8/4/2019 The Top 20 Most Critical Internet Security Vulnerabilities - PRESS UPDATE
http://slidepdf.com/reader/full/the-top-20-most-critical-internet-security-vulnerabilities-press-update 1/4
The Top 20 Most Critical Internet Security Vulnerabilities - PRESS UPDATE
2006 Spring Update on SANS Top 20 Internet Security Vulnerabilities Shows Marked Increase in Zero-Day Attacks and Growth in Attacks on Apple OS/X
Contact: Alan Paller, [email protected], 301-951-0102x108
WASHINGTON, DC. -- The SANS Institute today announced updates to the Top 20 Internet Security
Vulnerabilities. The 2006 Spring Update enables cyber security professionals to tune their defensive systems
to reflect the most important new vulnerabilities that attackers are exploiting to take over computers and steal
sensitive or valuable information. Eight major trends are listed in the update:
a. Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability (OS/X
still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in
tatters.)
b. Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side
software, including the WMF vulnerability and Internet Explorer flaws, listed in Trend #3.
c. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer.
d. Rapid growth in critical Firefox and Mozilla vulnerabilities.
e. Surge in commodity zero-day attacks used to infiltrate systems for profit motives.
f. Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses,
and backup data (Oracle, Veritas Back-Up and SQL Injection attacks).
g. A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and
more.
h. A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear
energy sites.
Several of the world's top cyber security experts joined forces to ensure the latest and best available
information is embodied in the consensus update:
Rohit Dhamankar, Editor, @RISK and the SANS Top 20, and Manager, Security Research, TippingPoint, a
division of 3Com
Dr. Johannes Ullrich, Chief Technology Officer, SANS Internet Storm Center
Gerhard Eschelbeck, Chief Technology Officer, Webroot
Amol Sarwate, Manager, Vulnerability Management Lab, Qualys
Ed Skoudis, SANS "Hacking Exploits" Course Director and Senior Security Analyst, Intelguardians
Alan Paller, Director of Research, SANS Institute
About the SANS Institute
SANS is the most trusted and the largest source for information security training and certification in the world.
Its 55,000 alumni, of whom 11,000 have passed challenging certification examinations, lead security teams
and efforts in more than 80 countries around the world. SANS recently won unanimous approval from the
Maryland Higher Education Commission to grant Master of Science degrees in Information Security
Engineering and Information Security Management.
SANS develops, maintains, and makes available at no cost, the largest collection of research documents about
various aspects of information security, and it operates the Internet's early warning system - the Internet Storm
Center. SANS Institute was established in 1989 as a cooperative research and education organization. Its
programs now reach more than 235,000 security professionals, auditors, system administrators, network
administrators, chief information security officers, and CIOs who share the lessons they are learning and jointly
find solutions to the challenges they face. At the heart of SANS are the many security practitioners in
government agencies, corporations, and universities around the world who invest hundreds of hours each year
in research and teaching to help the entire information security community.
Non-Technical Description of the Eight Trends
Software-Specific Trends
a. Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability
During the past few months, Apple Safari browser users faced their first zero-day attack. A zero-day
attack is one that causes damage to users even before the vendor makes a patch available. In this
case, Safari users who just browsed a malicious web site found their computers automatically
downloading and executing a malicious file. The user made no error other than to visit the web site.
Apple patched Safari to fix this flaw, but almost immediately had to issue a second patch to stop
another attack involving email attachments. The experts involved in the 2006 Top 20 Spring update agree that OS/X still remains safer than Windows; but its reputation for offering a bullet-proof
alternative to Windows is in tatters. As attackers are increasingly turning their attention to the
platform, OS/X vulnerabilities are being discovered at a rapid pace, which could erode this safety in
the future.
b. Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side
software, including the WMF vulnerability and Internet Explorer flaws, listed in Trend #3
The size and popularity of the Windows programs continue to make Windows platforms the top target
of attackers. Even non-Internet Explorer vulnerabilities like the WMF problem use Internet Explorer as
a primary vector to reach user systems across networks.
c. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer
Internet Explorer users continue to be subjected to "drive-by" attacks when they visit web sites set up
to exploit vulnerabilities in IE that Microsoft hasn't yet patched, or for which the user hasn't installed the patch. These vulnerabilities are responsible for many thousands of computers being infected with
spyware and adware. There have been so many vulnerabilities, including some that may never have
been disclosed outside Microsoft, that Microsoft had to issue separate "cumulative security updates"
for Internet Explorer in December 2005, February 2006, and April 2006.
d. Rapid growth in critical Firefox and Mozilla vulnerabilities.
Users of Firefox and Mozilla have had to patch eleven vulnerabilities that can be exploited by a
malicious webpage to execute arbitrary code on a user's system as well as several more critical
vulnerabilities. Firefox continues to be seen as somewhat safer than Internet Explorer, but it is no
panacea.
Overarching Trends in Attack Patterns
e. Surge in commodity zero-day attacks used to infiltrate systems for profit motives
The growth in zero-day attacks, an overall trend, can be seen in several of the previous trends. One
possible explanation is that cyber crime has become so lucrative - reaching at least $10 billion per
year -- that huge sums of money are being spent to sponsor research to find more vulnerabilities
faster. Many vulnerabilities being found make their way into zero-day attacks meant to collect
zombies to be infected with lucrative adware downloads.
f. Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses,
and backup data (Oracle, Veritas Back-Up and SQL Injection attacks)
Attackers are targeting important data by finding and exploiting vulnerabilities in software that stores
and processes the data (especially Oracle), software that backs up the data (Backup products from
Symantec/Veritas) and data warehouses and other data collection and data retrieval applications
exploited through SQL injection attacks. In a SQL injection attack, an attacker filling in an online form
adds special characters into the form that fools the database to disclose large amounts of sensitive
data.
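The form-input attack the release describes, shown as an added example (not part of the original SANS text): a lookup that pastes form input into the SQL string beside the same lookup written with a bound parameter. The table, rows and input strings are constructed for the demonstration; an in-memory SQLite database stands in for the real data store.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small customer table in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.com", "111-11-1111"),
            (2, "bob", "bob@example.com", "222-22-2222"),
            (3, "carol", "carol@example.com", "333-33-3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, form_name):
    # The form value is spliced into the query text. A quote character in the
    # input closes the string literal, so the rest of the input is parsed as
    # SQL and changes the WHERE clause instead of being compared as data.
    sql = f"SELECT name, email, ssn FROM customers WHERE name = '{form_name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, form_name):
    # The value travels to the driver separately from the query text, so it is
    # only ever compared as a string and cannot alter the query's logic.
    sql = "SELECT name, email, ssn FROM customers WHERE name = ?"
    return conn.execute(sql, (form_name,)).fetchall()


def demo():
    # Returns the number of rows each lookup discloses for an honest form value
    # and for a value carrying the "special characters" the release refers to.
    conn = make_db()
    honest = "alice"
    tampered = "x' OR '1'='1"  # constructed example of a quote-bearing input
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_tampered": len(lookup_vulnerable(conn, tampered)),
        "parameterized_honest": len(lookup_parameterized(conn, honest)),
        "parameterized_tampered": len(lookup_parameterized(conn, tampered)),
    }
```

The vulnerable lookup returns every row for the tampered value, which is the bulk disclosure the release describes; the parameterized lookup returns none, because no customer is literally named `x' OR '1'='1`.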
g. A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and
more. These, like the browser attacks, are part of a larger trend away from attacks on servers and toward
attacks on client applications.
An increasing number of attacks take advantage of flaws in file processing software. The Windows
Metafile described earlier is one example. In addition we have seen a major upsurge in attacks using
flaws in programs that process media files, such as Apple QuickTime/iTunes, Windows Media Player,
RealNetworks RealPlayer, Macromedia Flash Player and Nullsoft Winamp. Microsoft Office users,
especially users of Excel, have also been subjected to file-based attacks. These attacks are typically
the result of insufficient input validation in file parsers - in other words, programming errors by
programmers who have weak security skills.
The figure below shows a steady decline in attacks against servers. (Figure not reproduced; source: SANS Internet Storm Center.)
h. A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and
nuclear energy sites
Finally, a three-year series of attacks by disciplined attackers in hostile nation-states against US,
British, and Canadian government agencies, contractors, and other companies, is now reaching an
even higher pitch. In this attack, called spear phishing, the attacker sends an email to employees of a
defense facility. In one type of spear phishing, the email appears to come from a senior officer and
orders the recipient to download a piece of software, implying it is required for security. The software
is actually a Trojan horse that escapes from the victim's computer, roams through the military or other
sensitive site, and gathers and exfiltrates important data, leaving a back door through which the
attackers can return. The vulnerability? Gullible users.