Reporting Status of Vulnerability-related Information about Software Products and Websites

Transcription

1 Reporting Status of Vulnerability- Information about Software Products and Websites - 3 rd Quarter of 218 (July - September) - Information-technology Promotion Agency, Japan (IPA) and Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), initiated to handle in July, 4, pursuant to the Rules for Handling Software Vulnerability Information and Others (Directive #19, 217) by the Ministry of Economy, Trade and Industry (METI). With the authority given by the Directive, IPA has been collecting reports on the following : 1: Vulnerability- Information about Software Products: Vulnerabilities against client Software such as OS and browser, server Software such as Web server, Software embedded in hardware such as IC card, and so on. Other than vulnerability itself, on verification methods, attacking methods and workarounds are also accepted. IPA will notify these to JPCERT/CC and then JPCERT/CC will communicate those to concerned organizations such as domestic product vendors. 2: Vulnerability- Information about Websites (Web Applications): Vulnerabilities against Websites which provide services to the public through the Internet. IPA will notify such to Website managers to prompt modification. Vulnerability of Software Products Collecting response status, coordinating announcement date, etc. Reports on Notify IPA JPCERT/CC [ Reporting [ Coordination ] Point ] - Determining - Content announcement confirmation date, of the reported collaborating with overseas coordination institutions, etc. Finder [ Analysis ] - Verification of the reported vulnerability Reports on - vulnerability AIST [ Analysis Support ] Notification of vulnerability IPA, JPCERT/CC Countermeasure Information Portal Site (JVN) Software Vendors, etc. Security Promotion Realizing security measures Distribution, etc. Announcement of System Countermeasures Integrato, etc. rs, etc. Necessary Website Manager is to be provided - Verification and in case of Countermeasure personal Implementation leakage Users - Government - Companies - Individuals Vulnerability of Websites Effect Expected: 1. Encourage vendors and Website managers to implement countermeasures against vulnerabilities. 2. Prevent vulnerabilities from being carelessly publicized or left unsolved. 3. Prevent important, such as personal, from being disclosed and/or critical systems from being shut down. Information Security Early Warning Partnership (Framework for Handling Vulnerability- Information) Source: Handouts from explanatory session on handling (General introduction to the standards for handling Software and its guidelines) by the Ministry of Economy, Trade and Industry

2 Quarterly Reported Number Cumulative Number Reported The statistics for the 3rd Quarter of 218 (July - September) from the data collected under the framework is summarized as follows. 1. Reported Number and Handling Status of Reports: The total number of reported to IPA from July 1 to September 3, 218 was 177: 114 of them were about Software products and the rest of 63 were about Websites. The cumulative number of reports made to IPA since the framework started (July 8, 4) was 13998: 4169 of them were about Software products and the rest of 9829 were about Websites. The Chart 1-1 shows the reporting status for respective quarters. Reported Number/Business Day 4Q/216 1Q/217 2Q/217 3Q/217 4Q/217 1Q/218 2Q/218 3Q/ Q 215 Report for Software Products Cumulative for Software Products 1Q Report for Websites Cumulative for Websites Chart 1-1: Quarterly Number of Vulnerability- Information 2Q 51 3Q The Chart 1-2 shows the processing status of reports on the as of the end of September, 218. As for Software products, 51% (1872) of the reports being accepted as vulnerability (372) have been fixed and publicized. As for Websites, 76% (7298) of the reports being accepted as vulnerability (9583) have been fixed. 372 Software Products Publicized, 1872 Handing, 1697 Not Accepted 467 Vendor-Handled,39 Non Vulnerability, Publicized Vendor-Handled Non Vulnerability Handling Not Accepted : Vulnerability which has been publicized with vendor's responding status on JVN : Vulnerability which has been informed to each user by vender individually : Vulnerability which has been determined not to be vulnerability by vendor : Vulnerability which is being studied/handled by vendor : Vulnerability which is outside the scope defined by the Directive of METI 9583 Non Vulnerability, 69 Not Accepted, 246 Website Fixed, 7298 Securty Alert, Unable to Handle, 24 Handling, Fixed Security Alert Non Vulnerability Unable to handle Handling Not Accepted : Vulnerability fixed by Website manager : Handling was called off after countermeasure against the vulnerability is urged widely with the Security Alert by IPA : Vulnerability which has been determined not a vulnerability by Website manager : It is not possible to contact the Website manager. Website manager decided not to fix : Vulnerability which is being studied/handled by Website manager : Vulnerability which is outside the scope defined by the Directive of METI Chart 1-2: Processing Status of Reporting for Vulnerability- Information (As of the end of September, 218)

