Zero-day flaws target 'safe' programs
In the nearly six months since the release of its last Top 20 vulnerabilities list, the SANS Institute has observed a sharp spike in zero-day
flaws, many of them in programs long considered to be safe alternatives to Windows.
However, Microsoft remains the target of industry scrutiny following several high-profile flaws, including the recent Windows Meta File (WMF) and Internet Explorer (IE) createTextRange glitches.
At the same time an increasing array of zero-day vulnerabilities appeared in Mozilla's Firefox browser and Apple Computer Inc.'s Mac OS X operating system.
SANS researchers also saw a sizable increase in financially motivated zero-day attacks, as well as an ongoing problem with attacks exploiting Web application flaws.
"We've observed 80-90 flaws in Web applications a week," said Rohit Dhamankar, project manager for the SANS Top 20 effort and lead security architect for the TippingPoint division of Marlborough, Mass.-based 3Com Corp. "Immediately after the flaw is disclosed, public exploit code emerges that can compromise back-end data or the Web server quite easily."
The Bethesda, Md.-based institute noted eight trends in its spring update of the Top 20 vulnerabilities list:
Rapid growth in critical Mac OS X flaws, including a zero-day hole. SANS said the Mac remains safer than Windows, but its bullet-proof reputation "is in tatters."
A substantial decline in the number of critical flaws in Windows services, offset by flaws in client-side software, including the WMF vulnerability and flaws in IE.
The continued discovery of multiple zero-day flaws in IE.
Rapid growth in critical Firefox and Mozilla vulnerabilities. "Firefox continues to be seen as somewhat safer than IE, but it is no panacea," SANS said.
A surge in commodity (cheap) zero-day attacks used to infiltrate systems for profit. Dhamankar said, "More of these attacks are hitting large enterprises and ISPs."
Rapid growth in critical flaws allowing direct access to databases, data warehouses and backup data.
A continued surge in file-based attacks, especially those using media and image files, Microsoft Excel files, and more.
A rapid spread, especially among defense and nuclear energy sites, of successful spear-phishing attacks.
The institute described spear phishing as an activity in which the attacker sends an e-mail to as many as one hundred employees. That e-mail appears to be sent by a senior officer and orders the recipient to download a piece of software, implying it is required for security.
"The software is actually a Trojan horse that escapes from the victim's computer, roams through the [network] … gathers and infiltrates important data and leaves a back door through which the attackers can return," the institute said.