List Stresses Software Insecurities

Security institute SANS released its latest 20 most critical vulnerabilities list, warning of new attacks that are focused on applications, including backup and media software, and of hackers' increasing ability to embed attacks in sites to snare users simply visiting them.

The latest list of vulnerabilities includes software from a range of vendors, including Microsoft (Nasdaq: MSFT), Computer Associates (NYSE: CA), Veritas, RealNetworks (Nasdaq: RNWK), Apple (Nasdaq: AAPL) and Mozilla. The SANS security researchers said attackers are increasingly going beyond operating system attacks to reach users and their data through the applications they are using.

"We're publishing this list as a red flag for individuals as well as IT departments," said SANS director of research Alan Paller in a statement. "Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected."

Holes for Hacks

The latest SANS vulnerability list indicated there were 422 new vulnerabilities discovered or reported during the second quarter of 2005, marking an increase of 10.8 percent from the first quarter and up 20 percent from last year's second quarter.

The vulnerabilities included operating system, browser, backup and security software holes, as well as several issues with Microsoft products, but also included media software such as RealNetworks' RealPlayer and a problem with Apple's iTunes MPEG4 file processing.

SANS warned that individuals and organizations that do not patch, update or otherwise correct the 20 most critical vulnerabilities run a heightened risk that remote, unauthorized hackers will take control of computers for ID theft, industrial espionage, spam or pornography.

Back Door in Backup

The latest critical vulnerability list from SANS also highlighted "worrisome" weakness in popular data backup products, which are designed to prevent catastrophes by recording copies of important data in storage, but may be opening the door to attacker access.

"Unfortunately, those products have become easy targets for attackers, and since they have access to substantially all data, the products weaknesses create real danger," SANS said in a statement.

Among the top 20 most critical vulnerabilities, SANS reported security holes in Computer Associates' BrightStor ARCServe Backup and Veritas backup software. Also on the list of potentially vulnerable software were: Oracle (Nasdaq: ORCL) Cumulative Update 2005; Apple Cumulative Security Updates 2005-005 and 006; and Mozilla and Firefox browsers. There were also security issues with Microsoft's Internet Explorer, Exchange Server, Message Queuing Service, Windows Shell Remote Code Execution and more.

Growing Sophistication

Ken Dunham, senior engineer for the Verisign/iDefense Intelligence Team, told TechNewsWorld the movement from operating system to applications is a natural evolution of attacker technique and technology, as well as response to operating system weakness.

Citing readily-available guides and discussions on reverse engineering and attacking software and systems, Dunham added that while operating systems have become more secure and organizations are now better at securing them, the same cannot be said about applications, even those that are heavily used.

"It appears there are plenty of holes and plenty of programs that are heavily used that are vulnerable," he said. "What that means is there is plenty of opportunity for attackers. There are a great many potential vectors that could be exploited."