
Page 1: The Top 20 Most Critical Internet Security Vulnerabilities - PRESS UPDATE

8/4/2019 The Top 20 Most Critical Internet Security Vulnerabilities - PRESS UPDATE

http://slidepdf.com/reader/full/the-top-20-most-critical-internet-security-vulnerabilities-press-update 1/4

The Top 20 Most Critical Internet Security Vulnerabilities - PRESS UPDATE

2006 Spring Update on SANS Top 20 Internet Security Vulnerabilities Shows Marked Increase in Zero-Day Attacks and Growth in Attacks on Apple OS/X

Contact: Alan Paller, [email protected], 301-951-0102x108


WASHINGTON, DC. -- The SANS Institute today announced updates to the Top 20 Internet Security Vulnerabilities. The 2006 Spring Update enables cyber security professionals to tune their defensive systems to reflect the most important new vulnerabilities that attackers are exploiting to take over computers and steal sensitive or valuable information. Eight major trends are listed in the update:

a. Rapid growth in critical vulnerabilities being discovered in Mac OS/X, including a zero-day vulnerability (OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.)

b. Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side software, including the WMF vulnerability and Internet Explorer flaws, listed in Trend #3.

c. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer.

d. Rapid growth in critical Firefox and Mozilla vulnerabilities.

e. Surge in commodity zero-day attacks used to infiltrate systems for profit motives.

f. Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses, and backup data (Oracle, Veritas Back-Up and SQL Injection attacks).

g. A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and more.

h. A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites.

Several of the world's top cyber security experts joined forces to ensure the latest and best available information is embodied in the consensus update:

- Rohit Dhamankar, Editor, @RISK and the SANS Top 20, and Manager, Security Research, TippingPoint, a division of 3Com
- Dr. Johannes Ullrich, Chief Technology Officer, SANS Internet Storm Center
- Gerhard Eschelbeck, Chief Technology Officer, Webroot
- Amol Sarwate, Manager, Vulnerability Management Lab, Qualys
- Ed Skoudis, SANS "Hacking Exploits" Course Director and Senior Security Analyst, Intelguardians
- Alan Paller, Director of Research, SANS Institute

About the SANS Institute

SANS is the most trusted and the largest source for information security training and certification in the world. Its 55,000 alumni, of whom 11,000 have passed challenging certification examinations, lead security teams and efforts in more than 80 countries around the world. SANS recently won unanimous approval from the Maryland Higher Education Commission to grant Master of Science degrees in Information Security Engineering and Information Security Management.


SANS develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center. SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 235,000 security professionals, auditors, system administrators, network administrators, chief information security officers, and CIOs who share the lessons they are learning and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.

Non-Technical Description of the Eight Trends

Software-Specific Trends

a. Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability

During the past few months, Apple Safari browser users faced their first zero-day attack. A zero-day attack is one that causes damage to users even before the vendor makes a patch available. In this case, Safari users who just browsed a malicious web site found their computers automatically downloading and executing a malicious file. The user made no error other than to visit the web site. Apple patched Safari to fix this flaw, but almost immediately had to issue a second patch to stop another attack involving email attachments. The experts involved in the 2006 Top 20 Spring update agree that OS/X still remains safer than Windows; but its reputation for offering a bullet-proof alternative to Windows is in tatters. As attackers are increasingly turning their attention to the platform, OS/X vulnerabilities are being discovered at a rapid pace, which could erode this safety in the future.

b. Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side software, including the WMF vulnerability and Internet Explorer flaws, listed in Trend #3

The size and popularity of the Windows programs continue to make Windows platforms the top target of attackers. Even non-Internet Explorer vulnerabilities like the WMF problem use Internet Explorer as a primary vector to reach user systems across networks.

c. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer

Internet Explorer users continue to be subjected to "drive-by" attacks when they visit web sites set up to exploit vulnerabilities in IE that Microsoft hasn't yet patched, or for which the user hasn't installed the patch. These vulnerabilities are responsible for many thousands of computers being infected with spyware and adware. There have been so many vulnerabilities, including some that may never have been disclosed outside Microsoft, that Microsoft had to issue separate "cumulative security updates" for Internet Explorer in December 2005, February 2006, and April 2006.

d. Rapid growth in critical Firefox and Mozilla vulnerabilities.

Users of Firefox and Mozilla have had to patch eleven vulnerabilities that can be exploited by a malicious webpage to execute arbitrary code on a user's system, as well as several more critical vulnerabilities. Firefox continues to be seen as somewhat safer than Internet Explorer, but it is no panacea.

Overarching Trends in Attack Patterns

e. Surge in commodity zero-day attacks used to infiltrate systems for profit motives

The growth in zero-day attacks, an overall trend, can be seen in several of the previous trends. One possible explanation is that cyber crime has become so lucrative - reaching at least $10 billion per year -- that huge sums of money are being spent to sponsor research to find more vulnerabilities faster. Many vulnerabilities being found make their way into zero-day attacks meant to collect zombies to be infected with lucrative adware downloads.

f. Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses, and backup data (Oracle, Veritas Back-Up and SQL Injection attacks)


Attackers are targeting important data by finding and exploiting vulnerabilities in software that stores and processes the data (especially Oracle), software that backs up the data (backup products from Symantec/Veritas), and data warehouses and other data collection and data retrieval applications exploited through SQL injection attacks. In a SQL injection attack, an attacker filling in an online form adds special characters into the form that fool the database into disclosing large amounts of sensitive data.
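The mechanism described above, and the fix for it, as an added example that is not part of the SANS release: a form value spliced into the SQL text lets the database read the "special characters" as query syntax, while a parameterised query keeps them as data. The table and rows are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample table for the demonstration; the rows are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, card TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "4111-0000-0000-0001"), (2, "bob", "4111-0000-0000-0002")],
    )
    return db

def lookup_vulnerable(db, form_name):
    # The form value is spliced into the SQL text, so the database cannot tell
    # the user's data apart from the query's own syntax: a value containing a
    # quote and an OR clause widens the WHERE condition to every row.
    sql = "SELECT name, card FROM customers WHERE name = '%s'" % form_name
    return db.execute(sql).fetchall()

def lookup_safe(db, form_name):
    # Parameterised query: the value travels separately from the SQL text and
    # is always compared as a literal string, special characters included.
    sql = "SELECT name, card FROM customers WHERE name = ?"
    return db.execute(sql, (form_name,)).fetchall()

def rows_returned(lookup, form_name):
    """Number of rows a given lookup hands back for one form submission."""
    return len(lookup(make_db(), form_name))
```

The same submission that returns every row from the vulnerable lookup returns nothing from the parameterised one, which is why parameterisation (not filtering of characters) is the standard defence.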

g. A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and more. These, like the browser attacks, are part of a larger trend away from attacks on servers and toward attacks on client applications

An increasing number of attacks take advantage of flaws in file processing software. The Windows Metafile described earlier is one example. In addition we have seen a major upsurge in attacks using flaws in programs that process media files, such as Apple QuickTime/iTunes, Windows Media Player, RealNetworks RealPlayer, Macromedia Flash Player and Nullsoft Winamp. Microsoft Office users, especially users of Excel, have also been subjected to file-based attacks. These attacks are typically the result of insufficient input validation in file parsers - in other words, programming errors by programmers who have weak security skills.

The figure below shows a steady decline in attacks against servers. (Source: SANS Internet Storm Center)
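What "insufficient input validation in a file parser" looks like in practice, as an added example that is not from the SANS release or any real file format: a constructed toy container format with length-prefixed records, parsed once trusting the length field (with the end-of-record check emulating 32-bit C arithmetic, where off + length can wrap around) and once with the two checks a hardened parser needs. The format, limits and sample files are all assumptions made for this example.

```python
import struct

# Constructed toy container format for this example (not WMF or any real
# format): 4-byte magic b"TIMG", then records of [uint32 LE length][payload].
MAGIC = b"TIMG"
MAX_RECORD = 1 << 20   # largest payload a sane file of this format could hold
U32 = 0xFFFFFFFF

def build_file(payloads):
    """Construct a well-formed sample file from a list of payloads."""
    return MAGIC + b"".join(struct.pack("<I", len(p)) + p for p in payloads)

def parse_records(data, hardened=True):
    """Return the list of payloads; raise ValueError on malformed input.

    hardened=False reproduces a parser that trusts the length field: no size
    limit, and an end check written as off + length, which wraps in 32-bit C.
    """
    if len(data) < 4 or data[:4] != MAGIC:
        raise ValueError("bad magic")
    off, size, out = 4, len(data), []
    while off < size:
        if size - off < 4:
            raise ValueError("truncated record header at offset %d" % off)
        (length,) = struct.unpack_from("<I", data, off)
        off += 4
        if hardened:
            if length > MAX_RECORD:
                raise ValueError("record length %d exceeds limit" % length)
            if length > size - off:             # written so it cannot overflow
                raise ValueError("record length %d overruns file" % length)
        elif ((off + length) & U32) > size:     # wraps for lengths near 2**32
            raise ValueError("record length %d overruns file" % length)
        out.append(bytes(data[off:off + length]))  # a C memcpy would overrun here
        off += length
    return out

def check_file(data, hardened=True):
    """(True, record count) if accepted, (False, reason) if rejected."""
    try:
        return True, len(parse_records(data, hardened))
    except ValueError as exc:
        return False, str(exc)

# Constructed malformed inputs: a length field past the end of the file, and
# one near 2**32 that slips past the wrap-prone check but not the hardened one.
OVERRUN_FILE = MAGIC + struct.pack("<I", 100) + b"\x00" * 8
WRAP_FILE = MAGIC + struct.pack("<I", 0xFFFFFFFC) + b"\x00" * 8
```

The trusting parser accepts WRAP_FILE and returns a record whose declared length is nowhere near its real eight bytes; in a native parser that declared length would drive the copy, which is the defect class behind the media-file flaws listed above.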

h. A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites


Finally, a three-year series of attacks by disciplined attackers in hostile nation-states against US, British, and Canadian government agencies, contractors, and other companies, is now reaching an even higher pitch. In this attack, called spear phishing, the attacker sends an email to employees of a defense facility. In one type of spear phishing, the email appears to come from a senior officer and orders the recipient to download a piece of software, implying it is required for security. The software is actually a Trojan horse that escapes from the victim's computer, roams through the military or other sensitive site, and gathers and exfiltrates important data, leaving a back door through which the attackers can return. The vulnerability? Gullible users.
