities were disclosed for Firefox.

Figure 5 gives a rundown of the number of vulnerabilities for the most popular browsers.

The window of exposure for IE and Firefox is also compared in Table 9 (next page). This table includes only those vulnerabilities that were publicly disclosed by a reporter prior to vendor notification. These numbers do not include vulnerabilities responsibly disclosed or discovered internally by the vendor.

From the figures, Mozilla has patched five out of eight vulnerabilities, three of them in a little more than a week, while Microsoft has patched only three out of ten vulnerabilities, with the earliest patch coming almost three months after disclosure.

5 http://secunia.com/advisories/26156
6 As indicated on the previous page, Secunia did not publish advisories for Safari in Windows, which is currently a Beta program.
7 http://secunia.com/advisories/24877

The criticality of the vulnerabilities in IE is in the less- and not-critical range, while Firefox’s vulnerabilities include one highly critical issue and one moderately critical issue, both patched within eight days.

Browser Plug-ins

For browser plug-ins, the number of vulnerabilities covering ActiveX controls for 2007 was by far the largest, with 339.

ActiveX controls have always been popular in terms of use and abuse (45 Secunia advisories were published concerning them in 2006), but this year the numbers may have been propped up in particular by two events: first, the Month of ActiveX Controls Bugs (MoAXB) in May 2007 [8], and second, the discovery by Secunia Research of a vulnerable ActiveX component that was used in over 40 different products [9].

Figure 6 (next page) contains a summary of the numbers for the different kinds of browser components/plug-ins that had vulnerabilities this year.

While ActiveX controls, widgets, and Firefox extensions can be developed for just about any add-on functionality for a browser, Java, Flash, and Quicktime plug-ins are developed and maintained by their respective vendors.

8 http://moaxb.blogspot.com
9 http://secunia.com/advisories/23475

Figure 5: Number of vulnerabilities for five of the most popular browsers.

Number of vulnerabilities by browser

Browser    In browser only    In 3rd-party components
Firefox    64
Opera      14                 1
Safari     14
IE         43

Operating System Vulnerabilities

This year, Secunia compared the vulnerability reports for five operating systems: Microsoft Windows (98 and onwards); Mac OS X; HP-UX 10.x and 11.x; Solaris 8, 9, and 10; and Red Hat (excluding Fedora).

Red Hat was found to have the largest number of vulnerabilities (633), with 99% (629 vulnerabilities) due to third-party components. Solaris, which had a total of 252 vulnerabilities, came next, with 80% (201) due to third-party components. Apple Mac OS X came third with 235, 62% (146) of which are due to third-party components. Fourth came Windows with 123, but with only 4% due to third-party software. Last came HP-UX with 75 vulnerabilities, 81% (61) of which are due to third-party software.

Figure 7 (next page) shows a summary of the number of vulnerabilities for operating systems.

Table 9: Window of exploitation for vulnerabilities publicly disclosed in both IE and Firefox.

This table considers only those vulnerabilities publicly disclosed without or prior to vendor notification.

For vulnerabilities still unpatched as of 31 December 2007 (shown in red in the original table), the patching date reads "unpatched" and the number of days is counted up to that date.

Secunia Advisory ID   Criticality           Disclosure Date   Patching Date   Number of days before patch release

Internet Explorer
SA23014               Less critical         2007-02-23        2007-10-09      228
SA23655               Not critical          2007-01-09        unpatched       356
SA25564               Less critical         2007-06-06        unpatched       208
SA26427               Not critical          2007-08-13        unpatched       140
SA27007               Not critical          2007-09-28        unpatched        94
SA27901               Less critical         2007-12-04        unpatched        27
SA24314               Less critical         2007-02-26        unpatched       308
SA24535               Less critical         2007-03-15        2007-06-14       91
SA25663               Not critical          2007-06-14        unpatched       200
SA26069               Less critical         2007-07-16        2007-10-09       85

Mozilla Firefox
SA24175               Moderately critical   2007-02-16        2007-02-24        8
SA25481               Not critical          2007-06-01        unpatched       213
SA25904               Not critical          2007-07-02        2007-10-19      109
SA24153               Not critical          2007-02-19        unpatched       315
SA25984               Less critical         2007-07-10        2007-07-18        8
SA25990               Highly critical       2007-07-10        2007-07-18        8
SA27605               Less critical         2007-11-09        2007-11-27       18
SA27907               Not critical          2007-12-04        unpatched        27
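The "window of exploitation" in Table 9 is simply the number of days between public disclosure and the vendor patch, counted up to the report's 31 December 2007 cut-off where no patch exists. The following Python script, an added example rather than code from the report, recomputes that column from the disclosure and patch dates transcribed from Table 9 and checks it against the printed values; it also derives the per-browser numbers a defender would actually track (how many issues remain unpatched, and the median time to patch for those that were fixed). The `Disclosure` class and the function names are this example's own.

```python
"""Window of exploitation for publicly disclosed browser vulnerabilities.

Added example (not code from the Secunia report). The rows are transcribed
from Table 9 of the report; the 31 December 2007 cut-off for unpatched issues
follows the table's note. Class, field and function names are this example's own.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Date up to which the report counts days for issues still unpatched.
CUTOFF = date(2007, 12, 31)


@dataclass(frozen=True)
class Disclosure:
    advisory: str
    product: str
    criticality: str
    disclosed: date
    patched: Optional[date]   # None means still unpatched at CUTOFF
    published_days: int       # the "days before patch release" column as printed

    def window_days(self, cutoff: date = CUTOFF) -> int:
        """Days the issue was public before a patch (or before the cut-off)."""
        end = self.patched if self.patched is not None else cutoff
        return (end - self.disclosed).days


def _row(product, advisory, criticality, disclosed, patched, days):
    return Disclosure(
        advisory, product, criticality,
        date.fromisoformat(disclosed),
        None if patched == "unpatched" else date.fromisoformat(patched),
        days,
    )


IE, FF = "Internet Explorer", "Mozilla Firefox"

# Transcribed from Table 9 of the report.
TABLE9 = [
    _row(IE, "SA23014", "Less critical", "2007-02-23", "2007-10-09", 228),
    _row(IE, "SA23655", "Not critical", "2007-01-09", "unpatched", 356),
    _row(IE, "SA25564", "Less critical", "2007-06-06", "unpatched", 208),
    _row(IE, "SA26427", "Not critical", "2007-08-13", "unpatched", 140),
    _row(IE, "SA27007", "Not critical", "2007-09-28", "unpatched", 94),
    _row(IE, "SA27901", "Less critical", "2007-12-04", "unpatched", 27),
    _row(IE, "SA24314", "Less critical", "2007-02-26", "unpatched", 308),
    _row(IE, "SA24535", "Less critical", "2007-03-15", "2007-06-14", 91),
    _row(IE, "SA25663", "Not critical", "2007-06-14", "unpatched", 200),
    _row(IE, "SA26069", "Less critical", "2007-07-16", "2007-10-09", 85),
    _row(FF, "SA24175", "Moderately critical", "2007-02-16", "2007-02-24", 8),
    _row(FF, "SA25481", "Not critical", "2007-06-01", "unpatched", 213),
    _row(FF, "SA25904", "Not critical", "2007-07-02", "2007-10-19", 109),
    _row(FF, "SA24153", "Not critical", "2007-02-19", "unpatched", 315),
    _row(FF, "SA25984", "Less critical", "2007-07-10", "2007-07-18", 8),
    _row(FF, "SA25990", "Highly critical", "2007-07-10", "2007-07-18", 8),
    _row(FF, "SA27605", "Less critical", "2007-11-09", "2007-11-27", 18),
    _row(FF, "SA27907", "Not critical", "2007-12-04", "unpatched", 27),
]


def mismatches(rows=TABLE9, cutoff=CUTOFF):
    """Advisories whose recomputed window differs from the printed column."""
    return [r.advisory for r in rows if r.window_days(cutoff) != r.published_days]


def summarize(product, rows=TABLE9, cutoff=CUTOFF):
    """(total, still unpatched at cutoff, median days-to-patch of the patched ones)."""
    mine = [r for r in rows if r.product == product]
    patched = [r.window_days(cutoff) for r in mine if r.patched is not None]
    unpatched = sum(1 for r in mine if r.patched is None)
    return len(mine), unpatched, (int(median(patched)) if patched else None)


if __name__ == "__main__":
    print("rows disagreeing with the printed column:", mismatches())
    for product in (IE, FF):
        print(product, summarize(product))
```

Every recomputed window agrees with the printed column, which confirms that the report counts unpatched issues up to 31 December 2007. The summary also makes the table's point sharper than the raw rows do: seven of the ten IE issues were still unpatched at year end with a median of 91 days to patch for the rest, against three of eight for Firefox with a median of 8 days.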

[Figure 6: Number of advisories in various browser plug-ins and add-ons (Quicktime, Flash, Java, ActiveX, widgets and Firefox extensions). The number of ActiveX control vulnerabilities (339) is by far the largest, what with the Month of ActiveX Control Bugs (MoAXB) in May 2007, and the discovery by Secunia Research of a vulnerable ActiveX control that was included in over 40 products.]

As a note for the reader, these figures should not be misinterpreted in any way to determine the "most secure" operating system. A straightforward count of the number of vulnerabilities should be interpreted merely as that: the number of vulnerabilities affecting a particular operating system.

However, to construct an effective scientific analysis of which operating system is the most secure, one requires knowledge and consideration of a number of other factors: for example, Red Hat contains two different browsers and graphical interfaces, a number of PDF readers and image editors, and so on. Red Hat, HP-UX, and Solaris can easily be used as servers, and as such include and support a large number of third-party components, while the same cannot be said of all versions of Windows and Mac OS X. There should also be discussion of the average patching time for vulnerabilities, and whether or not being open source has any effect on that. However, all these considerations are beyond the scope of this document.

Enterprise AV Vendors

This year Secunia collected statistics for the number of vulnerabilities discovered or disclosed in enterprise anti-virus vendors. For these statistics, we considered some of the more well-known anti-virus vendors available in the market.

For the sake of brevity, we considered the vendor's whole inventory of products when counting the vulnerabilities, rather than just counting the vulnerabilities found explicitly in anti-virus products. In addition, some vendors, such as CA and Symantec, have a much larger repertoire of products than others, covering much more than anti-virus suites. It should also be noted that because not all products from these vendors contain anti-virus components, these numbers cannot at face value be taken to determine how secure anti-virus engines are.

Figure 8 contains the numbers in graphical format.

CA leads the way in terms of number of vulnerabilities, with 187. The majority of these vulnerabilities are due to inherent code problems with some CA products, which Secunia uncovered through our Binary Analysis Service (see the story on the Binary Analysis Service).

Next is Symantec with 73, and Trend Micro with 34. A number of the vulnerabilities found in Symantec products are due to their use of vulnerable software from third-party developers, such as the Autonomy Keyview SDK [10].

10 http://secunia.com/advisories/27871/ and http://secunia.com/advisories/27367

[Figure 7: Number of vulnerabilities in five of the most common operating systems. Values recovered from the chart, split into the "In OS only" and "In 3rd-party components" series:]

Operating system   In OS only   In 3rd-party components
Red Hat                     4                       629
Solaris                    51                       201
Mac OS X                   89                       146
Windows                   118                         5
HP-UX                      14                        61

[Figure 8: Number of vulnerabilities disclosed this year, either internally or via third-party reports, for six enterprise anti-virus vendors. Values recovered from the chart:]

Vendor        Vulnerabilities
CA                       187
Symantec                  73
Trend Micro               34
ClamAV                    15
McAfee                    13
F-Secure                   6

ClamAV, the only open-source software in the group, has 15, McAfee has 13, and F-Secure has 6, the lowest number for the group considered in this exercise.

Number of advisories

This year, Secunia published more than 4,600 advisories, bringing the total number of advisories in Secunia's vulnerability intelligence database to 20,407. Vulnerability advisories can be viewed at http://secunia.com.

Figure 9 below shows the progression of the number of published advisories in the Secunia Advisory Database since 2002. This is based on all reports gathered by Secunia from third-party vendors, reports, and researchers, as well as internal research results.

Impact

Figure 10 and Table 10 (next page) show the breakdown over the past five years of the different impacts that vulnerabilities can have on a system, as indicated in Secunia advisories.

Most of this year's vulnerabilities have System Access as their impact, similar to the trend from the previous four years.

Secunia divides all vulnerabilities into twelve different impacts.

Brute force
This impact is used in cases where an application or algorithm allows an attacker to guess passwords in an easy manner.

Cross-Site Scripting
Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system. Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery".

DoS (Denial of Service)
This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

Exposure of sensitive information
This impact is used for vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Exposure of system information
This impact is used for vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) is exposed and can be revealed from remote and in some cases locally.

Hijacking
This covers vulnerabilities where a user session or a communication channel can be taken over by other users or remote attackers.

Manipulation of data
This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily gain escalated privileges or system access. The most frequent type of vulnerability with this impact is SQL injection, where a malicious user or person can manipulate SQL queries.

Privilege escalation
This covers vulnerabilities where a user is able to conduct certain tasks with the privileges of other users or administrative users. This typically includes cases where a local user on a client or server system can gain access to the administrator or root account, thus taking full control of the system.

[Figure 9: The above figures indicate the number of advisories published by Secunia from 2002 to 2007. Values recovered from the chart (the 2002 bar value is not present in the extracted text):]

Year   Advisories
2003         2716
2004         3156
2005         4565
2006         5280
2007         4690

Table and Figure 10: Number of advisories published by Secunia from 2003 to 2007 broken down by impact.

Impact                             2003   2004   2005   2006   2007
System Access                      1020   1156   1698   2148   1981
Denial of Service                   817    950   1208   1572   1523
Cross site scripting                271    347    838   1196    783
Manipulation of Data                111    252    738    845    580
Security Bypass                     230    403    648    763    608
Exposure of sensitive information   482    423    580    620    805
Privilege escalation                471    508    653    390    452
Exposure of system information      212    233    246    225    248
Unknown                               1     61    135     81    119
Spoofing                             45    106    142     75    152
Hijacking                             6     21     25     30     32
Brute force                          13      2      6      1     22

Security Bypass
This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application. The actual impact varies significantly depending on the design and purpose of the affected application.

Spoofing
This covers various vulnerabilities where it is possible for malicious users or people to impersonate other users or systems.

System access
This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Unknown
This impact is used when covering various weaknesses, security issues, and vulnerabilities not covered by the other impact types, or where the impact isn't known due to insufficient information from vendors and researchers.

Criticality

For 2007, almost all advisories were either highly, moderately, or less critical, leaving the most dangerous and least dangerous vulnerabilities at a minimum.

The criticality for a certain vulnerability is based on Secunia's assessment of the vulnerability's possible impact on a system or network, the availability of a vendor-issued solution or patch, the description of workarounds if available, and whether an exploit exists for the vulnerability.

Figure 11 and Table 11 (next page) show the breakdown over the past five years of the different criticalities that vulnerabilities can have on a system, as indicated in Secunia advisories.

Table and Figure 11: Number of advisories published by Secunia from 2003 to 2007 broken down by criticality.

Criticality           2003   2004   2005   2006   2007
Extremely critical      55     15     20     24      2
Highly critical        438    606    851   1244   1149
Moderately critical    893   1229   1817   2206   1675
Less critical         1093   1108   1607   1548   1562
Not critical           237    198    270    258    290

Secunia uses a rating system containing five different levels of criticality:

Extremely Critical
This level is typically used for remotely exploitable vulnerabilities which can lead to system compromise. Successful exploitation of the vulnerability does not normally require any interaction, and the vulnerability is already being actively exploited (or exploits are publicly available). These vulnerabilities can e.g. exist in services like FTP, HTTP, and SMTP or in certain client systems like email programs or browsers.

Highly Critical
This level is typically used for remotely exploitable vulnerabilities which can lead to system compromise. Successful exploitation of the vulnerability does not normally require any interaction, but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers.

Moderately Critical
Typically used for remotely exploitable Denial of Service vulnerabilities against services like FTP, HTTP, and SMTP, and for vulnerabilities which allow system compromise but require user interaction. This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services which are not intended for use over the Internet.

Less Critical
Typically used for cross-site scripting vulnerabilities and privilege escalation vulnerabilities. This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.

Not Critical
Typically used for very limited privilege escalation vulnerabilities and locally exploitable Denial of Service vulnerabilities. This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of the installation path of applications).
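The five level descriptions above can be read as a decision rule: impact first (system compromise, DoS, XSS, privilege escalation, information exposure), then whether the issue is reachable remotely or only on LAN-type services, whether user interaction is needed, and whether an exploit is public at disclosure. The following Python function encodes that rule so the levels can be applied consistently when triaging a batch of findings. It is an added example, not Secunia's own rating code: the `Finding` property model is this example's invention, and it deliberately leaves out the patch and workaround availability that the full Secunia assessment also weighs, since the level descriptions do not reduce those to a rule.

```python
"""Rule-of-thumb mapping of a finding's properties to Secunia's five
criticality levels, following the level descriptions in the 2007 report.

Added example, not Secunia's rating code. The Finding fields are this
example's own model; the real rating also considers patch and workaround
availability, which is not encoded here.
"""
from collections import Counter
from dataclasses import dataclass

EXTREMELY = "Extremely critical"
HIGHLY = "Highly critical"
MODERATELY = "Moderately critical"
LESS = "Less critical"
NOT = "Not critical"
LEVELS = (EXTREMELY, HIGHLY, MODERATELY, LESS, NOT)

IMPACTS = {"system_access", "dos", "xss", "privilege_escalation",
           "sensitive_exposure", "system_info"}


@dataclass(frozen=True)
class Finding:
    impact: str                       # one of IMPACTS
    remote: bool = False              # exploitable over the network
    lan_only: bool = False            # service not meant for the Internet (SMB, RPC, NFS, LPD)
    needs_interaction: bool = False   # victim must e.g. open a file or visit a page
    exploit_public: bool = False      # exploit available / in active use at disclosure
    limited: bool = False             # "very limited" privilege escalation


def rate(f: Finding) -> str:
    """Return the criticality level the report's descriptions imply."""
    if f.impact not in IMPACTS:
        raise ValueError(f"unknown impact {f.impact!r}")
    if f.impact == "system_access":
        if f.remote and not f.lan_only and not f.needs_interaction:
            # Internet-facing compromise with no interaction: a public exploit
            # is what separates Extremely critical from Highly critical.
            return EXTREMELY if f.exploit_public else HIGHLY
        if f.remote or f.lan_only:
            # Compromise that needs user interaction, or is confined to
            # LAN-type services, is Moderately critical.
            return MODERATELY
        # Purely local code execution is not described by the level text;
        # this example treats it like privilege escalation (assumption).
        return LESS
    if f.impact == "dos":
        return MODERATELY if f.remote else NOT
    if f.impact == "privilege_escalation":
        return NOT if f.limited else LESS
    if f.impact in ("xss", "sensitive_exposure"):
        return LESS
    return NOT  # system_info: non-sensitive system information disclosure


def tally(findings):
    """Count findings per level, ordered as in the report's Table 11."""
    counts = Counter(rate(f) for f in findings)
    return {level: counts.get(level, 0) for level in LEVELS}


# Constructed sample findings (not real advisories), one per typical case.
SAMPLE = [
    Finding("system_access", remote=True, exploit_public=True),     # worm-style server bug
    Finding("system_access", remote=True),                          # same, no exploit yet
    Finding("system_access", remote=True, needs_interaction=True),  # browser/file-format bug
    Finding("system_access", lan_only=True),                        # SMB/RPC-type service
    Finding("dos", remote=True),
    Finding("dos"),
    Finding("xss"),
    Finding("privilege_escalation", limited=True),
    Finding("system_info", remote=True),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{rate(f):20s} <- {f}")
    print(tally(SAMPLE))
```

Note how the same underlying flaw moves between levels depending on its exposure: a code-execution bug in a browser that needs the user to visit a page lands at Moderately critical, while the same class of bug in an Internet-facing service with a public exploit is Extremely critical. That is the distinction the report's Table 9 rows reflect when most publicly disclosed browser issues are rated less or not critical.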

How to reach us:
[email protected]
[email protected]

Secunia
Hammerensgade 4, 2nd fl.
DK-1267 Copenhagen K
Denmark
Tel: +45 7020 5144
Fax: +45 7020 5145