Symantec Global Internet Security Threat Report

The 321 total vulnerabilities in plug-in technologies for Web browsers in 2009 is lower than the 424 in 2008. Of the total for 2008, 287 vulnerabilities affected ActiveX, which is significantly more than any other plug-in technology. Of the remaining plug-ins for which vulnerabilities were documented, there were 54 vulnerabilities identified in Java SE, 40 in QuickTime, 17 in Adobe Reader, 16 in Adobe Flash Player, and 5 vulnerabilities in Firefox extensions.

Figure 9. Web browser plug-in vulnerabilities (Source: Symantec). Share of plug-in vulnerabilities by technology, 2008 vs. 2009: ActiveX 70% vs. 42%; Java SE 11% vs. 26%; QuickTime 10% vs. 8%; Adobe Reader 4% vs. 15%; Adobe Flash Player 4% vs. 7%; Mozilla extensions 1% vs. 1%.

The decrease in ActiveX plug-in vulnerabilities, to 42 percent of the total in 2009 from 70 percent of the total in 2008, is influenced by a number of factors. Symantec has observed that automated vulnerability discovery tools such as fuzzers were a large factor in the number of ActiveX vulnerabilities published in previous years. As of 2009, hundreds or possibly thousands of ActiveX components have been audited by the security research community. Since much of this vulnerability research can be attributed to a few popular tools, it is likely that these tools are beginning to reach their limitations. New approaches or more in-depth security research techniques may change this trend and result in the discovery of more ActiveX vulnerabilities per year. However, for the moment it appears that this trend is on the decline. Interestingly, a number of vulnerabilities were discovered in one of the tools used for conducting ActiveX vulnerability research. In March 2009, a vulnerability was discovered in the iDefense COMRaider ActiveX fuzzing software.[98] Later, in July 2009, two vulnerabilities were discovered in the same software.[99]

