SecurityFocus, 2006-12-27
Story continued from Page 1
For flaw finders, fuzzing became all the rage in 2006.
The technique for systematically finding software flaws, which many researchers frowned on as a tool for script kiddies, fueled the release of information on a large number of bugs in browsers, ActiveX, various operating systems' kernels and, likely, Microsoft Office.
The ability to find a large number of flaws quickly led researchers to search for new ways to make a public-relations splash, resulting in two months of daily bugs. The Month of Browser Bugs, spearheaded by well-known security researcher HD Moore, disclosed flaws in Microsoft's Internet Explorer, Mozilla's Firefox, and Apple's Safari. The Month of Kernel Bugs, managed by a security researcher using the handle "LMH," uncovered flaws in the Windows kernel, the Linux kernel, and the Mac OS X operating system.
The large number of flaws found by such techniques helped make 2006 a banner year for bugs.
The number of vulnerabilities reported exceeded 6,400 in 2006, a third higher than the year before, according to data from the National Vulnerability Database, a federally funded effort managed by the National Institute of Standards and Technology (NIST).
Web flaws have replaced other types of bugs as the major source of vulnerabilities. An informal study of the vulnerabilities listed by the Common Vulnerabilities and Exposures (CVE) Project, the source of much of the data for the National Vulnerability Database, found that Web flaws (cross-site scripting flaws, database injection bugs, or PHP file inclusion vulnerabilities) topped the list of flaws found in the first nine months of 2006. The three types of flaws accounted for 45 percent of all vulnerabilities.
"The existence of these web-friendly languages, like PHP, lowers the bar for someone to create a useful application but also lowers the bar for someone to find vulnerabilities in that application," Steven Christey, the editor of the CVE and the author of the draft study, said at the time.
Indeed, a search of the National Vulnerability Database conducted by this reporter found that about 43 percent of the flaws listed in 2006 contain PHP in the description. Randomly checking the bug reports found that each issue could be attributed to a Web application written in the PHP dynamic Web language.
The deluge of flaw reports put the topic of responsible disclosure back in the limelight. Vendors and researchers debated the merits of paying bounties for vulnerabilities, while some researchers attempted to auction off information about previously undisclosed flaws. The prosecution of a security researcher who revealed a flaw in the University of Southern California's online admissions Web database left many flaw finders feeling uneasy.
The researcher, Eric McCarty, eventually agreed to plead guilty.