A Stirring Giant

5:08 PM -- The sleeping giant may finally be awakening. (See CSRF Bug Runs Rampant.)

Calyptix Security's discovery of cross-site request forgery (CSRF) bugs in eight (yes, eight) security vendors' products is a bit unnerving, but it shouldn't really be surprising. Web app security experts have warned that this elusive threat has been embedded for some time in most every Web interface, and not just the one on your Website.

The scariest part is, save for Check Point, how unresponsive the security vendors were so far with Calyptix. Sure, you can cut them some slack for possibly not having much of a process in place for handling vulnerability reports on their own products. When they are reporting bugs in their competitors' wares, it's no problem, of course, but that's another story. And there's always that tricky balance of checking out the report and carefully patching it without scaring off customers or suffering some bad PR.

But with especially deadly bugs like CSRF, which can give an attacker carte blanche on your network and browser transactions, you'd think it would be a priority. Hard to say. It's certainly been perplexing for Calyptix, which has been careful to abide by responsible disclosure rules, but also sees the bigger picture here. Dan Weber, the researcher at Calyptix that discovered the CSRF bugs, says he doesn't understand why the other seven security vendors only sent Calyptix auto-responses when he and his team alerted them about the bugs in their products.

"They don't seem to be doing anything beyond that. It's tough to figure out why they wouldn't care -- maybe because there's no big exploit on it across the board" at this time, he says. And although Calyptix can't and won't say who the other vendors are, you can only imagine: The very first UTM device in which Weber found the bug has sold over 1 million boxes according to that vendor, he says.

That's a lot of vulnerable users.

Still, you can argue that CSRF is tough to exploit, and hackers typically go after the easy stuff first, so it's likely not a top priority for vendors. But if you can't trust your security vendor to protect you from the giant threats, who can you trust?

— Kelly Jackson Higgins, Senior Editor, Dark Reading