Software vulnerabilities are regard as the most critical vulnerabilities due to its impact and availability as compared to hardware and network vulnerabilities. Throughout the years from the first appearance of software vulnerabilities in late 80s until today, there are many identified and classified software vulnerabilities such as the well-known buffer overflow, scripting and SQL command. We studied on those known software vulnerabilities, compared the criticality, impact and significant of the vulnerabilities, and further predicted the trend of the vulnerabilities and proposed the focus area based on the comparative studies. The result shows that C overflow vulnerabilities will continue to persist despite losing its dominance in terms of numbers of availability and exploitation. However, the impact of exploiting the C overflow vulnerabilities is still regard as the most critical as compare to others. Therefore, C overflow vulnerabilities will prevail again and continues its domination as it did for the past two decades.

1. Vulnerabilities and Exploitation
in Computer System
- Past, Present and Future
03 September 2013 @ 27 Syawal 1434H
Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan
SISKOM 2013
Faculty of Computer and Mathematical Sciences
UiTM Shah Alam, Selangor, Malaysia

2. Presentation Outline
1. Introduction
2. Quantitative Studies on Known Software Vulnerabilities
3. Impact Analysis
4. The Prediction
5. Conclusion

3. Introduction
Vulnerabilities in
Computer System
Hardware
vulnerabilities
Software
vulnerabilities

4. Introduction
Software
Vulnerabilities
Flaws in software /
codes
System to behave
abnormal
Unintentionally
triggered by user
Exploit by hackers
Definition (Stoneburner et al., 2002,
OWASP Org., 2013, Kaspersky Lab,
2013)
What is?
Impact?
Cause by Cause by
Root Cause
Improper Process
Poor Design
Programming
errors/mistake
Biezer, 1990 and
Piessens, 2002
Alhazmi et al., 2006,
Howard et al., 1998, Krsul,
1998, Longstaff et al. 1997,
Moore, 2007, Vipindeep et
al., 2005
Ahmad et al. 2011

5. Introduction
Programming errors/mistake Ahmad et al. 2011
Limitation in Programming
Language
Incompetence
programmers/software
engineers
Cause by
Exploitation
Impact
1. 1990 - Morris Worm (One, 1996)
2. Poland Train crash (Baker et al. 2008)
3. Iran nuclear attack (Chen 2011)
4. Toyota brake failure (Carty, 2010)
Etc.

6. Summary
• Quantitatively studies on known software vulnerabilities
• Share the criticality and significances of the identified
vulnerabilities
• Predict the future
Scope
1. Limited to quantity based on reported vulnerabilities
2. Limited to four classes-SQLi, XSS, Java, and C/C++
Introduction

7. Quantitative Studies on Known
Software Vulnerabilities
1. Software vulnerabilities was detected since programming exist
2. The first unintended exploitation happens in late 80s
3. Microsoft introduce SDL starting from 2002
4. Program Analysis (static and dynamic analysis), Anti-virus, etc
introduced as early as 1994 (Wagner)
5. Vulnerabilities still at large and exploitation increase exponentially
with vulnerabilities.
19 well-known online vulnerability databases and organization
1. Microsoft Corporation
2. Homeland Security
3. NIST
4. OSVDB
5. OWASP
6. SANS Institutes
7. CSM
etc.

8. Quantitative Studies on Known
Software Vulnerabilities
0
1000
2000
3000
4000
5000
6000
7000
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
No. of Vulnerabilities By Year
No. of Vulnerabilities
Source: National Institute of Standards and Technology (NIST)Source: Open-Source Vulnerabilities Database (OSVDB)

9. Quantitative Studies on Known
Software Vulnerabilities
Other Scary Facts
1. > 2000 vulnerabilities identified per year
2. 20% is constantly C/C++ overflow vulnerabilities
3. 40% ranked with severity 7.0 to 10.0
4. SANS Institute continues release same classes of vulnerabilities in its top 25 Software errors
since 2002
5. A single vulnerability if exploitable can cause huge impact
6. Symantec reported 42% increase in exploitation and an increase of ~50% of web attack
7. Some of latest attack still used old identified vulnerabilities (Kaspersky Lab)

