SANS updates vulnerability list

Semi-Annual Update to SANS Top 20 Internet Security Vulnerabilities

Application exploits, zero-day attacks and the end of Apple Computer’s reputation as a secure alternative to Microsoft Windows get top billing in the SANS Institute’s spring 2006 update to its Top 20 Internet Security Vulnerabilities list, issued last week.

For the first time, cybercriminals have developed many new exploits to compromise Apple’s Macintosh OS X operating system, the report states. “OS X still remains safer than [Microsoft] Windows, but its reputation for offering a bulletproof alternative to Windows is in tatters,” said Alan Paller, the institute’s director of research.

Commercial applications continue to be the targets and tools of choice for cybercriminals who seek to hack unwary users’ systems, the report found. Attacks on the Windows operating system and servers continued to nosedive, but rising attacks on application vulnerabilities made up much of the difference. More attacks use doctored files, including media, image and Microsoft Excel files, that exploit vulnerabilities in the commercial applications that open them.

Microsoft’s Internet Explorer Web browser makes users susceptible to so many attacks that “it’s time to call it ‘Internet Exploiter,’” said Rohit Dhamankar, editor of the SANS Top 20. He is also manager of the Digital Vaccine security research team at 3Com’s TippingPoint Division.

Users can become victims of drive-by downloads that exploit Internet Explorer’s flaws to infect machines with adware and spyware just by visiting malicious sites, Dhamankar said.

Mozilla’s Firefox Web browser and other Mozilla software vulnerabilities are also becoming more popular targets, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center. “It’s a bit safer [than Internet Explorer] but not a cure-all for safe Web browsing,” he said.

Many new exploits are zero-day attacks, which exploit vulnerabilities before the software developer can release a patch and sometimes even before it is aware of the weakness. A number of new zero-day attacks were discovered for Internet Explorer and even one for Apple’s Safari browser, the report states.

A wave of low-cost zero-day attacks is installing spyware and adware on millions of computers, the report states. “The attackers have perfected their business models,” said Ed Skoudis, director of SANS’ “Hacking Exploits” courses and senior security analyst at Intelguardians. A $10 billion malicious code industry now exists, with its own research and development arm releasing modular new exploits that are easy to produce, he said.

Another trend the report describes is the rapid growth in attacks that seek to directly access databases, data warehouses and backup data. More attackers are cracking Oracle software that stores and processes data, and they are going after backup software from Veritas Software and Symantec, Paller said.

Attackers are also using SQL injection in a direct assault on data warehouses and other data collection and retrieval software, Paller said. SQL injection attacks insert extra characters into Web form submissions so that, when the application builds a database query from that input, the query’s meaning changes and the application releases sensitive information.
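The mechanism the paragraph describes, and the standard defense against it, as an added example that is not part of the article or of the SANS report: a lookup built by string concatenation lets form input alter the query, while the same lookup with a parameterized query treats the input as a plain value. The table, the two rows and the `sqlite3` in-memory database are constructed for the example.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL text by concatenation, so the submitted value becomes
    part of the query itself rather than data compared by the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the query text is fixed and the value is bound as a
    parameter, so quote characters in the input cannot change the query."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Runs both lookups on the same input and returns the row counts, which
    is what a code reviewer or tester would compare when auditing a form."""
    conn = setup_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, username)),
        "parameterized": len(lookup_parameterized(conn, username)),
    }


if __name__ == "__main__":
    # A normal submission behaves the same either way.
    print("normal input:", compare("alice"))
    # A submission containing quote characters (the textbook tautology)
    # changes the concatenated query's WHERE clause and returns every row,
    # while the parameterized query simply finds no user with that literal name.
    print("quoted input:", compare("' OR '1'='1"))
```

The point for a defender is the last line of `compare`: the parameterized lookup returns zero rows for the quoted input because the database never interprets the submitted characters as SQL, which is why parameter binding, not input filtering alone, is the fix.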
