SANS updates vulnerability list

Application exploits, zero-day attacks and threats targeting Apple’s operating system top the list.

Semi-Annual Update to SANS Top 20 Internet Security Vulnerabilities

Application exploits, zero-day attacks and the end of Apple Computer’s reputation as a secure alternative to Microsoft Windows get top billing in the SANS Institute’s spring 2006 update to its Top 20 Internet Security Vulnerabilities list, issued last week.

For the first time, cybercriminals have developed many new exploits to compromise Apple’s Macintosh OS X operating system, the report states. “OS X still remains safer than [Microsoft] Windows, but its reputation for offering a bulletproof alternative to Windows is in tatters,” said Alan Paller, the institute’s director of research.

Commercial applications continue to be the targets and tools of choice for cybercriminals who seek to hack unwary users’ systems, the report found. Attacks on the Windows operating system and servers continued to nosedive, but rising attacks on application vulnerabilities made up much of the difference. More attacks are using doctored versions of vulnerable commercial applications, including media, image and Microsoft Excel files.

Microsoft’s Internet Explorer Web browser makes users susceptible to so many attacks that “it’s time to call it ‘Internet Exploiter,’” said Rohit Dhamankar, editor of the SANS Top 20. He is also manager of the Digital Vaccine security research team at 3Com’s TippingPoint Division.

Users can become victims of drive-by downloads that exploit Internet Explorer’s flaws to infect machines with adware and spyware just by visiting malicious sites, Dhamankar said.

Vulnerabilities in Mozilla’s Firefox Web browser and other Mozilla software are also becoming more popular targets, said Johannes Ullrich, chief technology officer at the SANS Internet Storm Center. “It’s a bit safer [than Internet Explorer] but not a cure-all for safe Web browsing,” he said.

Many new exploits are zero-day attacks, which exploit vulnerabilities before the software developer can release a patch and sometimes even before it is aware of the weakness. A number of new zero-day attacks were discovered for Internet Explorer and even one for Apple’s Safari browser, the report states.

A wave of low-cost zero-day attacks is installing spyware and adware on millions of computers, the report states. “The attackers have perfected their business models,” said Ed Skoudis, director of SANS’ “Hacking Exploits” courses and senior security analyst at Intelguardians. A $10 billion malicious code industry now exists, with its own research and development arm releasing modular new exploits that are easy to produce, he said.

Another trend the report describes is the rapid growth in attacks that seek to directly access databases, data warehouses and backup data. More attackers are cracking Oracle software that stores and processes data, and they are going after backup software from Veritas Software and Symantec, Paller said.

Attackers are also using SQL injection in a direct assault on data warehouses and other data collection and retrieval software, Paller said. SQL injection attacks add characters to Web form submissions to trick the application into releasing sensitive information.