10. Impact Analysis
Fantastic Four
SQLi XSS
Java
C/C++ overflow
•95% has CVSS 4.0 – 6.9
•Severity between low -
medium
•70% has CVSS 4.0 – 6.9
•Severity between low -
medium
•85% has CVSS 7.0 – 10
•Severity is high
•60% has CVSS 7.0 – 10
•Severity is high
•Security bypass
•Gain control / steal user
identity (depending on
user privileges
•Security bypass
•Gain control / steal user
identity (depending on
user privileges
•With overflow vulnerabilities – access/control can be gain
without used of user privileges
•System malfunctions, accident, control system, etc
(McGraw, 2013, Baker et al. , 2008, and Chen, 2010)

11. Impact Analysis
•Windows-based OS – 90%
•30% is Windows XP
•Most mobile OS used is Android (> 60% market shares)
Market shares
•Used of Microsoft IE reduce possibility of being hacked
•Safari (by Apple) and Chrome (runs on Android based mobile)
increase the risk of being attacked
Browser used
•Only XSS, SQLi, and Java vulnerabilities is affected and shall
increase the risk of being exploited
Rise of online
applications
•Java – has built in security (JVM)
•XSS and SQLi vulnerabilities is input related
•C/C++ has no perfect defense
Detection/Prevention
Mechanism

12. The Prediction
The Famous Four will remains for
another decades
C/C++ will prevail again

13. Conclusion
• There are many sites support hackers
– Shodan, Rapid7, Offensive Security and SecurityVuln
• Old vulnerabilities is still relevant (Kaspersky Lab)
• Compare to other classes of vulnerabilities, C/C++
is the most dangerous
• Vulnerabilities and exploitations in computer
systems will persist to exist
• C/C++ overflow vulnerabilities will regain its
domination

14. References
1. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2010a). Preventing Exploitation on Software Vulnerabilities: Why Most Static Analysis Is
Ineffective? Conferences on Engineering and Technology Education. Kuching: World Engineering Congress.
2. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011). Taxonomy of C Overflow Vulnerabilities Attack. In Z. Jasni Mohamad, W. Mohd, & E.-
Q. Eyas (Ed.), International Conferences on Software Engineering and Computer Systems. 180, pp. 376 - 390. Kuantan, Pahang: Springer.
3. Ahmad, N. H., Aljunid, S. A., & Ab Manan, J.-l. (2011c). Understanding Vulnerabilities by Refining Taxonomy. 7th International Conference on
Information Assurance and Security (IAS) (pp. 25 - 29). Melaka: IEEE Computer Society.
4. Alhazmi, H. O. (2005). Quantitative vulnerability assessment of systems software. Annual Proceedings of Reliability and Maintainability
Symposium (pp. 615 - 620). IEEE.
5. Alhazmi, O. H., Woo, S. W., & Malaiya, Y. K. (2006). Security Vulnerability Categories in Major Software Systems. 3rd IASTED International
Conference on Communication, Network, and Information Security (CNIS), (pp. 138 - 143).
6. Aslam, T. (1995). A Taxonomy of Security Faults in the UNIX Operating System. MSc Thesis, Department of Computer Sciences, Purdue
University.
7. Baker, & Graeme. (2008, January 11). Schoolboy hacks into city's tram system. Retrieved November 17, 2011, from The Telegraph:
http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html
8. Beizer, B. (1990). Software Testing Technique (2nd Edition ed.). New York, USA: Van Nostrand Reinhold Co.
9. Carty, D. (2010, February 3). Apple's Wozniak: Toyota Has Software Problem. (CBS Interactive Inc) Retrieved November 18, 2011, from CBS
News: http://www.cbsnews.com/8301-503983_162-6169804-503983.html
10. Cenzic Inc. (2013). Resources - Application Security Papers. Retrieved August 09, 2013, from CENZIC:
http://www.cenzic.com/resources/application-security-papers/
11. Chen, T. M. (2010). Stuxnet, the Real Start of Cyber Warfare. IEEE Network , 24 (6), 2 - 3.
12. CISCO. (2013). Cisco Security Report. Retrieved August 09, 2013, from Cisco:
http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
13. Critical Patch Updates, Security Alerts and Third Party Bulletin. (2013). Retrieved August 09, 2013, from Oracle Technology Network:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
14. CyberSecurity Malaysia. (2013). e-Security Bulleting. Retrieved August 09, 2013, from CyberSecurity Malaysia:
http://www.cybersecurity.my/en/knowledge_bank/bulletin/content/main/detail/182/index.html?mytabsmenu=2
15. Department of Homeland Security. (2013). US-CERT. Retrieved August 09, 2013, from US-CERT (United States Computer Emergency
Readiness Team): http://www.us-cert.gov/
16. Fritzinger, S. J., & Mueller, M. (1996). Java™ Security. White paper, Sun Microsystems, Inc.

