According to the Cenzic Q1,Q2 2010 Trends Report, the total number of application vulnerabilities in 2010 increased by 50 percent. In fact, Web application vulnerabilities in the first half of the year were nearly the same as the total number of vulnerabilities in commercial apps discovered during the second half of 2009.
InformationWeek says the news gets worse: 60 percent of the Web vulnerabilities still do not have a fix available, and for 45 percent of them, exploit code is available.
Cenzic found an increasing number of vulnerabilities in Safari and Chrome, which it attributes to WebKit, the open-source rendering engine used in both browsers, as well as iPhone and Android flaws.
Cenzic also lists the 10 most severe vulnerabilities identified during the first half of 2010, which include:
- Oracle Java Deployment Toolkit Java Web Start Argument Injection Arbitrary Program Execution
- Tandberg Video Communication Server Admin Web Console secure.php Crafted HTTP
- Cisco Digital Media Player Unspecified Remote Display Content Injection
- Microsoft IE Dynamic OBJECT Tag Cross-domain Arbitrary File Access
- Linksys WAP54Gv3 firmware