Vulnerability Type Distributions in CVE
(note: HTML versions of the tables in this paper are included on the
web site, whose URL is given below. Some mailing list programs seem
to be mishandling the encoding of the HTML tables, or rejecting them
due to size constraints.)
==========================================================
Vulnerability Type Distributions in CVE
==========================================================
Author: Steve Christey
Date: October 4, 2006
Document version: 1.0
URL: http://cwe.mitre.org/documents/vuln-trends.html
This is a draft report and does not represent an official position of
The MITRE Corporation. Copyright (c) 2006, The MITRE Corporation. All
rights reserved. Permission is granted to redistribute this document
if this paragraph is not removed. This document is subject to change
without notice.
=============================
===== Table of Contents =====
=============================
Introduction
Summary of Results
Data Sets
Trend Table Color Key
Table 1 Analysis: Overall Trends
Table 2 and 3 Analysis: OS vs. non-OS
Table 4 Analysis: Open and Closed Source
Possible Future Work
Notes on Potential Bias
(In)Frequently Asked Questions
Credits
References
Flaw Terminology
Table 1: Overall Results
Table 2: OS Vendors
Table 3: OS Vendors vs. Others
Table 4: Open and Closed Source (OS vendors)
========================
===== Introduction =====
========================
For the past 5 years, CVE has been tracking the types of errors that
lead to publicly reported vulnerabilities, and periodically reporting
trends on a limited scale. In support of the Common Weakness
Enumeration (CWE) project [1], and as a result of the interest in this
work as mentioned during the "Year of the web application: Hack & Data
from the Front lines" panel at the 5th Annual Cyber Security Executive
Summit in New York City on September 13, 2006, we have published a
more extensive analysis. An updated version will be released once
2006 is complete.
The primary goal of this study is to better understand research trends
using publicly reported vulnerabilities. It should be noted that the
data is obtained from an uncontrolled population, i.e., decentralized
public reports from a research community with diverse goals and
interests, with an equally diverse set of vendors and developers.
More specialized, exhaustive, and repeatable methods could be devised
to evaluate software security. But until such methods reach maturity
and widespread acceptance, the overall state of software security can
be viewed through the lens of public reports.
==============================
===== Summary of Results =====
==============================
1) The total number of publicly reported web application
vulnerabilities has risen sharply, to the point where they have
overtaken buffer overflows. This is probably due to ease of
detection and exploitation of web vulnerabilities, combined with
the proliferation of low-grade software applications. In 2005 and
2006, cross-site scripting (XSS) was number 1, and SQL injection
was number 2. PHP remote file inclusion is number 3 in 2006;
because it allows arbitrary code execution on a vulnerable server,
this is a worrisome trend, although proper configuration is
frequently enough to eliminate it.
2) Buffer overflows are still the number 1 issue as reported in
operating system (OS) vendor advisories. XSS is still high in this
category, at number 2 in 2005 and number 3 in 2006, although other
web application vulnerabilities appear much less frequently.
3) Integer overflows, barely in the top 10 overall in the past few
years, are in the top 3 for OS vendor advisories. This might
indicate expert researcher interest in high-profile software.
4) There are noticeable differences in the types of vulnerabilities
being reported in open and closed source OS vendor advisories.
These merit further investigation because they might reflect
important differences in development, research, and disclosure
practices.
5) The data is inconclusive regarding whether there is a concrete
improvement in overall software security. While there is a rise in
"new" vulnerability classes, the raw numbers for older classes have
not changed significantly. Further investigation is also required
in this area.
=====================
===== Data Sets =====
=====================
Three main data sets were used in this analysis.
OVERALL: this data set consists of all CVEs that were first publicly
reported in 2001 or later (earlier CVEs do not have the appropriate
fields filled out). CVE includes all types of software, whether from
a major vendor or an individual hobbyist programmer, as long as the
associated vulnerability has been reported by the developer or posted
by a researcher or third party to sources such as mailing lists and
vulnerability databases. CVE only includes distributable software,
i.e., it does not include issues that are reported for custom software
in specific web sites. While CVE data is incomplete, it is estimated
that it is 80% complete relative to all major mailing lists and
vulnerability databases, with the likely exception of data from 2003.
OS VENDOR: this data set identifies CVEs that are associated with
operating system (OS) vendor advisories, which would capture
vulnerabilities in the kernel, as well as applications that are
supported by the OS vendor. The data was limited to CVEs that have
one or more references from the following sources. For open source OS
vendors, the following sources were used: DEBIAN, FREEBSD,
MANDRAKE/MANDRIVA, NETBSD, OPENBSD, REDHAT, and SUSE. The closed
source OS vendors included: AIXAPAR, APPLE, CISCO, HP, MS, MSKB, SCO,
SGI, SUN, and SUNALERT. CVE does not have the internal data fields to
support more fine-grained analysis for major non-OS vendors.
OPEN/CLOSED SOURCE: the open and closed source operating system (OS)
vendor sets were identified using the same methods and categories as
described in the "OS VENDOR" section. Because some closed source vendors such as Apple
have significant codebase overlap with open source products, any
overlapping CVEs were removed from the data set. Both open and closed
sets had at least 1700 vulnerabilities.
In each data set, vulnerabilities were not removed if they were marked
as "disputed." Many disputes are incorrect or unresolved.
=================================
===== Trend Table Color Key =====
=================================
In the HTML pages, the following color key is used for trend tables.
GRAY: used in comparisons to help visually separate one data set from
another
RED: a top 10 for that year
GREEN: during that year, the vulnerability's rank was at least 5
points BELOW the average rank for that vulnerability
YELLOW: during that year, the vulnerability's rank was at least 5
points ABOVE the average rank for that vulnerability
So, green on the left (early years) indicates vulns with RISING
popularity, as does yellow on the right (later years). Green on the
right indicates vulns with FALLING popularity, as does yellow on the
left.
============================================
===== Table 1 Analysis: Overall Trends =====
============================================
The most notable trend is the sharp rise in public reports for
vulnerabilities that are specific to web applications.
Buffer overflows were number 1 year after year, but that changed in
2005 with the rise of web application vulnerabilities, including
cross-site scripting (XSS), SQL injection, and remote file inclusion,
although SQL injection is not limited just to web applications. In
fact, so far in 2006, buffer overflows are only #4.
There are probably several contributing factors to this increase in
web vulnerabilities:
1) The most basic data manipulations for these vulnerabilities are
very simple to perform, e.g., "'" for SQL injection and
"<script>alert('hi')</script>" for XSS. This makes it easy for
beginning researchers to quickly test large amounts of software.
2) There is a plethora of freely available web applications. Much of
the code is alpha or beta, written by inexperienced programmers
with easy-to-learn languages such as PHP, and distributed on
high-traffic sites. The applications might have a small or
non-existent user base. Such software is often rife with
easy-to-find vulnerabilities, and it is often a target for
beginning researchers. The large number of these
"fish-in-a-barrel" applications is probably a major contributor to
the overall trends.
3) With XSS, every input has the potential to be an attack vector,
which does not occur with other vulnerability types. This leaves
more opportunity for a single mistake to occur in a program that
otherwise protects against XSS. SQL injection also has many
potential attack vectors.
4) Despite popular opinion that XSS is easily prevented, it has many
subtleties and variants. Even solid applications can have flaws in
them; consider non-standard browser behaviors that try to "fix"
malformed HTML, which might slip by a filter that uses regular
expressions. Finally, until early 2006, the PHP interpreter had a
vulnerability in which it did not quote error messages, but many
researchers only reported the surface-level "resultant" XSS instead
of figuring out whether there was a different "primary"
vulnerability that led to the error.
5) There is some evidence that over the past couple of years, web
defacers have taken an interest in performing and publishing their
own research. This is probably due to the ease of finding
vulnerabilities, combined with the presence of high-risk problems
such as PHP file inclusion, which can be used to remotely install
powerful, easily-available backdoor code. Based on customer posts
to numerous vendor forums, there is solid evidence that remote file
inclusion is regularly used to compromise web servers, which also
helps to explain its popularity.
Overall Trends: Other Interesting Results
-----------------------------------------
1) For 2006, the top 5 vulnerability types are responsible for 57% of
all CVEs. With over 35 vulnerability types used in this report,
and dozens more as currently identified in CWE, this shows how most
public reports concentrate only on a handful of vulnerability
types.
2) PHP remote file inclusion (php-include) has been steadily gaining
ground since 2001, enough so that it is number 3 at this point in
2006. See items (2) and (5) from the previous section for a
possible explanation.
3) Over the years, there has been a noticeable decline in shell
metacharacters, symbolic link following, and directory traversal.
It is unclear whether software is actually improving with respect
to these problems, or if they are not investigated as frequently.
4) Information leaks (infoleak) appear regularly. There are 2 main
reasons for the prominence: "information leak" is a more general
class than others (see CWE for more precise sub-categories), and
when an error message includes a full path, that is usually
categorized as an information leak, although it might be resultant
from a separate primary vulnerability.
5) The inability to handle malformed inputs (dos-malform), which
usually leads to a crash or hang, is also a general class.
Malformed-input vulnerabilities have not been studied as closely as
injection vulnerabilities, at least with respect to identifying the
root cause of the problem. Also, many reports do not specify how
an input is malformed. There are likely many cases in which a
researcher accidentally triggers a more serious vulnerability but
does not perform sufficient diagnosis to determine the primary
issue. Finally, vendor reports might only identify an issue as
being related to "malformed input," which obscures the primary
cause.
6) As the percentage of buffer overflows has declined, there has been
an increase in related vulnerability types, including integer
overflows (int-overflow), signedness errors, and double frees
(double-free). These are still very low-percentage, probably due
to their relative newness and difficulty of detection compared to
classic overflows. In addition, these newly emerging vulnerability
types might be labeled as buffer overflows, since they often lead
to buffer overflows, and the "buffer overflow" term is used
interchangeably for attack, cause, and effect.
7) Other interesting web application vulnerabilities are webroot
(storage of sensitive files under the web document root),
form-field (web parameter tampering), upload of files with
executable extensions (e.g., file.php.gif), eval injection, and
Cross-Site Request Forgery (CSRF).
==================================================
===== Table 2 and 3 Analysis: OS vs. non-OS ======
==================================================
Given the increase in web application vulnerabilities and the
likelihood that it is partially due to researcher interest in software
with small user bases, an analysis was performed based solely on
advisories from operating system (OS) vendors. These advisories
frequently include the OS kernel and key applications that are
supported by the vendor. See the Data Sets section for more
information. Unfortunately, more precise data sets could not be
generated.
Table 2 provides the data for OS vendor advisories alone. Table 3
contrasts the OS vendor advisories with all other reported issues.
There are several notable results:
1) Integer overflows are heavily represented in OS vendor advisories,
rising to number 2 so far in 2006, even though they represent a
small percentage of vulnerabilities overall. This probably
reflects growing interest by expert researchers in finding integer
overflows, along with the tendency of expert researchers to
evaluate widely deployed software. The affected software ranges
widely, including the kernel, cryptographic modules, and multimedia
file processors such as image viewers and music players. After
2004, many of the reported issues occur in libraries or common
DLLs.
2) Buffer overflows are still #1. This is probably due to
under-representation of web applications in OS advisories, relative
to other CVEs. In addition, as related issues like integer
overflows increase, they might be detected or reported as buffer
overflows, since buffer overflows are frequently resultant from
integer overflows.
3) XSS is still very common, even in OS advisories, and it appears
with the same frequency as integer overflows in 2006. An informal
analysis shows that the affected software includes web servers, web
browsers, email clients, administrative interfaces, and Wiki/CMS.
4) With the exception of XSS, there is a wide gulf between web-related
vulnerabilities in OS advisories and other issues. SQL injection
is not even in the top 10 for OS advisories, and PHP remote file
inclusion is practically nonexistent. Many other web-related
vulnerabilities occupy the bottom of the chart. For SQL injection,
it is possible that most OS-supported applications do not use
databases, or aren't web accessible. SQL injection vulnerabilities
are not web-specific, but it seems that they are rarely reported
for non-web applications, so it is possible that this reflects some
researcher bias.
5) Directory traversal and format string vulnerabilities are
frequently reported at a higher rate in OS vendor advisories than
elsewhere. The reason is unclear, because these vulnerabilities
are not restricted to local attack vectors, so one might expect
that they would also appear regularly in web applications.
However, it is likely that researchers do not focus on format
strings because they are rarely exploitable for code execution in
languages other than C. In the case of PHP, many PHP functions are
subject to both remote file inclusion and directory traversal, and
it might be that only the file inclusion is publicly reported. (In
fact, the overlap is so close that this sometimes causes
difficulties with classification).
6) In 2006 so far, more than a quarter (27%) of the OS vendor
advisories did not have sufficient details to actually classify the
vulnerability (type "unk"). This is in sharp contrast to the
non-OS issues, which comprise less than 8%. However, because of
the data sets in question, the non-OS CVEs will include many
non-coordinated disclosures that would, by their nature, require
more details. The next table will demonstrate that it is not just
closed source vendor advisories that omit sufficient details for
vulnerability classification.
7) The "top 5" and "top 10" vulnerabilities in each year are a much
smaller percentage of total vulnerabilities in OS vendor advisories
than non-OS issues. For example, in 2005, the top 5 totaled 29.4%
for OS issues, but 55% for non-OS. For OS issues, this suggests an
increasing diversity in the kinds of vulnerabilities being
reported, whereas for other issues, that diversity appears to be
decreasing. However, this could be another reflection of the
domination of web application vulnerabilities.
====================================================
===== Table 4 Analysis: Open and Closed Source =====
====================================================
Table 4 compares the vulnerability type distribution between the open
source and closed source operating system (OS) vendors. See the "Data
Sets" section for more information on how the data sets were
generated. As a reminder, CVEs that overlapped both open and closed
source sets were omitted.
IMPORTANT: it is inappropriate to use these results to compare the
relative security of open and closed source products, so the report
excludes raw numbers. Both sets had at least 1700 vulnerabilities.
There are too many variations in vendor advisory release policies,
possible differences in research techniques, and other factors cited
in [2]. And, simply put, there is too much potential for raw numbers
to be misused and misinterpreted.
However, some results pose interesting questions that merit more
in-depth investigation. These discrepancies might reflect differences
in vulnerability research techniques, researcher sub-communities,
vendor disclosure policies, and development practices and APIs, but
this has not been proven.
The research and vendor communities are encouraged to investigate the
underlying causes for these differences, which could provide lessons
learned for all software developers, open and closed source alike.
Some of the most notable results are:
1) The percentage of "unknown" vulnerabilities - those that could not
be classified due to lack of details - is significantly higher in
closed source than open source advisories, and 45% so far for 2006.
With such a wide discrepancy, it is difficult to know whether any
of the remaining results in this section are significant. It
should be noted that 10% of issues in open source advisories do not
have enough details to classify the problem.
2) Buffer overflows are number 1 for both open and closed, with
roughly the same percentage over the years.
3) Symbolic link vulnerabilities appear at a higher rate in open
source than closed source, although this might be due to the
non-Unix OSes in the data set. While Windows has "shortcuts"
(.LNK) that are similar to Unix links, they appear very rarely in
Microsoft advisories, or for Windows-based applications. It is not
clear whether this is due to under-research or API/development
differences. The author recalls that at least one Linux researcher
appeared to concentrate on symbolic link issues in 2004 and 2005,
so researcher bias might also be a factor.
4) Malformed-input vulnerabilities appear more frequently in closed
source advisories than open source. This might be due to a lack of
details in closed source advisories. If an advisory mentions a
problem due to "malformed data," it might be assigned the
dos-malform type. Another factor might be due to black box
techniques. It seems likely that fuzzers and other tools would be
used more frequently against closed source products than open
source, but this is not known.
5) XSS vulnerabilities appear more frequently in open source
advisories than closed, but this might be a reflection of vendor
release policies for advisories. It seems that open source vendors
are more likely to release advisories for smaller packages.
6) Format string vulnerabilities appear more frequently in open
source. There are probably several factors. First, susceptible
API library calls such as printf() are easily found in source code
using crude methods, whereas binary reverse engineering techniques
are not conducted by many researchers (this might also be an
explanation for symbolic link issues). Second, many format string
problems seem to occur in rarely-triggered error conditions, which
makes them more difficult to test with black box methods.
Perhaps most surprising: it appears that, since 2003, the non-Unix
closed source advisories have not mentioned any format strings. It
is not clear why there would be such a radical difference, although
it could be due to the lack of details in those advisories.
7) Integer overflows have been roughly the same rank for open and
closed source. This is a curious similarity, since one might not
expect open and closed source analysis techniques to be equally
capable in finding these problems.
8) Another interesting example is in the use of default passwords.
Over the years, very few open source vendor advisories have
mentioned default passwords, whereas they appear with some
regularity in closed source advisories. It is not clear whether
this is a difference in shipping/configuration practices or vendor
disclosure policies.
9) Shell metacharacter issues appear less frequently in non-Unix
closed source than other closed source advisories. This result was
found by a separate analysis; it is not evident in Table 4. This
could be due to usage patterns of API functions such as
CreateProcess() for Windows, and system() for Unix. This result is
being reported because it is the most concrete example of how API
functions might play a role in implementation-level
vulnerabilities.
================================
===== Possible Future Work =====
================================
1) The vulnerability types could be tied to other CVE-normalized data,
such as IDS, incident databases, or vulnerability scanning results.
This could determine the types of vulnerabilities that are being
actively exploited or detected in real-world enterprises.
2) More precise classification could be informative. Approximately
30% of CVEs have vulnerability types that cannot be described using
the current classification scheme. Another 15% are "unknown"
vulnerabilities whose disclosures do not have sufficient details to
determine any vulnerability type, but this problem is unavoidable,
since some vendors do not release these details.
3) A crude measure of researcher diversity might be possible by
linking data to other vulnerability databases that record this
information. This could be used to determine if the raw number of
researchers is increasing (probably), how that rate is increasing
relative to the number of vulnerabilities (unknown), and how many
different bug types are found by the average researcher (probably
fairly small). If such data is available, then a further breakdown
could be performed based on professional researchers versus others.
4) More precise data sets could be identified, such as a cross-section
of market leaders in various product categories, not just OS vendor
advisories. CVE does not record this type of information.
===================================
===== Notes on Potential Bias =====
===================================
The diversity of both researchers and vendor disclosure practices
introduces several unmeasurable biases, as described in more detail in
[2].
In the overall results, 20% of the 2003 issues have a vulnerability
type of "not specified" by the CVE analyst, which is inconsistent
with statistics from other years. Many of these vulnerabilities were
reviewed after this discovery, and they are in fact of type "other."
This discrepancy has not been sufficiently explained, although it is
probably at least partially due to the relative percentage of CVEs in
OS vendor advisories to other CVEs, since 2003 was a low-output year
for CVE and thus the concentration was in high-priority software.
Some vulnerability types are probably under-represented due to
classification difficulty. For example, the "form-field" type (web
parameter tampering) might occasionally get classified as an
authentication error, depending on how the original researcher reports
the issue.
==========================================
===== (In)Frequently Asked Questions =====
==========================================
1) Why aren't you giving out raw numbers for open vs. closed source?
Answer: we already said why. See paragraph 2 of the Table 4
analysis for a reminder.
2) Why are you releasing this report now, with incomplete 2006 data?
Answer: when MITRE mentioned the preliminary results at the Cyber
Security Executive Summit on September 13, there was a lot more
interest than we had originally anticipated. Subsequent discussion
of the results might help us to provide a better report when 2006
is done.
3) How does this compare with the other summaries you've posted in the
past? Why have the numbers and percentages changed for older
years?
Answer: (1) we occasionally add CVEs for older issues, (2) some of
the previously released summaries were cumulative instead of
offering a year-by-year breakdown, and (3) eventually, as a new
type of vulnerability is reported more frequently, the CVE project
notices it enough to give it a name, or at least a type. Once we
do that, we can go back and update the older CVEs that also had the
issue. However, we often rely on keyword searches in CVE
descriptions for doing these kinds of updates. The earliest
reports of new vulnerability types probably don't get captured
fully, because CVE descriptions frequently vary in the early days
or months of a new vulnerability type. Most updates to these
vulnerability trends trigger an informal review of the "other"
vulnerabilities for the data set in order to update the type
fields.
4) There are a lot more vulnerability types than what you've covered.
Answer: That's an observation, not a question. If a certain
vulnerability type is not on the list, then it probably didn't
appear frequently enough for the CVE project to track closely.
There are several reasons: (1) the vulnerability type is selected
from a large dropdown menu during CVE refinement, but also (2) our
work in the Common Weakness Enumeration (CWE) is producing hundreds
of vuln types, and we want that to become a little more stable
before doing the next round of modifications to CVE data. Finally,
(3) with approximately 3,500 vulnerabilities marked "other" or "not
specified", it is cost-prohibitive to review each CVE when the set
of categories is updated.
5) Why isn't my favorite web vulnerability here?
Answer: Many web vulnerabilities are difficult to classify because
they are "multi-factor," i.e., they are composed of multiple bugs,
weaknesses, and/or design limitations. Other web issues are really
just specialized attacks that use other primary vulnerabilities.
For example, most HTTP response splitting problems rely on CRLF
injection, so they are classified under CRLF injection.
===================
===== Credits =====
===================
Large-scale trend analyses like this are not possible without the body
of knowledge that has been formed by hundreds or thousands of
researchers, from hobbyists to professionals.
Thanks to the following for substantive feedback on the initial draft,
sometimes in the form of a question that required more investigation:
Bill Heinbockel, Chris Wysopal, and Mark Curphey.
======================
===== References =====
======================
[1] CWE, http://cwe.mitre.org
[2] "Open Letter on the Interpretation of 'Vulnerability Statistics'"
Bugtraq, Full-Disclosure
January 5, 2006
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041028.html
============================
===== Flaw Terminology =====
============================
Type: auth
CWE: CWE-289, CWE-288, CWE-302, CWE-305, CWE-294, CWE-290, CWE-287, CWE-303
Description:
Weak/bad authentication problem
Type: buf
CWE: CWE-119, CWE-120, others
Description:
Buffer overflow
Type: CF
CWE: none
Description:
General configuration problem, not perm or default
Type: crlf
CWE: CWE-93
Description:
CRLF injection
Type: crypt
CWE: CWE-310, CWE-311, CWE-347, CWE-320, CWE-325
Description:
Cryptographic error (poor design or implementation), including
plaintext storage/transmission of sensitive information.
Type: CSRF
CWE: CWE-352
Description:
Cross-Site Request Forgery (CSRF)
Type: default
CWE: N/A
Description:
Insecure default configuration, e.g., passwords or permissions
Type: design
CWE: none
Description:
Design problem, generally in protocols or programming languages.
Since 2005, its use has been limited due to the highly general nature
of this type.
Type: dos-flood
CWE: CWE-400
Description:
DoS caused by flooding with a large number of *legitimately formatted*
requests/etc.; normally DoS is a crash, or spending a lot more time on
a task than it "should"
Type: dos-malform
CWE: CWE-238, CWE-234, CWE-166, CWE-230, many others
Description:
DoS caused by malformed input
Type: dos-release
CWE: CWE-404
Description:
DoS because system does not properly release resources
Type: dot
CWE: CWE-22, CWE-23, CWE-36
Description:
Directory traversal (file access via ".." or variants)
Type: double-free
CWE: CWE-415
Description:
Double-free vulnerability
Type: eval-inject
CWE: CWE-95
Description:
Eval injection
Type: form-field
CWE: CWE-472
Description:
CGI program inherently trusts form field that should not be modified
(i.e., should be stored locally)
Type: format-string
CWE: CWE-134
Description:
Format string vulnerability; user can inject format specifiers during
string processing.
Type: infoleak
CWE: CWE-205, CWE-212, CWE-203, CWE-209, CWE-207, CWE-200, CWE-215, others
Description:
Information leak by a product, which is not the result of another
vulnerability; typically by design or by producing different "answers"
that suggest the state; often related to configuration / permissions
or error reporting/handling.
Type: int-overflow
CWE: CWE-190
Description:
A numeric value can be incremented to the point where it overflows and
begins at the minimum value, with security implications. Overlaps
signedness errors.
Type: link
CWE: CWE-61, CWE-64
Description:
Symbolic link following
Type: memleak
CWE: CWE-401
Description:
Memory leak (doesn't free memory when it should); use this instead of
dos-release
Type: metachar
CWE: CWE-78
Description:
Unescaped shell metacharacters or other unquoted "special" char's;
currently includes SQL injection but not XSS.
Type: msdos-device
CWE: CWE-67
Description:
Problem due to file names with MS-DOS device names.
Type: not-specified
CWE: none
Description:
The CVE analyst has not assigned a flaw type to the issue, typically
similar to "other".
Type: other
CWE: none
Description:
Other vulnerability; issue could not be described with an available
type at the time of analysis.
Type: pass
CWE: CWE-259
Description:
Default or hard-coded password
Type: perm
CWE: CWE-276
Description:
Assigns bad permissions, improperly calculates permissions, or
improperly checks permissions
Type: php-include
CWE: CWE-98
Description:
PHP remote file inclusion
Type: priv
CWE: CWE-266, CWE-274, CWE-272, CWE-250, CWE-264, CWE-265, CWE-268, CWE-270,
CWE-271, CWE-269, CWE-267
Description:
Bad privilege assignment, or privileged process/action is
unprotected/unauthenticated.
Type: race
CWE: CWE-362, CWE-366, CWE-364, CWE-367, CWE-421, CWE-368, CWE-363, CWE-370
Description:
General race condition (NOT SYMBOLIC LINK FOLLOWING (link)!)
Type: rand
CWE: CWE-330, CWE-331, CWE-332, CWE-338, CWE-342, CWE-341, CWE-339, others
Description:
Generation of insufficiently random numbers, typically by using easily
guessable sources of "random" data
Type: relpath
CWE: CWE-426, CWE-428, CWE-114
Description:
Untrusted search path vulnerability - Relies on search paths to find
other executable programs or files, opening up to Trojan horse
attacks, e.g., PATH environment variable in Unix.
Type: sandbox
CWE: CWE-265
Description:
Java/etc. sandbox escape - NOT BY DOT-DOT!
Type: signedness
CWE: CWE-195, CWE-196
Description:
Signedness error; a numeric value in one format/representation is
improperly handled when it is used as if it were another
format/representation. Overlaps integer overflows and array index
errors.
Type: spoof
CWE: CWE-290, CWE-350, CWE-347, CWE-345, CWE-247, CWE-292, CWE-291
Description:
Product is vulnerable to spoofing attacks, generally by not properly
verifying authenticity.
Type: sql-inject
CWE: CWE-89
Description:
SQL injection vulnerability
Type: type-check
CWE: unknown
Description:
Product incorrectly identifies the type of an input parameter or file,
then dispatches the wrong "executable" (possibly itself) to process
the input, or otherwise misrepresents the input in a security-critical
way.
Type: unk
CWE: none
Description:
Unknown vulnerability; report is too vague to determine type of issue.
Type: upload
CWE: CWE-434
Description:
Product does not restrict the extensions for files that can be
uploaded to the web server, leading to code execution if executable
extensions are used in filenames, such as .asp, .php, and .shtml.
Type: webroot
CWE: CWE-219, CWE-433
Description:
Storage of sensitive data under web document root with insufficient
access control.
Type: XSS
CWE: CWE-79, CWE-80, CWE-87, CWE-85, CWE-82, CWE-81, CWE-83, CWE-84
Description:
Cross-site scripting (aka XSS)
====================================
===== Table 1: Overall Results =====
====================================
                    TOTAL      2001       2002       2003       2004       2005       2006
                    (16192)    (1434)     (2138)     (1173)     (2534)     (4538)     (4375)
                    ---------- ---------- ---------- ---------- ---------- ---------- ----------
[ 1] XSS            13.9% ( 1) 02.2% (11) 08.7% ( 2) 07.5% ( 2) 10.9% ( 2) 16.0% ( 1) 21.5% ( 1)
                    2247       32         187        88         276        725        939
[ 2] buf            13.3% ( 2) 19.5% ( 1) 20.3% ( 1) 22.5% ( 1) 15.4% ( 1) 09.8% ( 3) 07.9% ( 4)
                    2156       279        433        264        391        445        344
[ 3] sql-inject     08.7% ( 3) 00.4% (27) 01.8% (12) 03.0% ( 4) 05.5% ( 3) 12.9% ( 2) 14.0% ( 2)
                    1416       6          38         35         140        584        613
[ 4] dot            04.7% ( 4) 08.9% ( 2) 05.1% ( 3) 02.9% ( 5) 04.1% ( 4) 04.3% ( 4) 04.4% ( 5)
                    764        127        110        34         104        195        194
[ 5] php-include    03.5% ( 5) 00.1% (31) 00.3% (30) 00.8% (15) 01.4% (10) 02.1% ( 6) 09.5% ( 3)
                    561        1          6          9          36         95         414
[ 6] infoleak       03.3% ( 6) 02.6% ( 9) 04.2% ( 5) 02.6% ( 7) 03.7% ( 5) 03.9% ( 5) 02.6% ( 6)
                    540        37         89         30         95         175        114
[ 7] dos-malform    02.9% ( 7) 04.8% ( 3) 05.1% ( 4) 02.5% ( 8) 03.4% ( 6) 01.8% ( 8) 02.0% ( 7)
                    463        69         110        29         87         82         86
[ 8] link           02.0% ( 8) 04.5% ( 4) 02.1% ( 9) 03.5% ( 3) 02.8% ( 7) 01.9% ( 7) 00.5% (16)
                    329        64         45         41         72         87         20
[ 9] format-string  01.8% ( 9) 03.2% ( 7) 01.8% (11) 02.7% ( 6) 02.4% ( 8) 01.7% ( 9) 01.0% (10)
                    296        46         39         32         61         76         42
[10] crypt          01.6% (10) 03.8% ( 6) 02.7% ( 6) 01.5% ( 9) 00.9% (16) 01.5% (10) 00.9% (11)
                    261        55         58         18         22         68         40
[11] priv           01.4% (11) 02.5% (10) 02.2% ( 8) 01.0% (12) 01.3% (11) 01.5% (11) 00.9% (12)
                    233        36         46         12         32         67         40
[12] metachar       01.3% (12) 03.8% ( 5) 02.6% ( 7) 00.7% (17) 01.0% (14) 01.3% (12) 00.3% (20)
                    218        55         56         8          26         59         14
[13] perm           01.3% (13) 02.7% ( 8) 01.8% (10) 01.3% (11) 00.9% (15) 01.1% (13) 01.1% ( 9)
                    215        39         39         15         24         48         50
[14] int-overflow   01.0% (14) 00.1% (32) 00.4% (22) 01.4% (10) 01.9% ( 9) 00.8% (15) 01.2% ( 8)
                    160        1          8          16         47         36         52
[15] dos-flood      00.8% (15) 02.0% (12) 01.7% (13) 00.5% (19) 01.2% (12) 00.2% (27) 00.4% (17)
                    131        29         36         6          31         10         19
[16] pass           00.8% (16) 01.1% (18) 01.3% (14) 00.2% (28) 01.1% (13) 00.8% (14) 00.4% (18)
                    125        16         27         2          28         36         16
[17] auth           00.8% (17) 01.5% (13) 01.3% (15) 00.5% (20) 00.7% (17) 00.5% (19) 00.7% (14)
                    124        22         27         6          17         21         31
[18] webroot        00.5% (18) 00.1% (29) 00.2% (32) 00.3% (24) 00.2% (30) 00.7% (16) 00.9% (13)
                    88         2          5          3          5          33         40
[19] form-field     00.5% (19) 00.7% (24) 00.8% (17) 00.5% (21) 00.2% (27) 00.4% (20) 00.5% (15)
                    81         10         17         6          6          19         23
[20] relpath        00.4% (20) 00.8% (22) 00.3% (29) 00.9% (14) 00.6% (18) 00.3% (22) 00.3% (21)
                    71         12         6          10         14         15         14
[21] race           00.4% (21) 00.5% (26) 00.4% (24) 00.6% (18) 00.4% (21) 00.6% (17) 00.3% (24)
                    69         7          8          7          10         26         11
[22] memleak        00.4% (22) 01.1% (17) 00.2% (31) 00.4% (22) 00.5% (19) 00.3% (23) 00.2% (27)
                    61         16         5          5          13         15         7
[23] msdos-device   00.4% (23) 01.0% (20) 00.6% (19) 00.9% (13) 00.2% (23) 00.2% (28) 00.0% (32)
                    57         15         13         11         6          10         2
[24] crlf           00.3% (24) 00.0% N/A  00.2% (33) 00.1% (30) 00.5% (20) 00.4% (21) 00.3% (19)
                    49         0          4          1          13         17         14
[25] default        00.3% (26) 01.1% (16) 00.7% (18) 00.1% (33) 00.2% (26) 00.1% (33) 00.1% (29)
                    48         16         16         1          6          3          6
[26] spoof          00.3% (25) 01.0% (19) 00.3% (28) 00.1% (32) 00.1% (33) 00.2% (26) 00.3% (25)
                    48         15         7          1          3          11         11
[27] sandbox        00.3% (27) 01.2% (15) 01.0% (16) 00.0% N/A  00.2% (29) 00.0% (34) 00.0% N/A
                    46         17         22         0          5          2          0
[28] rand           00.3% (28) 01.2% (14) 00.6% (20) 00.3% (25) 00.2% (32) 00.0% (35) 00.2% (26)
                    45         17         12         3          4          2          7
[29] upload         00.3% (29) 00.0% N/A  00.0% (36) 00.1% (29) 00.2% (24) 00.5% (18) 00.3% (22)
                    43         0          1          1          6          22         13
[30] signedness     00.2% (30) 00.1% (30) 00.4% (23) 00.8% (16) 00.2% (25) 00.3% (24) 00.0% (34)
                    38         1          8          9          6          12         2
[31] dos-release    00.2% (31) 00.9% (21) 00.5% (21) 00.2% (27) 00.2% (31) 00.0% N/A  00.0% N/A
                    30         13         10         2          5          0          0
[32] CF             00.2% (32) 00.7% (23) 00.3% (27) 00.2% (26) 00.0% N/A  00.1% (31) 00.1% (28)
                    29         10         7          2          0          4          6
[33] eval-inject    00.2% (33) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% (34) 00.2% (25) 00.3% (23)
                    25         0          0          0          1          11         13
[34] design         00.1% (34) 00.6% (25) 00.4% (26) 00.1% (31) 00.0% (35) 00.1% (32) 00.0% (31)
                    23         8          8          1          1          3          2
[35] double-free    00.1% (35) 00.0% N/A  00.1% (34) 00.3% (23) 00.2% (22) 00.1% (30) 00.1% (30)
                    21         0          2          4          6          5          4
[36] CSRF           00.1% (37) 00.0% N/A  00.0% (35) 00.0% N/A  00.2% (28) 00.2% (29) 00.0% (33)
                    16         0          1          0          5          8          2
[37] type-check     00.1% (36) 00.4% (28) 00.4% (25) 00.0% N/A  00.0% N/A  00.0% (36) 00.0% (35)
                    16         6          8          0          0          1          1
-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a unk             09.0% N/A  07.9% N/A  07.1% N/A  07.0% N/A  08.2% N/A  08.9% N/A  11.5% N/A
                    1460       114        151        82         209        402        502
n/a other           15.2% N/A  16.7% N/A  19.0% N/A  11.8% N/A  17.2% N/A  13.1% N/A  14.9% N/A
                    2468       239        407        139        435        595        653
n/a not-specified   06.9% N/A  00.1% N/A  03.1% N/A  20.5% N/A  11.3% N/A  11.3% N/A  00.3% N/A
                    1121       2          66         240        286        513        14
===============================
===== Table 2: OS Vendors =====
===============================
                    TOTAL      2001       2002       2003       2004       2005       2006
                    (4418)     ( 443)     ( 660)     ( 527)     ( 736)     (1199)     ( 853)
                    ---------- ---------- ---------- ---------- ---------- ---------- ----------
[ 1] buf            20.0% ( 1) 21.0% ( 1) 26.8% ( 1) 24.9% ( 1) 20.4% ( 1) 16.2% ( 1) 16.1% ( 1)
                    882        93         177        131        150        194        137
[ 2] link           04.0% ( 2) 07.4% ( 2) 03.3% ( 4) 04.0% ( 2) 05.2% ( 2) 04.0% ( 3) 01.8% ( 5)
                    177        33         22         21         38         48         15
[ 3] dos-malform    03.7% ( 3) 05.6% ( 3) 06.1% ( 2) 02.7% ( 4) 04.5% ( 4) 01.8% ( 7) 03.3% ( 4)
                    162        25         40         14         33         22         28
[ 4] XSS            03.4% ( 4) 01.6% (12) 04.4% ( 3) 03.0% ( 3) 01.4% ( 7) 04.2% ( 2) 04.7% ( 3)
                    152        7          29         16         10         50         40
[ 5] int-overflow   02.7% ( 5) 00.0% N/A  01.2% (12) 02.3% ( 6) 04.6% ( 3) 02.1% ( 6) 04.7% ( 2)
                    119        0          8          12         34         25         40
[ 6] format-string  02.4% ( 6) 05.2% ( 4) 01.5% (10) 02.3% ( 5) 02.6% ( 5) 02.4% ( 5) 01.6% ( 7)
                    107        23         10         12         19         29         14
[ 7] priv           02.0% ( 7) 04.1% ( 5) 02.3% ( 6) 00.8% (13) 00.8% (14) 02.6% ( 4) 01.6% ( 6)
                    88         18         15         4          6          31         14
[ 8] perm           01.8% ( 8) 04.1% ( 6) 02.1% ( 7) 01.1% (11) 01.1% (10) 01.7% ( 8) 01.4% ( 9)
                    78         18         14         6          8          20         12
[ 9] dot            01.4% ( 9) 01.6% (13) 01.5% ( 9) 01.1% ( 8) 01.6% ( 6) 01.3% (12) 01.6% ( 8)
                    64         7          10         6          12         15         14
[10] metachar       01.2% (10) 02.0% ( 9) 02.6% ( 5) 00.8% (16) 00.7% (17) 01.3% (11) 00.4% (19)
                    53         9          17         4          5          15         3
[11] infoleak       01.2% (11) 00.9% (20) 01.2% (13) 01.1% ( 9) 01.1% ( 9) 01.3% (10) 01.2% (10)
                    52         4          8          6          8          16         10
[12] race           01.0% (12) 01.1% (17) 00.9% (15) 00.4% (19) 01.0% (11) 01.6% ( 9) 00.7% (13)
                    45         5          6          2          7          19         6
[13] memleak        00.8% (13) 02.0% (10) 00.6% (19) 00.8% (14) 01.0% (12) 00.9% (14) 00.2% (23)
                    37         9          4          4          7          11         2
[14] sql-inject     00.8% (14) 00.2% (27) 00.6% (21) 01.1% (10) 00.7% (16) 00.9% (13) 00.9% (11)
                    35         1          4          6          5          11         8
[15] crypt          00.8% (15) 01.6% (14) 01.4% (11) 01.1% ( 7) 00.4% (18) 00.4% (18) 00.5% (16)
                    34         7          9          6          3          5          4
[16] sandbox        00.7% (16) 02.7% ( 7) 02.1% ( 8) 00.0% N/A  00.1% (23) 00.2% (28) 00.0% N/A
                    29         12         14         0          1          2          0
[17] relpath        00.6% (18) 01.6% (11) 00.3% (28) 00.4% (18) 01.1% ( 8) 00.3% (27) 00.7% (14)
                    28         7          2          2          8          3          6
[18] dos-flood      00.6% (17) 02.5% ( 8) 00.6% (20) 00.2% (22) 00.3% (20) 00.3% (25) 00.8% (12)
                    28         11         4          1          2          3          7
[19] auth           00.5% (20) 01.4% (15) 01.1% (14) 00.6% (17) 00.3% (21) 00.3% (21) 00.2% (24)
                    24         6          7          3          2          4          2
[20] signedness     00.5% (19) 00.2% (24) 00.9% (16) 00.9% (12) 00.4% (19) 00.6% (15) 00.2% (25)
                    24         1          6          5          3          7          2
[21] pass           00.5% (21) 00.2% (25) 00.8% (17) 00.2% (20) 00.8% (15) 00.3% (24) 00.5% (15)
                    21         1          5          1          6          4          4
[22] double-free    00.4% (22) 00.0% N/A  00.3% (29) 00.8% (15) 00.8% (13) 00.3% (20) 00.4% (18)
                    19         0          2          4          6          4          3
[23] rand           00.3% (23) 01.4% (16) 00.5% (22) 00.2% (27) 00.1% (24) 00.0% N/A  00.2% (27)
                    13         6          3          1          1          0          2
[24] crlf           00.2% (25) 00.0% N/A  00.5% (23) 00.2% (25) 00.0% N/A  00.4% (17) 00.2% (20)
                    11         0          3          1          0          5          2
[25] spoof          00.2% (24) 00.2% (26) 00.3% (26) 00.0% N/A  00.0% N/A  00.3% (23) 00.5% (17)
                    11         1          2          0          0          4          4
[26] form-field     00.2% (26) 00.5% (22) 00.3% (27) 00.2% (21) 00.0% N/A  00.4% (16) 00.0% N/A
                    10         2          2          1          0          5          0
[27] default        00.2% (27) 00.2% (28) 00.5% (24) 00.0% N/A  00.1% (22) 00.3% (26) 00.2% (21)
                    10         1          3          0          1          3          2
[28] type-check     00.2% (28) 00.7% (21) 00.6% (18) 00.0% N/A  00.0% N/A  00.1% (30) 00.0% N/A
                    8          3          4          0          0          1          0
[29] CF             00.2% (29) 00.9% (18) 00.2% (31) 00.2% (26) 00.0% N/A  00.0% N/A  00.1% (29)
                    7          4          1          1          0          0          1
[30] dos-release    00.2% (30) 00.9% (19) 00.3% (25) 00.2% (23) 00.0% N/A  00.0% N/A  00.0% N/A
                    7          4          2          1          0          0          0
[31] php-include    00.1% (31) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.3% (19) 00.2% (26)
                    6          0          0          0          0          4          2
[32] eval-inject    00.1% (32) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.3% (22) 00.2% (22)
                    6          0          0          0          0          4          2
[33] design         00.1% (33) 00.2% (23) 00.3% (30) 00.2% (24) 00.0% N/A  00.1% (31) 00.0% N/A
                    5          1          2          1          0          1          0
[34] webroot        00.0% (35) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (28)
                    1          0          0          0          0          0          1
[35] upload         00.0% (36) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (32) 00.0% N/A
                    1          0          0          0          0          1          0
[36] CSRF           00.0% (34) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (29) 00.0% N/A
                    1          0          0          0          0          1          0
-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a unk             16.0% N/A  12.4% N/A  12.6% N/A  10.4% N/A  12.2% N/A  16.1% N/A  27.2% N/A
                    708        55         83         55         90         193        232
n/a other           16.4% N/A  15.3% N/A  15.6% N/A  12.0% N/A  12.2% N/A  14.4% N/A  26.6% N/A
                    724        68         103        63         90         173        227
n/a not-specified   14.3% N/A  00.2% N/A  05.9% N/A  26.0% N/A  24.6% N/A  22.2% N/A  00.8% N/A
                    631        1          39         137        181        266        7
==========================================
===== Table 3: OS Vendors vs. Others =====
==========================================
                    TOTAL      2001       2002       2003       2004       2005       2006
                    ---------- ---------- ---------- ---------- ---------- ---------- ----------
OS-ven              4418       443        660        527        736        1199       853
Other               11774      991        1478       646        1798       3339       3522
                    ---------- ---------- ---------- ---------- ---------- ---------- ----------
[ 1] XSS            03.4% ( 4) 01.6% (13) 04.4% ( 3) 03.0% ( 3) 01.4% ( 7) 04.2% ( 2) 04.7% ( 2)
                    152        7          29         16         10         50         40
****                17.8% ( 1) 02.5% ( 8) 10.7% ( 2) 11.1% ( 2) 14.8% ( 1) 20.2% ( 1) 25.5% ( 1)
                    2095       25         158        72         266        675        899
[ 2] buf            20.0% ( 1) 21.0% ( 1) 26.8% ( 1) 24.9% ( 1) 20.4% ( 1) 16.2% ( 1) 16.1% ( 1)
                    882        93         177        131        150        194        137
****                10.8% ( 3) 18.8% ( 1) 17.3% ( 1) 20.6% ( 1) 13.4% ( 2) 07.5% ( 3) 05.9% ( 4)
                    1274       186        256        133        241        251        207
[ 3] sql-inject     00.8% (14) 00.2% (27) 00.6% (19) 01.1% ( 8) 00.7% (16) 00.9% (13) 00.9% (11)
                    35         1          4          6          5          11         8
****                11.7% ( 2) 00.5% (26) 02.3% ( 8) 04.5% ( 3) 07.5% ( 3) 17.2% ( 2) 17.2% ( 2)
                    1381       5          34         29         135        573        605
[ 4] dot            01.4% ( 9) 01.6% (14) 01.5% ( 9) 01.1% (10) 01.6% ( 6) 01.3% (11) 01.6% ( 8)
                    64         7          10         6          12         15         14
****                05.9% ( 4) 12.1% ( 2) 06.8% ( 3) 04.3% ( 4) 05.1% ( 4) 05.4% ( 4) 05.1% ( 5)
                    700        120        100        28         92         180        180
[ 5] php-include    00.1% (32) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.3% (19) 00.2% (27)
                    6          0          0          0          0          4          2
****                04.7% ( 5) 00.1% (30) 00.4% (22) 01.4% (11) 02.0% ( 8) 02.7% ( 6) 11.7% ( 3)
                    555        1          6          9          36         91         412
[ 6] infoleak       01.2% (11) 00.9% (20) 01.2% (13) 01.1% (11) 01.1% ( 9) 01.3% (10) 01.2% (10)
                    52         4          8          6          8          16         10
****                04.1% ( 6) 03.3% ( 6) 05.5% ( 4) 03.7% ( 5) 04.8% ( 5) 04.8% ( 5) 03.0% ( 6)
                    488        33         81         24         87         159        104
[ 7] dos-malform    03.7% ( 3) 05.6% ( 3) 06.1% ( 2) 02.7% ( 4) 04.5% ( 4) 01.8% ( 7) 03.3% ( 4)
                    162        25         40         14         33         22         28
****                02.6% ( 7) 04.4% ( 5) 04.7% ( 5) 02.3% ( 8) 03.0% ( 6) 01.8% ( 8) 01.6% ( 7)
                    301        44         70         15         54         60         58
[ 8] link           04.0% ( 2) 07.4% ( 2) 03.3% ( 4) 04.0% ( 2) 05.2% ( 2) 04.0% ( 3) 01.8% ( 5)
                    177        33         22         21         38         48         15
****                01.3% (11) 03.1% ( 7) 01.6% (13) 03.1% ( 7) 01.9% ( 9) 01.2% (11) 00.1% (25)
                    152        31         23         20         34         39         5
[ 9] format-string  02.4% ( 6) 05.2% ( 4) 01.5% (10) 02.3% ( 6) 02.6% ( 5) 02.4% ( 5) 01.6% ( 6)
                    107        23         10         12         19         29         14
****                01.6% ( 9) 02.3% ( 9) 02.0% (11) 03.1% ( 6) 02.3% ( 7) 01.4% ( 9) 00.8% (12)
                    189        23         29         20         42         47         28
[10] crypt          00.8% (15) 01.6% (12) 01.4% (11) 01.1% ( 9) 00.4% (19) 00.4% (16) 00.5% (15)
                    34         7          9          6          3          5          4
****                01.9% ( 8) 04.8% ( 3) 03.3% ( 6) 01.9% ( 9) 01.1% (14) 01.9% ( 7) 01.0% (10)
                    227        48         49         12         19         63         36
[11] priv           02.0% ( 7) 04.1% ( 5) 02.3% ( 6) 00.8% (16) 00.8% (13) 02.6% ( 4) 01.6% ( 7)
                    88         18         15         4          6          31         14
****                01.2% (12) 01.8% (12) 02.1% (10) 01.2% (14) 01.4% (11) 01.1% (12) 00.7% (13)
                    145        18         31         8          26         36         26
[12] metachar       01.2% (10) 02.0% (10) 02.6% ( 5) 00.8% (15) 00.7% (17) 01.3% (12) 00.4% (19)
                    53         9          17         4          5          15         3
****                01.4% (10) 04.6% ( 4) 02.6% ( 7) 00.6% (20) 01.2% (13) 01.3% (10) 00.3% (21)
                    165        46         39         4          21         44         11
[13] perm           01.8% ( 8) 04.1% ( 6) 02.1% ( 7) 01.1% ( 7) 01.1% (10) 01.7% ( 8) 01.4% ( 9)
                    78         18         14         6          8          20         12
****                01.2% (13) 02.1% (10) 01.7% (12) 01.4% (12) 00.9% (15) 00.8% (15) 01.1% ( 9)
                    137        21         25         9          16         28         38
[14] int-overflow   02.7% ( 5) 00.0% N/A  01.2% (12) 02.3% ( 5) 04.6% ( 3) 02.1% ( 6) 04.7% ( 3)
                    119        0          8          12         34         25         40
****                00.3% (22) 00.1% (31) 00.0% N/A  00.6% (18) 00.7% (17) 00.3% (21) 00.3% (17)
                    41         1          0          4          13         11         12
[15] dos-flood      00.6% (18) 02.5% ( 8) 00.6% (18) 00.2% (27) 00.3% (21) 00.3% (26) 00.8% (12)
                    28         11         4          1          2          3          7
****                00.9% (15) 01.8% (11) 02.2% ( 9) 00.8% (17) 01.6% (10) 00.2% (23) 00.3% (18)
                    103        18         32         5          29         7          12
[16] pass           00.5% (21) 00.2% (25) 00.8% (17) 00.2% (26) 00.8% (15) 00.3% (20) 00.5% (17)
                    21         1          5          1          6          4          4
****                00.9% (14) 01.5% (16) 01.5% (14) 00.2% (27) 01.2% (12) 01.0% (14) 00.3% (16)
                    104        15         22         1          22         32         12
[17] auth           00.5% (20) 01.4% (15) 01.1% (14) 00.6% (17) 00.3% (20) 00.3% (23) 00.2% (23)
                    24         6          7          3          2          4          2
****                00.8% (16) 01.6% (13) 01.4% (15) 00.5% (22) 00.8% (16) 00.5% (17) 00.8% (11)
                    100        16         20         3          15         17         29
[18] webroot        00.0% (35) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (28)
                    1          0          0          0          0          0          1
****                00.7% (17) 00.2% (28) 00.3% (26) 00.5% (21) 00.3% (26) 01.0% (13) 01.1% ( 8)
                    87         2          5          3          5          33         39
[19] form-field     00.2% (27) 00.5% (22) 00.3% (26) 00.2% (21) 00.0% N/A  00.4% (18) 00.0% N/A
                    10         2          2          1          0          5          0
****                00.6% (18) 00.8% (20) 01.0% (16) 00.8% (15) 00.3% (23) 00.4% (18) 00.7% (14)
                    71         8          15         5          6          14         23
[20] relpath        00.6% (17) 01.6% (11) 00.3% (25) 00.4% (19) 01.1% ( 8) 00.3% (27) 00.7% (13)
                    28         7          2          2          8          3          6
****                00.4% (20) 00.5% (25) 00.3% (27) 01.2% (13) 00.3% (22) 00.4% (19) 00.2% (22)
                    43         5          4          8          6          12         8
[21] race           01.0% (12) 01.1% (17) 00.9% (16) 00.4% (18) 01.0% (12) 01.6% ( 9) 00.7% (14)
                    45         5          6          2          7          19         6
****                00.2% (27) 00.2% (29) 00.1% (29) 00.8% (16) 00.2% (30) 00.2% (27) 00.1% (24)
                    24         2          2          5          3          7          5
[22] memleak        00.8% (13) 02.0% ( 9) 00.6% (20) 00.8% (13) 01.0% (11) 00.9% (14) 00.2% (25)
                    37         9          4          4          7          11         2
****                00.2% (28) 00.7% (22) 00.1% (33) 00.2% (29) 00.3% (19) 00.1% (30) 00.1% (26)
                    24         7          1          1          6          4          5
[23] msdos-device   00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
                    0          0          0          0          0          0          0
****                00.5% (19) 01.5% (15) 00.9% (17) 01.7% (10) 00.3% (21) 00.3% (22) 00.1% (31)
                    57         15         13         11         6          10         2
[24] crlf           00.2% (24) 00.0% N/A  00.5% (23) 00.2% (25) 00.0% N/A  00.4% (17) 00.2% (24)
                    11         0          3          1          0          5          2
****                00.3% (23) 00.0% N/A  00.1% (34) 00.0% N/A  00.7% (18) 00.4% (20) 00.3% (19)
                    38         0          1          0          13         12         12
[25] spoof          00.2% (25) 00.2% (28) 00.3% (29) 00.0% N/A  00.0% N/A  00.3% (21) 00.5% (16)
                    11         1          2          0          0          4          4
****                00.3% (25) 01.4% (17) 00.3% (25) 00.2% (28) 00.2% (29) 00.2% (25) 00.2% (23)
                    37         14         5          1          3          7          7
[26] default        00.2% (26) 00.2% (26) 00.5% (24) 00.0% N/A  00.1% (22) 00.3% (25) 00.2% (26)
                    10         1          3          0          1          3          2
****                00.3% (24) 01.5% (14) 00.9% (18) 00.2% (26) 00.3% (27) 00.0% N/A  00.1% (29)
                    38         15         13         1          5          0          4
[27] sandbox        00.7% (16) 02.7% ( 7) 02.1% ( 8) 00.0% N/A  00.1% (24) 00.2% (28) 00.0% N/A
                    29         12         14         0          1          2          0
****                00.1% (33) 00.5% (24) 00.5% (20) 00.0% N/A  00.2% (28) 00.0% N/A  00.0% N/A
                    17         5          8          0          4          0          0
[28] rand           00.3% (23) 01.4% (16) 00.5% (22) 00.2% (23) 00.1% (23) 00.0% N/A  00.2% (22)
                    13         6          3          1          1          0          2
****                00.3% (26) 01.1% (18) 00.6% (19) 00.3% (23) 00.2% (32) 00.1% (32) 00.1% (28)
                    32         11         9          2          3          2          5
[29] upload         00.0% (34) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (32) 00.0% N/A
                    1          0          0          0          0          1          0
****                00.4% (21) 00.0% N/A  00.1% (32) 00.2% (30) 00.3% (20) 00.6% (16) 00.4% (15)
                    42         0          1          1          6          21         13
[30] signedness     00.5% (19) 00.2% (24) 00.9% (15) 00.9% (12) 00.4% (18) 00.6% (15) 00.2% (20)
                    24         1          6          5          3          7          2
****                00.1% (35) 00.0% N/A  00.1% (30) 00.6% (19) 00.2% (31) 00.1% (28) 00.0% N/A
                    14         0          2          4          3          5          0
[31] dos-release    00.2% (29) 00.9% (19) 00.3% (30) 00.2% (20) 00.0% N/A  00.0% N/A  00.0% N/A
                    7          4          2          1          0          0          0
****                00.2% (29) 00.9% (19) 00.5% (21) 00.2% (25) 00.3% (25) 00.0% N/A  00.0% N/A
                    23         9          8          1          5          0          0
[32] CF             00.2% (30) 00.9% (18) 00.2% (31) 00.2% (24) 00.0% N/A  00.0% N/A  00.1% (29)
                    7          4          1          1          0          0          1
****                00.2% (30) 00.6% (23) 00.4% (23) 00.2% (24) 00.0% N/A  00.1% (29) 00.1% (27)
                    22         6          6          1          0          4          5
[33] eval-inject    00.1% (31) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.3% (22) 00.2% (21)
                    6          0          0          0          0          4          2
****                00.2% (31) 00.0% N/A  00.0% N/A  00.0% N/A  00.1% (34) 00.2% (26) 00.3% (20)
                    19         0          0          0          1          7          11
[34] design         00.1% (33) 00.2% (23) 00.3% (27) 00.2% (22) 00.0% N/A  00.1% (30) 00.0% N/A
                    5          1          2          1          0          1          0
****                00.2% (32) 00.7% (21) 00.4% (24) 00.0% N/A  00.1% (33) 00.1% (31) 00.1% (32)
                    18         7          6          0          1          2          2
[35] double-free    00.4% (22) 00.0% N/A  00.3% (28) 00.8% (14) 00.8% (14) 00.3% (24) 00.4% (18)
                    19         0          2          4          6          4          3
****                00.0% (37) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% (33) 00.0% (33)
                    2          0          0          0          0          1          1
[36] type-check     00.2% (28) 00.7% (21) 00.6% (21) 00.0% N/A  00.0% N/A  00.1% (31) 00.0% N/A
                    8          3          4          0          0          1          0
****                00.1% (36) 00.3% (27) 00.3% (28) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% (34)
                    8          3          4          0          0          0          1
[37] CSRF           00.0% (36) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (29) 00.0% N/A
                    1          0          0          0          0          1          0
****                00.1% (34) 00.0% N/A  00.1% (31) 00.0% N/A  00.3% (24) 00.2% (24) 00.1% (30)
                    15         0          1          0          5          7          2
-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a unk             16.0% N/A  12.4% N/A  12.6% N/A  10.4% N/A  12.2% N/A  16.1% N/A  27.2% N/A
                    708        55         83         55         90         193        232
****                06.4% N/A  06.0% N/A  04.6% N/A  04.2% N/A  06.6% N/A  06.3% N/A  07.7% N/A
                    752        59         68         27         119        209        270
n/a other           16.4% N/A  15.3% N/A  15.6% N/A  12.0% N/A  12.2% N/A  14.4% N/A  26.6% N/A
                    724        68         103        63         90         173        227
****                14.8% N/A  17.3% N/A  20.6% N/A  11.8% N/A  19.2% N/A  12.6% N/A  12.1% N/A
                    1744       171        304        76         345        422        426
n/a not-specified   14.3% N/A  00.2% N/A  05.9% N/A  26.0% N/A  24.6% N/A  22.2% N/A  00.8% N/A
                    631        1          39         137        181        266        7
****                04.2% N/A  00.1% N/A  01.8% N/A  15.9% N/A  05.8% N/A  07.4% N/A  00.2% N/A
                    490        1          27         103        105        247        7
==================================================
===== Table 4: Open and Closed Source (OS vendors)
==================================================
                    TOTAL      2001       2002       2003       2004       2005       2006
                    ---------- ---------- ---------- ---------- ---------- ---------- ----------
[ 1] buf            19.7% ( 1) 20.3% ( 1) 24.6% ( 1) 25.0% ( 1) 24.5% ( 1) 14.6% ( 1) 17.1% ( 1)
****                20.4% ( 1) 20.3% ( 1) 27.7% ( 1) 26.1% ( 1) 15.3% ( 1) 18.5% ( 1) 16.3% ( 1)
[ 2] link           06.4% ( 2) 14.0% ( 2) 04.8% ( 3) 04.9% ( 2) 08.6% ( 2) 06.1% ( 2) 02.4% ( 5)
****                01.6% ( 6) 01.0% (17) 01.8% ( 9) 03.0% ( 2) 01.9% ( 5) 00.8% ( 7) 01.6% ( 6)
[ 3] dos-malform    02.8% ( 5) 02.7% ( 7) 04.4% ( 4) 02.6% ( 6) 03.5% ( 5) 01.7% ( 8) 03.3% ( 4)
****                05.3% ( 2) 09.2% ( 2) 08.1% ( 2) 02.5% ( 3) 07.3% ( 2) 02.1% ( 3) 03.9% ( 3)
[ 4] XSS            04.6% ( 3) 02.7% ( 8) 05.9% ( 2) 03.0% ( 5) 01.4% (10) 05.5% ( 3) 07.1% ( 2)
****                02.3% ( 3) 00.5% (22) 03.6% ( 4) 02.5% ( 4) 00.8% ( 8) 02.1% ( 4) 03.2% ( 4)
[ 5] format-string  04.0% ( 4) 08.6% ( 3) 02.9% ( 6) 03.0% ( 4) 04.9% ( 3) 03.7% ( 4) 02.4% ( 6)
****                00.8% (16) 01.4% (13) 00.6% (17) 02.0% ( 5) 00.4% (18) 00.8% (10) 00.3% (17)
[ 6] int-overflow   02.6% ( 6) 00.0% N/A  02.2% ( 7) 03.4% ( 3) 04.0% ( 4) 02.2% ( 7) 03.5% ( 3)
****                01.7% ( 5) 00.0% N/A  00.0% N/A  01.0% ( 7) 03.4% ( 3) 00.8% ( 8) 04.2% ( 2)
[ 7] priv           02.3% ( 7) 05.4% ( 4) 01.8% ( 8) 01.5% (12) 01.2% (11) 02.3% ( 5) 02.2% ( 7)
****                01.8% ( 4) 01.9% ( 8) 03.0% ( 6) 00.0% N/A  00.4% (16) 03.4% ( 2) 00.8% (13)
[ 8] perm           02.2% ( 8) 05.4% ( 5) 01.1% (13) 01.9% ( 8) 01.7% ( 7) 02.3% ( 6) 01.4% ( 9)
****                01.6% ( 7) 02.4% ( 6) 03.3% ( 5) 00.5% (11) 00.4% (12) 00.8% (12) 01.8% ( 5)
[ 9] dot            01.5% (10) 00.5% (18) 01.8% ( 9) 01.1% (15) 02.0% ( 6) 01.4% (12) 01.6% ( 8)
****                01.2% (10) 01.9% (10) 00.9% (13) 01.0% ( 9) 01.5% ( 7) 00.5% (18) 01.6% ( 7)
[10] infoleak       01.1% (13) 00.5% (19) 01.5% (12) 01.1% (13) 01.2% (12) 01.0% (14) 01.4% (10)
****                01.1% (13) 01.4% (12) 00.9% (12) 01.0% ( 8) 00.4% (17) 01.6% ( 5) 01.1% (10)
[11] metachar       01.5% ( 9) 03.2% ( 6) 02.9% ( 5) 01.5% (11) 00.6% (15) 01.4% (11) 00.5% (15)
****                00.5% (18) 01.0% (18) 01.2% (11) 00.0% N/A  00.4% (14) 00.5% (15) 00.0% N/A
[12] race           01.4% (11) 02.3% ( 9) 01.8% (10) 00.4% (19) 01.7% ( 8) 01.6% ( 9) 00.8% (13)
****                00.3% (24) 00.0% N/A  00.0% N/A  00.5% (10) 00.0% N/A  00.8% (14) 00.3% (21)
[13] sql-inject     01.2% (12) 00.5% (21) 00.7% (18) 01.9% ( 9) 00.9% (13) 01.6% (10) 01.4% (11)
****                00.4% (19) 00.0% N/A  00.6% (18) 00.5% (20) 00.4% (13) 00.0% N/A  00.8% (14)
[14] memleak        00.9% (14) 00.0% N/A  00.7% (16) 01.1% (14) 01.4% ( 9) 01.2% (13) 00.3% (24)
****                00.9% (15) 04.3% ( 4) 00.3% (19) 00.5% (12) 00.0% N/A  00.8% (13) 00.3% (19)
[15] crypt          00.7% (16) 01.8% (11) 00.7% (15) 01.9% ( 7) 00.0% N/A  00.4% (18) 00.3% (21)
****                00.9% (14) 01.0% (16) 02.1% ( 7) 00.0% N/A  00.8% (11) 00.5% (16) 00.5% (15)
[16] sandbox        00.2% (26) 00.5% (15) 00.0% N/A  00.0% N/A  00.3% (20) 00.3% (23) 00.0% N/A
****                01.4% ( 8) 05.3% ( 3) 04.2% ( 3) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[17] dos-flood      00.3% (21) 01.4% (12) 00.4% (24) 00.0% N/A  00.0% N/A  00.3% (24) 00.0% N/A
****                01.1% (11) 03.9% ( 5) 00.9% (14) 00.5% (14) 00.8% ( 9) 00.3% (19) 01.3% ( 8)
[18] relpath        00.6% (17) 01.8% (10) 00.7% (17) 00.4% (18) 00.3% (16) 00.4% (19) 00.5% (18)
****                00.7% (17) 01.4% (14) 00.0% N/A  00.5% (13) 01.9% ( 6) 00.0% N/A  01.1% (12)
[19] auth           00.1% (28) 00.5% (16) 00.0% N/A  00.0% N/A  00.3% (17) 00.0% N/A  00.3% (20)
****                01.2% ( 9) 02.4% ( 7) 02.1% ( 8) 01.5% ( 6) 00.4% (15) 01.0% ( 6) 00.3% (18)
[20] pass           00.0% (32) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (28) 00.0% N/A
****                01.1% (12) 00.5% (20) 01.5% (10) 00.5% (16) 02.3% ( 4) 00.8% (11) 01.1% ( 9)
[21] signedness     00.8% (15) 00.5% (17) 01.8% (11) 01.5% (10) 00.3% (19) 00.6% (17) 00.5% (16)
****                00.2% (29) 00.0% N/A  00.0% N/A  00.5% (17) 00.0% N/A  00.5% (17) 00.0% N/A
[22] double-free    00.6% (18) 00.0% N/A  00.4% (22) 01.1% (16) 00.9% (14) 00.3% (25) 00.8% (12)
****                00.2% (28) 00.0% N/A  00.0% N/A  00.5% (19) 00.8% (10) 00.3% (21) 00.0% N/A
[23] spoof          00.2% (23) 00.0% N/A  00.7% (20) 00.0% N/A  00.0% N/A  00.4% (21) 00.0% N/A
****                00.3% (22) 00.5% (23) 00.0% N/A  00.0% N/A  00.0% N/A  00.3% (20) 01.1% (11)
[24] form-field     00.4% (20) 00.5% (20) 00.7% (19) 00.4% (20) 00.0% N/A  00.7% (16) 00.0% N/A
****                00.1% (31) 00.5% (21) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[25] crlf           00.5% (19) 00.0% N/A  01.1% (14) 00.0% N/A  00.0% N/A  00.7% (15) 00.5% (17)
****                00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[26] rand           00.2% (22) 00.9% (13) 00.4% (21) 00.4% (17) 00.0% N/A  00.0% N/A  00.3% (22)
****                00.3% (23) 01.9% ( 9) 00.3% (22) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[27] default        00.1% (29) 00.0% N/A  00.0% N/A  00.0% N/A  00.3% (18) 00.0% N/A  00.3% (23)
****                00.4% (20) 00.5% (24) 00.6% (16) 00.0% N/A  00.0% N/A  00.8% ( 9) 00.3% (16)
[28] dos-release    00.1% (27) 00.5% (22) 00.4% (23) 00.4% (21) 00.0% N/A  00.0% N/A  00.0% N/A
****                00.2% (27) 01.4% (11) 00.3% (21) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[29] type-check     00.0% (34) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (26) 00.0% N/A
****                00.3% (21) 01.4% (15) 00.9% (15) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[30] CF             00.1% (30) 00.9% (14) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
****                00.2% (26) 01.0% (19) 00.0% N/A  00.5% (18) 00.0% N/A  00.0% N/A  00.3% (22)
[31] eval-inject    00.2% (24) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.4% (20) 00.5% (14)
****                00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[32] php-include    00.2% (25) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.4% (22) 00.3% (19)
****                00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[33] design         00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
****                00.2% (25) 00.5% (25) 00.3% (20) 00.5% (15) 00.0% N/A  00.3% (22) 00.0% N/A
[34] webroot        00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
****                00.1% (30) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.3% (20)
[35] upload         00.0% (33) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (29) 00.0% N/A
****                00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
[36] CSRF           00.0% (31) 00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.1% (27) 00.0% N/A
****                00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A  00.0% N/A
-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a unk             09.7% N/A  12.2% N/A  10.3% N/A  04.5% N/A  07.8% N/A  11.5% N/A  10.1% N/A
****                25.7% N/A  13.0% N/A  15.7% N/A  20.1% N/A  23.0% N/A  26.9% N/A  45.0% N/A
n/a other           19.3% N/A  13.1% N/A  20.6% N/A  15.7% N/A  10.4% N/A  15.9% N/A  39.4% N/A
****                12.4% N/A  18.8% N/A  12.7% N/A  05.0% N/A  14.9% N/A  10.7% N/A  12.4% N/A
n/a not-specified   13.4% N/A  00.0% N/A  04.4% N/A  21.6% N/A  21.9% N/A  20.5% N/A  00.8% N/A
****                13.2% N/A  00.5% N/A  06.3% N/A  28.6% N/A  22.6% N/A  24.3% N/A  00.5% N/A
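Working with the trend tables programmatically: the following is an added example, not code from the report or from CVE/CWE, that parses rows in the layout of Tables 1-4, recomputes each printed percentage from the raw count and the column total given in the Table 1 header, and checks that "N/A" appears exactly where the count is zero and that ranks follow the counts. The sample rows are copied from Table 1; the function names and the 0.05-point rounding tolerance are my own.

```python
"""Parse the "[N] type" rows of Tables 1-4 and check them for consistency.
Added example, not code from the report. Rows (Tables 1-3): a label line
"[pos] type" with one "pct% (rank)" or "pct% N/A" cell per column (TOTAL,
then 2001..2006), followed by a line of raw counts. Table 4 has no count
line; the "****" and "n/a" rows are skipped.
"""
import re
from dataclasses import dataclass, field

COLUMNS = ["TOTAL", "2001", "2002", "2003", "2004", "2005", "2006"]

# Column totals as printed in the Table 1 header "(16192) (1434) ...".
TABLE1_TOTALS = [16192, 1434, 2138, 1173, 2534, 4538, 4375]

# Constructed sample: three rows copied from Table 1 in the report's layout.
SAMPLE_ROWS = """\
[ 1] XSS            13.9% ( 1) 02.2% (11) 08.7% ( 2) 07.5% ( 2) 10.9% ( 2) 16.0% ( 1) 21.5% ( 1)
                    2247       32         187        88         276        725        939
[ 2] buf            13.3% ( 2) 19.5% ( 1) 20.3% ( 1) 22.5% ( 1) 15.4% ( 1) 09.8% ( 3) 07.9% ( 4)
                    2156       279        433        264        391        445        344
[24] crlf           00.3% (24) 00.0% N/A  00.2% (33) 00.1% (30) 00.5% (20) 00.4% (21) 00.3% (19)
                    49         0          4          1          13         17         14
"""

LABEL_RE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)")
CELL_RE = re.compile(r"(\d{2}\.\d)%\s+(?:\(\s*(\d+)\)|N/A)")
COUNT_RE = re.compile(r"^\s*\d+(?:\s+\d+)*\s*$")


@dataclass
class Row:
    position: int          # the [N] list position
    name: str              # flaw type, e.g. "XSS"
    cells: list            # (percentage, rank) per column; rank None means N/A
    counts: list = field(default_factory=list)  # raw counts; empty for Table 4


def parse_rows(text):
    """Turn label lines (plus an optional following count line) into Rows."""
    rows = []
    for line in text.splitlines():
        label = LABEL_RE.match(line)
        if label:
            cells = [(float(p), int(r) if r else None)
                     for p, r in CELL_RE.findall(line)]
            if len(cells) != len(COLUMNS):
                raise ValueError(f"expected {len(COLUMNS)} cells: {line!r}")
            rows.append(Row(int(label.group(1)), label.group(2), cells))
        elif rows and not rows[-1].counts and COUNT_RE.match(line):
            counts = [int(x) for x in line.split()]
            if len(counts) != len(COLUMNS):
                raise ValueError(f"expected {len(COLUMNS)} counts: {line!r}")
            rows[-1].counts = counts
    return rows


def percentage_mismatches(rows, totals, tol=0.05):
    """Cells whose printed percentage is not count/total rounded to 0.1%."""
    bad = []
    for row in rows:
        for col, ((pct, _), count) in enumerate(zip(row.cells, row.counts)):
            if abs(100.0 * count / totals[col] - pct) > tol + 1e-9:
                bad.append((row.name, COLUMNS[col], pct, count))
    return bad


def na_mismatches(rows):
    """Cells where an N/A rank and a zero count disagree (N/A iff count == 0)."""
    return [(row.name, COLUMNS[col])
            for row in rows
            for col, ((_, rank), count) in enumerate(zip(row.cells, row.counts))
            if (rank is None) != (count == 0)]


def rank_inconsistencies(rows):
    """Pairs where a strictly larger count was given a worse (higher) rank."""
    bad = []
    for col in range(len(COLUMNS)):
        ranked = [(r.counts[col], r.cells[col][1], r.name)
                  for r in rows if r.counts and r.cells[col][1] is not None]
        for count_a, rank_a, name_a in ranked:
            for count_b, rank_b, name_b in ranked:
                if count_a > count_b and rank_a > rank_b:
                    bad.append((COLUMNS[col], name_a, name_b))
    return bad
```

Feeding a whole table to `parse_rows` and running the three checks over it is how to confirm that the percentages were rounded from the counts shown rather than computed against some other denominator; ties in count (two types with the same count and adjacent ranks) are not reported.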