
The Top 20 Most Critical Internet Security Vulnerabilities - PRESS UPDATE

2006 Spring Update on SANS Top 20 Internet Security Vulnerabilities Shows Marked Increase in Zero-Day Attacks and Growth in Attacks on Apple OS/X
Contact: Alan Paller, paller@sans.org, 301-951-0102x108
WASHINGTON, DC. -- The SANS Institute today announced updates to the Top 20 Internet Security Vulnerabilities. The 2006 Spring Update enables cyber security professionals to tune their defensive systems to reflect the most important new vulnerabilities that attackers are exploiting to take over computers and steal sensitive or valuable information.

Eight major trends are listed in the update:

a. Rapid growth in critical vulnerabilities being discovered in Mac OS/X, including a zero-day vulnerability (OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters).
b. Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side software, including the WMF vulnerability and the Internet Explorer flaws listed in Trend c.
c. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer.
d. Rapid growth in critical Firefox and Mozilla vulnerabilities.
e. Surge in commodity zero-day attacks used to infiltrate systems for profit motives.
f. Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses, and backup data (Oracle, Veritas Back-Up and SQL Injection attacks).
g. A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and more.
h. A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites.

Several of the world's top cyber security experts joined forces to ensure the latest and best available information is embodied in the consensus update:

Rohit Dhamankar, Editor, @RISK and the SANS Top 20, and Manager, Security Research, TippingPoint, a division of 3Com
Dr. Johannes Ullrich, Chief Technology Officer, SANS Internet Storm Center
Gerhard Eschelbeck, Chief Technology Officer, Webroot
Amol Sarwate, Manager, Vulnerability Management Lab, Qualys
Ed Skoudis, SANS "Hacking Exploits" Course Director and Senior Security Analyst, Intelguardians
Alan Paller, Director of Research, SANS Institute

About the SANS Institute


SANS is the most trusted and the largest source for information security training and certification in the world. Its 55,000 alumni, of whom 11,000 have passed challenging certification examinations, lead security teams and efforts in more than 80 countries around the world. SANS recently won unanimous approval from the Maryland Higher Education Commission to grant Master of Science degrees in Information Security Engineering and Information Security Management.

SANS develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center. SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 235,000 security professionals, auditors, system administrators, network administrators, chief information security officers, and CIOs who share the lessons they are learning and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.

Non-Technical Description of the Eight Trends


Software-Specific Trends
a. Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability

During the past few months, Apple Safari browser users faced their first zero-day attack. A zero-day attack is one that exploits a vulnerability before the vendor has made a patch available, so there is nothing for the user to install. In this case, Safari users who merely browsed a malicious web site found their computers automatically downloading and executing a malicious file. The user made no error other than to visit the web site. Apple patched Safari to fix this flaw, but almost immediately had to issue a second patch to stop another attack involving email attachments. The experts involved in the 2006 Top 20 Spring update agree that OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters. As attackers increasingly turn their attention to the platform, OS/X vulnerabilities are being discovered at a rapid pace, which could erode this safety margin in the future.
b. Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side software, including the WMF vulnerability and the Internet Explorer flaws listed in Trend c

The size and popularity of the installed base of Windows programs continue to make Windows platforms the top target of attackers. Even vulnerabilities outside Internet Explorer, such as the WMF flaw in the Windows image-rendering code, reach user systems primarily through Internet Explorer: a malicious web page need only reference a crafted image file for the browser to hand it to the vulnerable component.
c. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer

Internet Explorer users continue to be subjected to "drive-by" attacks when they visit web sites set up to exploit vulnerabilities in IE that Microsoft hasn't yet patched, or for which the user hasn't installed the patch. These vulnerabilities are responsible for many thousands of computers being infected with spyware and adware. There have been so many vulnerabilities, including some that may never have been disclosed outside Microsoft, that Microsoft had to issue separate "cumulative security updates" for Internet Explorer in December 2005, February 2006, and April 2006.
d. Rapid growth in critical Firefox and Mozilla vulnerabilities.

Users of Firefox and Mozilla have had to patch eleven vulnerabilities that can be exploited by a malicious webpage to execute arbitrary code on a user's system as well as several more critical vulnerabilities. Firefox continues to be seen as somewhat safer than Internet Explorer, but it is no panacea.

Overarching Trends in Attack Patterns


e. Surge in commodity zero-day attacks used to infiltrate systems for profit motives

The growth in zero-day attacks, an overall trend, can be seen in several of the previous trends. One possible explanation is that cyber crime has become so lucrative, reaching at least $10 billion per year, that huge sums of money are being spent to sponsor research to find more vulnerabilities faster. Many of the vulnerabilities being found make their way into zero-day attacks whose purpose is to turn compromised machines into zombies, which are then loaded with adware that earns the attackers money.
f. Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses, and backup data (Oracle, Veritas Back-Up and SQL Injection attacks)

Attackers are targeting important data by finding and exploiting vulnerabilities in the software that stores and processes the data (especially Oracle), the software that backs it up (backup products from Symantec/Veritas), and data warehouses and other data collection and retrieval applications reached through SQL injection attacks. In a SQL injection attack, the attacker types input containing SQL syntax (a quote character followed by extra clauses, for instance) into an online form. If the application builds its database query by pasting that input into the SQL text, the database executes the attacker's clauses as part of the query and can be made to return far more sensitive data than the form was designed to show. The standard defense is to pass user input to the database as a bound parameter rather than as part of the query text.
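As an added illustration that is not part of the SANS update, the following Python snippet uses the standard library's sqlite3 module and a constructed three-row customer table to place a deliberately vulnerable lookup, which splices the form field into the SQL text, next to a parameterized version of the same query. The table and column names, the sample rows and the two payload strings are assumptions chosen for the demonstration; the behaviour shown is the same against Oracle or any other SQL database that is queried this way.

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111-1111-1111-1111"),
    ("bob", "bob@example.com", "5500-0000-0000-0004"),
    ("carol", "carol@example.com", "3400-0000-0000-009"),
]

# Two classic form inputs: a tautology that is always true, and a comment
# marker that discards the rest of the statement so the attacker's
# condition is the only one that counts.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
COMMENT_PAYLOAD = "nobody' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the form field is spliced into the SQL text.

    Whatever the user types becomes part of the statement, so SQL syntax in
    the input is executed rather than compared as data.
    """
    sql = f"SELECT username, email, card FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the form field is bound as a parameter.

    The database receives the query shape and the value separately, so the
    value is compared literally and cannot add clauses to the statement.
    """
    sql = "SELECT username, email, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups against the same data and return the row counts."""
    conn = make_db()
    return {
        "honest_query": len(lookup_vulnerable(conn, "alice")),  # 1 row
        "tautology_vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),  # every row
        "comment_vulnerable": len(lookup_vulnerable(conn, COMMENT_PAYLOAD)),  # every row
        "tautology_parameterized": len(lookup_parameterized(conn, TAUTOLOGY_PAYLOAD)),  # 0 rows
        "comment_parameterized": len(lookup_parameterized(conn, COMMENT_PAYLOAD)),  # 0 rows
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Run the block directly to print the row counts. The vulnerable lookup returns every row of the table for either payload because the attacker's clause is evaluated as part of the query; the parameterized lookup returns nothing, because it looks for a user whose name literally is the payload string. Escaping quote characters is not an adequate substitute: binding parameters keeps the query shape fixed no matter what the input contains.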
g. A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and more. These, like the browser attacks, are part of a larger trend away from attacks on servers and toward attacks on client applications

An increasing number of attacks take advantage of flaws in file-processing software. The Windows Metafile (WMF) vulnerability described earlier is one example. In addition we have seen a major upsurge in attacks using flaws in programs that process media files, such as Apple QuickTime/iTunes, Windows Media Player, RealNetworks RealPlayer, Macromedia Flash Player and Nullsoft Winamp. Microsoft Office users, especially users of Excel, have also been subjected to file-based attacks. These attacks typically result from insufficient input validation in file parsers (for example, trusting lengths or offsets read from the file itself), in other words from programming errors by programmers who have weak security skills. The figure below shows a steady decline in attacks against servers.

[Figure: attacks against servers over time, showing a steady decline. Source: SANS Internet Storm Center]


h. A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites

Finally, a three-year series of attacks by disciplined attackers in hostile nation-states against US, British, and Canadian government agencies, contractors, and other companies is now reaching an even higher pitch. In this attack, called spear phishing, the attacker sends an email to employees of a defense facility. In one type of spear phishing, the email appears to come from a senior officer and orders the recipient to download a piece of software, implying it is required for security. The software is actually a Trojan horse that spreads from the victim's computer to other systems at the military or other sensitive site, gathers and exfiltrates important data, and leaves a back door through which the attackers can return. The vulnerability? Gullible users.