15. References
17. Hewlett-Packard Development Company. (2013). Resource Center. Retrieved August 09, 2013, from HP Enterprise Security:
http://www.hpenterprisesecurity.com/news/resource-center
18. Howard, J. D., & Longstaff, T. A. (1998). A Common Language for Computer Security Incidents. Sandia Technical Report, Sandia National
Laboratories, Sandia Corporation.
19. Howard, M., LeBlanc, D., & Viega, J. (2010). 24 Deadly Sins of Software Security - Programming Flaws and How to Fix Them. McGraw-Hill.
20. IBM X-Force. (2013). IBM X-Force Annual Trend and Risk Report. Retrieved August 09, 2013, from IBM X-Force: http://www-
03.ibm.com/security/xforce/downloads.html
21. iMPERVA. (2013). Imperva Web Application Attack Report. iMPERVA.
22. IT Security Research Group. (2013). Map Honeynet. Retrieved August 09, 2013, from The Honeynet Project: http://map.honeynet.org/
23. Johnson, S. (2013, August 07). FortiGuard Labs sees fast rise of mobile malware in 2013. (TechTarget) Retrieved August 09, 2013, from
SearchSecurity: http://searchsecurity.techtarget.com/news/2240203220/FortiGuard-Labs-sees-fast-rise-of-mobile-malware-in-
2013?asrc=EM_ERU_22893730&utm_medium=EM&utm_source=ERU&utm_campaign=20130808_ERU%20Transmission%20for%2008/08
/2013%20(UserUniverse:%20551200)_myka-rep
24. Kaspersky Lab. (2013b). Analysis. Retrieved August 09, 2013, from SECURELIST: http://www.securelist.com/en/analysis?genre=1
25. Kaspersky Lab. (2013). Kaspersky Security Bulletin 2012. The overall statistics for 2012. Retrieved August 09, 2013, from SECURELIST:
http://www.securelist.com/en/analysis/204792255/
26. Kaspersky Lab. (2013a). Software vulnerabilities. Retrieved August 09, 2013a, from SECURELIST:
http://www.securelist.com/en/threats/vulnerabilities?chapter=35
27. Krsul, I. V. (1998). Software Vulnerability Analysis. Phd Thesis, Purdue University.
28. Lipner, S. (2013, May 14). The time is now. Security Development Must be a Priority for Everyone. Retrieved August 09, 2013, from
Microsoft Trustworthy Computing: http://blogs.technet.com/b/trustworthycomputing/archive/2013/05/08/security-development-
conference-2013.aspx
29. Longstaff, T. A., Ellis, J. T., Hernan, S. V., Lipson, H. F., McMillan, R. D., Pesante, L. H., et al. (1997). Security of the Internet. (M. Dekker, Ed.)
The Froehlich/Kent Encyclopedia of Telecommunications , 15, pp. 231 - 255.
30. McGraw, G. (2013, August 09). Five major technology trends affecting software security assurance. Retrieved August 11, 2013, from
SearchSecurity.com: http://searchsecurity.techtarget.com/opinion/Five-major-technology-trends-affecting-software-security-assurance
31. Microsoft Corporation. (2002, January 15). Memo from Bill Gates. Retrieved 2010, from Microsoft News Center:
http://www.microsoft.com/en-us/news/features/2012/jan12/gatesmemo.aspx
32. Microsoft Corporation. (2013b). Microsoft Security Advisories. Retrieved August 09, 2013b, from Security TechCenter:
http://technet.microsoft.com/en-us/security/advisory/

