Internet security 'back to the Stone Age'

The Twenty Most Critical Internet Vulnerabilities (Updated) – The Experts Consensus

Related Links

Cybercriminals in 2005 changed the security landscape by attacking client applications and network operating systems that don’t receive automatic security patches, international computer experts said today.

Aside from antivirus software, none of the new targets have automatic patching updates, said Alan Paller, director of research at the SANS Institute, a training and education organization for security professionals.

The institute released today the latest update to its 20 Most Critical Internet Security Vulnerabilities in 2005 report.

“That means we’re back to the Stone Age” of five years ago, before automated patching, when everyone had to find vulnerabilities and patch them manually, Paller said. “Those days are back in spades.”

The institute, the U.S. Computer Emergency Readiness Team and Britain’s National Infrastructure Security Co-ordination Centre explained the repercussions of findings from the institute’s report.

Ten of the vulnerabilities were in cross-platform applications installed on millions of systems, including backup software, antivirus software, database software and media players. Three affected network operating systems that control routers, switches and other devices that form the Internet’s backbone.

In the past 12 months, those new types of attacks represented 65 percent of the worst threats, up from none in 2004.

Attackers have moved from server-side attacks to client-side attacks, said Rohit Dhamankar, leader of the SANS Institute team and a security architect at 3Com’s TippingPoint. The greatest concerns are attacks on backup software, browser software and media players, he said.

Sixty percent of the vulnerabilities affect client-side applications, said Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys.

The shift from attacking server applications to client applications shows that much of the “low-hanging fruit” cybercriminals go after has been taken care of on the server side, he said.

Unfortunately, Eschelbeck said he sees “unlimited room” for finding vulnerabilities in client applications in the foreseeable future.

In addition, three of the four categories of threats in this year’s list have to do with configuration weaknesses, Eschelbeck noted.

“Some simple basic security configuration issues are being missed out there” and could be resolved by prioritized and scheduled patching, he said.

Several industry giants, including Cisco Systems and Microsoft, were mentioned as vulnerable to these new kinds of attacks.

Sanjay Beri, director of product management for the emerging technologies group at Juniper Networks, said the SANS report is useful but is not completely up to date.

"The specific items the report mentions concern old versions of the Junos operating system, and fixes have been available for these few items since the vulnerabilities were discovered" in February 2005, Beri said.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.