SANS updates vulnerability list

Semi-Annual Update to SANS Top 20 Internet Security Vulnerabilities

Application exploits, zero-day attacks and the end of Apple Computer’s reputation as a secure alternative to Microsoft Windows get top billing in the SANS Institute’s spring 2006 update to its Top 20 Internet Security Vulnerabilities list, issued last week.

For the first time, cybercriminals have developed many new exploits to compromise Apple’s Macintosh OS X operating system, the report states. “OS X still remains safer than [Microsoft] Windows, but its reputation for offering a bulletproof alternative to Windows is in tatters,” said Alan Paller, the institute’s director of research.

Commercial applications continue to be the targets and tools of choice for cybercriminals who seek to hack unwary users’ systems, the report found. Attacks on the Windows operating system and servers continued to nosedive, but rising attacks on application vulnerabilities made up much of the difference. More attacks are using doctored versions of vulnerable commercial applications, including media, image and Microsoft Excel files.

Microsoft’s Internet Explorer Web browser makes users susceptible to so many attacks that “it’s time to call it ‘Internet Exploiter,’” said Rohit Dhamankar, editor of the SANS Top 20. He is also manager of the Digital Vaccine security research team at 3Com’s TippingPoint Division.

Users can become victims of drive-by downloads that exploit Internet Explorer’s flaws to infect machines with adware and spyware just by visiting malicious sites, Dhamankar said.

Mozilla’s Firefox Web browser and other Mozilla software vulnerabilities are also becoming more popular targets, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center. “It’s a bit safer [than Internet Explorer] but not a cure-all for safe Web browsing,” he said.

Many new exploits are zero-day attacks, which exploit vulnerabilities before the software developer can release a patch and sometimes even before it is aware of the weakness. A number of new zero-day attacks were discovered for Internet Explorer and even one for Apple’s Safari browser, the report states.

A wave of low-cost zero-day attacks is installing spyware and adware on millions of computers, the report states. “The attackers have perfected their business models,” said Ed Skoudis, director of SANS’ “Hacking Exploits” courses and senior security analyst at Intelguardians. A $10 billion malicious code industry now exists, with its own research and development arm releasing modular new exploits that are easy to produce, he said.

Another trend the report describes is the rapid growth in attacks that seek to directly access databases, data warehouses and backup data. More attackers are cracking Oracle software that stores and processes data, and they are going after backup software from Veritas Software and Symantec, Paller said.

Attackers are also using SQL injection in a direct assault on data warehouses and other data collection and retrieval software, Paller said. SQL injection attacks add characters to submissions in Web forms that trick the application into releasing sensitive information.
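As an added illustration of the SQL injection mechanism the report describes (example code written for this page, not from SANS or the article), the script below builds a constructed in-memory table and contrasts a lookup that pastes a Web-form field into the SQL text with one that binds it as a parameter, which is the standard fix.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny customer table
# standing in for the data stores the report says attackers target.
SAMPLE_ROWS = [
    ("alice", "alice@example.test", "gold"),
    ("bob", "bob@example.test", "silver"),
    ("carol", "carol@example.test", "gold"),
]


def make_db():
    """Create an in-memory SQLite database populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, tier TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # Pastes the form field into the SQL text, so extra characters in the
    # submission become part of the query's structure instead of its data.
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    # Binds the field as a parameter: its contents are compared literally
    # against the name column and are never parsed as SQL.
    query = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name matches one row either way; a submission carrying extra
    # quote/OR characters widens the vulnerable query to every row.
    for submitted in ("alice", "x' OR '1'='1"):
        vuln, safe = compare(submitted)
        print(f"{submitted!r}: vulnerable={len(vuln)} rows, parameterized={len(safe)} rows")
```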