16. References
33. Microsoft Corporation. (2013a). What is the Security Development Lifecycle? Retrieved August 09, 2013a, from Microsoft Security
Development Lifecycle: http://www.microsoft.com/security/sdl/default.aspx
34. MITRE Corporation. (2011). Common Vulnerabilities And Exposures. Retrieved November 15, 2011, from CVE - Format String:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Format+String
35. Moore, H. D. (2007). Exploiting Vulnerabilities. Presentation Slide, Secure Application Development (Secappdev.org).
36. National Institute of Standards and Technology (NIST). (2013). CVE and CCE Statistics Query Page. Retrieved August 09, 2013, from National
Vulnerability Database (NVD): http://web.nvd.nist.gov/view/vuln/statistics
37. Net Applications.com. (2013b). Desktop Browser Market Share. Retrieved August 11, 2013b, from NETMARKETSHARE:
http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
38. Net Applications.com. (2013). Desktop Operating System Market Share. Retrieved August 10, 2013, from NETMARKETSHARE:
http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
39. Offensive Security. (2013). Retrieved from Exploit Database: http://www.exploit-db.com/
40. One, A. (1996). Smashing the Stacks for Fun and Profit. Phrack Magazine , 7 (49).
41. Open Sourced Vulnerability Database (OSVDB). (2013). Open Sourced Vulnerability Database. Retrieved August 09, 2013, from OSVDB:
http://osvdb.org/
42. Oracle Corporation. (2012). Java SE Security. Retrieved January 10, 2012, from ORACLE:
http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
43. Oracle Corporation. (2010). Secure Computing with Java: Now and the Future. Retrieved January 10, 2012, from ORACLE - Sun Developer
Network (SDN): http://java.sun.com/security/javaone97-whitepaper.html
44. Oracle FAQ. (2012, January 2). Oracle Corporation. Retrieved January 10, 2012, from Oracle FAQ:
http://www.orafaq.com/wiki/Oracle_Corporation
45. OWASP Organization. (2013). Category: Vulnerability. Retrieved August 09, 2013, from OWASP - The Open Web Applications Security
Project: https://www.owasp.org/index.php/Category:Vulnerability
46. Passeri, P. (2013). 2012 Cyber Attack Statistics. Retrieved August 09, 2013, from Hackmageddon.com: http://hackmageddon.com/2012-
cyber-attacks-statistics-master-index/
47. Pierluigi, P. (2013). Security Affairs. Retrieved August 09, 2013, from Security Affairs: http://securityaffairs.co/wordpress/
48. Piessens, F. (2002). A Taxonomy (with Examples) of Causes of Software Vulnerabilities in Internet Software. Technical Report, Katholieke
Universiteit Leuven, Department of Computer Science.
49. Positive Research. (2012). Vulnerability Statistics for 2011. Positive Technologies.
50. Rapid7. (2013). Vulnerability and Exploit Database. Retrieved August 09, 2013, from Rapid7: http://www.rapid7.com/db/modules/

17. References
51. Rashid, F. Y. (2013, May 15). Microsoft Talks Secure Coding Practices, Standards at Security Development Conference. Retrieved August
09, 2013, from SECURITYWEEK: http://www.securityweek.com/microsoft-talks-secure-coding-practices-standards-security-development-
conference
52. Red Hat Inc. (2013). Red Hat vulnerabilities by CVE name. Retrieved August 09, 2013, from redhat: https://access.redhat.com/security/cve/
53. SANS Institute. (2013). CWE/SANS TOP 25 Most Dangerous Software Errors. Retrieved August 09, 2013, from http://www.sans.org/top25-
software-errors/
54. Secunia. (2013). Advisories. Retrieved August 09, 2013, from Secunia: http://secunia.com/community/advisories/historic/
55. SecurityVulns. (2013). Retrieved August 09, 2013, from Computer Security Vulnerabilities: http://securityvulns.com/
56. SHODAN. (2013). Expose Online Devices. Retrieved August 09, 2013, from SHODAN: http://www.shodanhq.com/
57. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems – Recommendation of the
National Institute of Standard and Technology (Special Publications). National Institute of Standard and Technology (NIST).
58. Symantec Corporation. (2013). Internet Security Threat Report 2013 Volume 18. Symantec Corporation.
59. Symantec Corporation. (2013). Security Response Publications. Retrieved August 09, 2013, from Symantec:
http://www.symantec.com/security_response/publications/threatreport.jsp
60. Vipindeep, V., & Jalote, P. (2005). List of Common Bugs and Programming Practices to avoid them. Technical Report, Indian Institute of
Technology, Kanpur.
61.

18. THANK YOU
Nurul Haszeli Ahmad, Syed Ahmad Aljunid, Jamalul-lail Ab Manan
Email: masteramuk@yahoo.com / masteramuk@hotmail.com
Twitter/LinkedIn: masteramuk / Nurul Haszeli
Website: http://malaysiandeveloper.blogspot.com