Web Security Holes: A Tasty Treat for Hackers
Vulnerability watcher Secunia recently posted an advisory about a "moderately critical" flaw in an obscure Web-based software application called Fast Menu Restaurant Ordering, which -- as you might expect -- is used by some dining establishments to allow customers to place orders via the Internet.
The image of hungry hackers taking a bite out of this flaw to order up free late-nite munchies from the local mom-and-pop carry-out is amusing enough, but Secunia says the flaw exists because the application doesn't properly "sanitize" input. Ewww. Don't think I want to be eating at one of those restaurants.
Seriously, though ... I mention this advisory to point out just how many of these types of Web-app security flaws are discovered and reported each week. Once a week, the SANS Institute publishes "@RISK," a newsletter that lists all of the software flaws uncovered in the previous week, and the sheer number of such problems is staggering.
Most of the flaws are exactly the type of vulnerabilities the bad guys are attacking these days. Sure, some are in relatively random apps like the restaurant plug-in, but they still deserve serious attention as they represent another way in and around an organization's or individual's perimeter security defenses.
In the first week of June, SANS tracked some 78 different new flaws in Web-facing applications, many of which are third-party, commercial scripts, plug-ins or program modules for open-source Web platforms like PHP, MySQL, wiki tools and various blog-software packages.
One of the big problems here -- if you operate a Web site that uses multiple scripts, plug-ins and so on from a mix of open-source and private software developers -- is staying on top of security updates for those titles. People running Linux can use various package installers to search for updates, but for most of those applications, users' only real way to keep up is to sign up for an update-alert mailing list.
Almost a decade ago, Microsoft and a company called Marimba proposed a new data standard called the Open Software Description (OSD) format to the World Wide Web Consortium. The idea behind this grand plan was to have software developers encode basic information about their creations in the programs themselves using a cross-platform language like Extensible Markup Language (XML). The thinking was that if enough developers adopted this format, it would help create a common standard for updating software, and make it far easier for developers to automagically "push" updates out to their user base.
At least one notable critic called it a plan to put software retail stores out of business. Needless to say, others were similarly cynical, suspicious or just plain unimpressed, as the proposal did not appear to go anywhere. But to me at least, it doesn't seem to have been such a horrible idea (maybe not in the hands of Redmond but rather in the hands of the open-source software community). Perhaps there are already a bunch of open-source projects starting to come together to foster a larger ecosystem on security updates, but I'm unaware of such a movement. Your thoughts?