SANS updates vulnerability list

Semi-Annual Update to SANS Top 20 Internet Security Vulnerabilities

Application exploits, zero-day attacks and the end of Apple Computer’s reputation as a secure alternative to Microsoft Windows get top billing in the SANS Institute’s spring 2006 update to its Top 20 Internet Security Vulnerabilities list, issued last week.

For the first time, cybercriminals have developed many new exploits to compromise Apple’s Macintosh OS X operating system, the report states. “OS X still remains safer than [Microsoft] Windows, but its reputation for offering a bulletproof alternative to Windows is in tatters,” said Alan Paller, the institute’s director of research.

Commercial applications continue to be the targets and tools of choice for cybercriminals who seek to hack unwary users’ systems, the report found. Attacks on the Windows operating system and servers continued to nosedive, but rising attacks on application vulnerabilities made up much of the difference. More attacks now rely on doctored files, including media, image and Microsoft Excel files, that exploit vulnerabilities in the commercial applications that open them.

Microsoft’s Internet Explorer Web browser makes users susceptible to so many attacks that “it’s time to call it ‘Internet Exploiter,’” said Rohit Dhamankar, editor of the SANS Top 20. He is also manager of the Digital Vaccine security research team at 3Com’s TippingPoint Division.

Users can become victims of drive-by downloads that exploit Internet Explorer’s flaws to infect machines with adware and spyware just by visiting malicious sites, Dhamankar said.

Mozilla’s Firefox Web browser and other Mozilla software vulnerabilities are also becoming more popular targets, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center. “It’s a bit safer [than Internet Explorer] but not a cure-all for safe Web browsing,” he said.

Many new exploits are zero-day attacks, which exploit vulnerabilities before the software developer can release a patch and sometimes even before it is aware of the weakness. A number of new zero-day attacks were discovered for Internet Explorer and even one for Apple’s Safari browser, the report states.

A wave of low-cost zero-day attacks is installing spyware and adware on millions of computers, the report states. “The attackers have perfected their business models,” said Ed Skoudis, director of SANS’ “Hacking Exploits” courses and senior security analyst at Intelguardians. A $10 billion malicious code industry now exists, with its own research and development arm releasing modular new exploits that are easy to produce, he said.

Another trend the report describes is the rapid growth in attacks that seek to directly access databases, data warehouses and backup data. More attackers are cracking Oracle software that stores and processes data, and they are going after backup software from Veritas Software and Symantec, Paller said.

Attackers are also using SQL injection in a direct assault on data warehouses and other data collection and retrieval software, Paller said. In a SQL injection attack, the attacker adds quote characters and SQL syntax to input submitted through a Web form; if the application splices that input directly into a database query, the added text is executed as part of the query and can trick the application into releasing sensitive information it was never meant to return.
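The mechanism described above, as an added illustration that is not part of the original article: a vulnerable form-lookup routine that concatenates user input into its SQL beside a hardened version that passes the same input as a bound parameter. The customer table, its rows and the function names are constructed for the example; the two payloads are standard SQL injection forms, not attacks reported by SANS.

```python
import sqlite3

# Constructed sample data standing in for a small data warehouse table.
# The card values are dummies chosen to look like what an attacker would
# want to extract; none of this comes from the article.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111-1111-1111-1111"),
    ("bob", "bob@example.com", "5500-0000-0000-0004"),
    ("carol", "carol@example.com", "3400-0000-0000-009"),
]


def build_db():
    """Create an in-memory SQLite database holding the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Look up one customer by splicing form input straight into the SQL text.

    A quote character in the input closes the string literal early, so the
    rest of the input is parsed and executed as SQL.
    """
    sql = ("SELECT username, email, card FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Same lookup with a parameterised query.

    The input is handed to the engine as a value bound to the placeholder,
    never as SQL syntax, so quotes in it cannot change the WHERE clause.
    """
    sql = "SELECT username, email, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a benign name and two injection payloads."""
    conn = build_db()
    benign = "alice"
    # Tautology payload: the WHERE clause becomes  username = '' OR '1'='1'
    # and every row is returned.
    tautology = "' OR '1'='1"
    # UNION payload: appends a second SELECT against the schema catalogue;
    # the trailing -- comments out the closing quote the application adds.
    union = "' UNION SELECT name, sql, type FROM sqlite_master --"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "vuln_union": lookup_vulnerable(conn, union),
        "safe_benign": lookup_hardened(conn, benign),
        "safe_tautology": lookup_hardened(conn, tautology),
        "safe_union": lookup_hardened(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Against the vulnerable routine the tautology payload returns all three customers and the UNION payload returns the table definition from `sqlite_master`, which is how an attacker maps a schema before pulling data from it; the hardened routine returns the one matching row for the benign name and nothing at all for either payload, because the payload is compared literally against the `username` column.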
