"A browser" – that’s all we were led to believe the next generation would need to create office applications or engineering applications. Now, the focus on security has begun to divert in that direction. Statistics from the first half of 2006 showed that 69 percent of exploitable vulnerabilities were from Web applications. Web application vulnerabilities usually get mixed up with server vulnerabilities, although the two are distinctly different. Web developers who design Web sites are not usually security gurus. The developers will often leave behind various security holes in the Web application because of bad coding practices and a lack of security reviews.
On one hand, there are many security experts around the world who fuzz Web servers with variations in order find another zero-day. The end result is that the gap between popular Web servers and exploitable vulnerabilities within them is increasing. It has been a long time since we have seen a completely exploitable security breach for a default/patched installation of IIS. It doesn't mean that there won't be such vulnerabilities in future. There will be, but the frequency has been greatly reduced, for now.
However, on the other hand, how many of us concentrate on fuzzing a Web application? The server running the application would essentially be the same, but the Web application running on top of it could be anything. Ajax, as a technology, seems to be taking the Internet in a new direction. It is now a fact that browsers on our mobile phones are capable of showing us movies, writing office documents, creating applications, or anything that previously only an operating system could perform. In other words, browsers could take over operating systems. Unfortunately, this new technology could also lead to new types of threats that are focused on browsers and Web applications. Or, is it safe to say that the focus has already started to divert?