3 2. Handling of Vulnerability- Information on Software Products and its Coordination: The total number of to vulnerabilities in Software Products reported to IPA since the framework started in July 8, 4, was The Chart 2-1 shows the breakdown of 1638 of publicized vulnerabilities, and the Chart 2-2 shows the breakdown of 372 reports ( 4169 minus Not Accepted 467). The vulnerabilities are organized according to their severity, determined by the Common Vulnerability Scoring System (CVSS v2) standard. The scale of low, medium, and high severity corresponds to the following scores: Low - Vulnerabilities will be labeled the Low severity if they have a CVSS base score of Medium - Vulnerabilities will be labeled the Medium severity if they have a CVSS base score of High - Vulnerabilities will be labeled the High severity if they have a CVSS base score of The most reported type of software was Web application and subsequently followed by Web Browser and those listed below. 16% Web Application 2% 2% 5% 7% (7%) 8% (8%) 45% (45%) Smartphone Application Routers Groupware Development/Runtime Web Browser Smart home appliance File Management Software OS System Adm. Software in this graph includes Software for Database, etc. (Breakdown of 372: Numbers in parenthesis are for the previous quarter) Chart 2-2: Breakdown of the Vulnerabilities in Software Products (from July 8, 4 to the end of September, 218) The Chart 2-3 shows the time required for the announcement of vulnerabilities in Software products. 29% of the reports was addressed within 45 from its initial reporting to announcement. 29% Low Medium High Chart 2-1 : Severity of Vulnerabilities in Software Products on JVN Several reports may be summarized in one on JVN. (from Initial Acceptance to the end of September, 218) Chart 2-3: Time Required for the Announcement of Vulnerabilities in Software Products In this Quarter, 31 vulnerabilities were announced.

4 3. Handling of Vulnerability- Information on Websites: The number of to vulnerabilities in websites reported to IPA since the framework started in July 8, 4, was Removing those not accepted as vulnerabilities, the total number of the vulnerabilities was Chart 3-1 shows the breakdown of the vulnerabilities and Chart 3-2 shows the quarterly shift in their proportion found in last two years. As for the type of vulnerabilities, Cross-site Scripting, Lamed DNS zone and SQL Injection account for 8% of the entire vulnerabilities. 2% 12% Cross-site Scripting Lamed DNS zone SQL Injection 11% (12%) 55% (55%) Directory Traversal Unintended file disclosure Inadvisability HTTPS handle 1 (1) - Breakdown of 9583: Numbers in the parenthesis are for the previous quarter Chart 3-1: Breakdown of Vulnerabilities in Websites by Type (from July 8 4, to the end of September, 218) Inadvisability HTTPS handle Unintended file disclosure Directory Traversal SQL Injection Lamed DNS zone Cross-site Scripting Q 216 1Q Chart 3-2: Shift in Number of Vulnerabilities in Websites by Type (from October 1 216, to the End of September, 218) 2Q 3Q

5 The Chart 3-3 and 3-4 show the time required to fix vulnerabilities by type after notification of detailed of the vulnerabilities to Website managers. 66% of vulnerabilities reported was fixed within % 1 (429) Mail third party relay (46) OS Command Injection (84) Insufficient Session Management (91) Improper Authentication (13) HTTP Response Splitting (14) Unintended file disclosure (194) Directory Traversal (213) Lamed DNS Zone (548) SQL Injection (887) Cross-site Scripting (4599) On the Day 1day >3 Chart 3-3: Time Required to Fix Vulnerabilities in Websites Cross-site Scripting (4599) SQL Injection (887) Lamed DNS Zone (548) Directory Traversal (213) Unintended file disclosure (194) HTTP Response Splitting (14) Improper Authentication (13) Insufficient Session Management (91) OS Command Injection (84) Mail third party relay (46) (429) % 2% 6% 8% 1% > 3 Chart 3-4: Time Required to Fix Vulnerabilities in Websites by Type Contact IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC) Tel : +81-() Fax : +81-()