"For years buffer overflow has been the favorite target of online attackers, but no more: Cross-site scripting is now the biggest culprit

That's the scoop from Mitre Corp., which later this week will release its latest findings about the flaws behind publicly-disclosed vulnerabilities.

The number two favorite flaw is SQL injection, says Robert Martin, lead for compatibility and outreach at Mitre, who first discussed the new data at yesterday's Cyber Security Executive Conference in New York. The number of buffer overflow flaws exploited dropped to number three in 2005 and number four so far this year, according to Mitre.

Martin says he was surprised to find that cross-site scripting has become the main flaw that attackers exploit in software. "We hadn't heard anything about this shift."

Mitre has recorded about 20,000 common vulnerability and exposures (CVE) -- the designation given to all publicly reported vulnerabilities -- with around 150 coming in per week. The statistics were based on samples of these CVEs, he says. " - Darkreading

Article Link: http://www.darkreading.com/document.asp?doc_id=103774