Amid reports of new flaws disclosed within QuickTime, Adobe Reader, and RealPlayer, I had a chance to talk with Chris Wysopal (also known as Weld Pond), who knows a thing or two about software vulnerabilities. He was a member of L0pht, a Boston-based hacking think tank in the 1990s; he started VulnWatch, a mailing list that predated Full Disclosure; and he worked at both @stake and Symantec (which bought @stake). Most recently, Wysopal cofounded Veracode, a company that provides binary analysis to software developers so they can find flaws before they ship their software. But even with companies such as Veracode, the vulnerabilities keep coming. Wysopal offered some perspective.
Any progress?
I asked Wysopal if he's seen any progress toward writing more secure software code. "I think the very large software companies have learned, but I think 90 percent of the industry still isn't there yet. I think there's been some effort on the part of the operating system vendors such as with Windows and OS X and Linux. All three of them in the last couple of years have put in address randomization and stacking areas and things that make it harder for software to be exploited, like buffer-overflow-type issues being exploited."
But overall, Wysopal concludes, "If you look at sort of the vulnerability density in a piece of software that was written five years ago versus today from the average software company, it's pretty much the same."
Blame the Web apps
So the move toward exploiting flaws within individual applications, Wysopal told me, is logical. As Apple and Microsoft have gotten "much better at releasing code," the attackers are looking elsewhere. We've become adept at expecting and installing updates to Windows and Mac OS X, but many applications, such as media players and document viewers, often lack a mechanism for pushing updates to customers, or escape our attention because flaws in them have historically been rare. So it's not the operating system but the Web-browsing environment that's making users vulnerable again.
"If you look at something like buffer overflows," Wysopal said, "there's actually been a pretty constant amount of them over the last five or six years. It really hasn't dipped, but relative to these, some of these new classes which are exploding in quantity, such as the Web-based vulnerabilities like SQL injection and cross-site scripting. They've doubled and tripled the amounts of vulnerabilities for an individual sort of category.... I think the reason is there's more code being written today and it's being written on the Web platform, where these SQL injection and cross-site scripting and things like cross-site request forgery will present themselves when developers don't understand how to take the right care in writing the code securely."
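The two Web-application classes Wysopal names, SQL injection and cross-site scripting, both come from the same mistake: untrusted input is spliced into a string that another parser (the database engine, the browser) then interprets as syntax. The following is an added illustration, not code from the article or from Veracode; it uses an in-memory SQLite table with constructed sample data, and the function names, the `users` table and the `bad.example` strings are assumptions for the demonstration. Each vulnerable function is shown beside its hardened form.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a hobbyist site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection: the query is assembled by string formatting, so a quote in
    the input ends the literal and the rest is executed as SQL."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values as data, so the same
    input is compared as a literal string and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def render_comment_vulnerable(comment):
    """Cross-site scripting: user text is written straight into the HTML, so a
    <script> tag in a comment runs in every visitor's browser."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """HTML-encode the text for the context it lands in; the browser then
    displays the tag characters instead of interpreting them."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload in the password field.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))   # True: authentication bypassed
    print(login_safe(db, "alice", "' OR '1'='1"))         # False: treated as a literal
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
```

The SQL comment form of the same attack (`alice' --` as the user name, which truncates the password check) works against `login_vulnerable` as well; the parameterized version rejects both because neither input is ever seen by the SQL parser.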
Volume, volume, volume
Wysopal thinks the increase in software vulnerabilities is a function of code volume as we shift from "the packaged application written in C or C++ to these Web applications which are written in many different languages, you know, from starting with Perl to PHP and Java, JavaScript, and .NET. So you have lots of different activity, and we still see the same poor quality, poor quality of coding. So we haven't been saved by...shifting a lot of the coding to these new non-C platforms, it's just that the vulnerabilities seem to be different."
The increase in volume, coupled with the end user's desire to see the latest Paris Hilton video, is keeping security vendors very busy. "The idea that a user has any concept of what's being downloaded to their machine when they pull up a Web page is kind of ridiculous. Things [happen], the music just starts playing, files just pop up, there are iframes which will just download the code and display it."
Web vulnerabilities are everywhere
Wysopal cites information from StopBadware, a project based at Harvard University. "They've been studying where all this malicious software is coming from, and they found that they're not coming from porn sites or gambling sites or these places where you think the people operating the sites are shady characters. They're coming from just any old site. It's your knitting site, it's any kind of site that's a hobbyist site. That's because the people who run these kind of Web sites [...] run them, say, on a Linux Web server that's hosted at a facility, and they're running software that's vulnerable to these things like SQL injection and these other vulnerabilities." Often the amateur Web site operator doesn't know enough to update WordPress or whatever package they're running on their site, and the hosting provider isn't going to do it for them.
That makes it easy for the criminals, says Wysopal. "They read about a vulnerability in QuickTime or RealPlayer, they get the exploit on the Net, and then they go and they find a vulnerable Web site. They plant the seeds of destruction there, so someone goes to this unsuspecting Web site and they get owned."
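The "seeds" in practice are usually an iframe injected into the compromised site's pages, sized or styled so the visitor never sees it, pointing at a server that hosts the media-player or document-viewer exploit. A site operator who cannot audit their code can still check their served HTML for that pattern. This is an added detection example, not code from the article or from StopBadware; the sample page, the `HiddenIframeFinder` class and the `bad.example` host are constructed for the illustration, and the hiding heuristics (zero size, `display:none`, `visibility:hidden`, off-screen positioning) are the common ones rather than an exhaustive list.

```python
import re
from html.parser import HTMLParser


def is_hidden(attrs):
    """Heuristics for an iframe the visitor is not meant to see.
    attrs is a dict of lower-cased attribute names to values."""

    def tiny(value):
        # "0", "0px", "1" all count; anything non-numeric is left alone
        m = re.match(r"\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1

    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (
        tiny(attrs.get("width"))
        or tiny(attrs.get("height"))
        or "display:none" in style
        or "visibility:hidden" in style
        or "left:-" in style
        or "top:-" in style
    )


class HiddenIframeFinder(HTMLParser):
    """Collects the src of every iframe that matches the hiding heuristics."""

    def __init__(self):
        super().__init__()
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        if is_hidden(a):
            self.suspicious.append(a.get("src", ""))


def find_hidden_iframes(page_html):
    """Return the src attributes of hidden iframes in a page (empty list if clean)."""
    finder = HiddenIframeFinder()
    finder.feed(page_html)
    finder.close()
    return finder.suspicious


# Constructed sample: a hobbyist page with one legitimate video embed and one
# injected, invisible iframe of the kind a compromised site would carry.
SAMPLE_PAGE = """
<html><body>
<h1>My knitting blog</h1>
<iframe src="http://video.example/embed/123" width="425" height="350"></iframe>
<p>Latest pattern below.</p>
<iframe src="http://bad.example/e.php" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_PAGE):
        print("hidden iframe ->", src)
```

Run it against the HTML your server actually returns to a browser (not the template on disk): injected content is frequently appended at the filesystem level, or only served to certain User-Agent or Referer values, so a fetch that mimics a real visitor is the honest check.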
The vulnerabilities are reported but …
Just before my interview, Wysopal said, he queried the National Vulnerability Database for SQL injection entries published in the previous five days. He found, among others, Web application packages such as Amazing Flash, AFCommerce, JobSite Professional 2.0, emagiC Content Management system, and something called MiniBB. These are PHP or Java applications that people can install on their Web site to add functionality.
"There is no way that everyone who installs those five packages has them patched right now. There's no auto-update for Web server sites. So it just seems to me that this is like a train wreck waiting to happen, where you can combine the client side stuff with the vulnerable Web applications, so then the attacker can just deploy all these bad payloads basically with little effort."
Do you maintain a Web site? Are you up-to-date with all your software packages? TalkBack to me.