November 21, 2005

Security exploits turn to apps says SANS

The SANS Institute is to publish its annual Top 20 list of most exploited vulnerabilities, and for the first time, six of the group are problems in applications rather than pre-loaded code such as operating systems, browsers, or web servers.

By CBR Staff Writer

We started this study in 2000 to let people know which of the 3,000 or so vulnerabilities then identified they should make priorities for protecting themselves, so we got a list together of the ones being used most often, said Alan Paller, director of research at the Bethesda, Maryland-based institution.

SANS gathers data from bodies such as the FBI, the NSA, and the UK’s National Infrastructure Security Co-ordination Centre, which Paller said are the ones involved in cleaning up after the damage has been done.

For the last four years the list hasn’t been all that newsy, but this year there’s been a big change, said Paller. Last weekend, sensitive parts of government discovered that the systems they use to protect their computers and networks were themselves the attack vector for a new type of attack.

Until now exploits have been against things that were already on your computer when you bought it, like the OS, browser, or IIS, whereas this year six of the Top 20 are applications, which is worrying, because these products are not generally patched automatically, he said.

Among the apps that make the list are backup packages such as BackupExec from Symantec/Veritas, and various products from CA. This is particularly worrying because people only back up their most critical data, such as financial information, which is exactly what the exploits will want to harvest, which was why we said ‘Ouch!’ when they cropped up on the list, Paller said.

Other apps on the targeted list include databases such as Oracle and MySQL, as well as PHP packages for web app development work and the now ubiquitous media players such as iTunes and WMP.

For the first time last week the NISCC issued a warning about a vulnerability in IPsec VPNs, Paller said. The one area of applications that are the exception to my rule is AV software, which is also on the Top 20 list, but is subject to automatic patching.


Gerhard Eschelbeck, CTO of security services company Qualys Inc, carries out his own annual study of vulnerabilities, based on data from customers of the company's scanning service, and said it corroborates the SANS data.

Qualys’ Laws of Vulnerabilities study shows that over the last year, there has been a significant shift, with 60% of new critical vulnerabilities being in client applications and only 40% on the server side, which represents a major change from previous years.

Client-side vulnerabilities have overtaken server-side ones since the end of last year, Eschelbeck said.

Meanwhile, Paller argued that this situation sets us back six years, to when we were all complaining that Microsoft had to start doing automatic patching. Now they’ve done it and we’ve all gotten so comfortable, while the attackers have changed their focus to the apps.
