We started this study in 2000 to let people know which of the 3,000 or so vulnerabilities then identified they should make priorities for protecting themselves, so we got a list together of the ones being used most often, said Alan Paller, director of research at the Bethesda, Maryland-based institution.

SANS gathers data from bodies such as the FBI, the NSA, and the UK’s National Infrastructure Security Co-ordination Centre, which Paller said are the ones involved in cleaning up after the damage has been done.

For the last four years the list hasn’t been all that newsy, but this year there’s been a big change, said Paller. Last weekend, sensitive parts of government discovered that the systems they use to protect their computers and networks were themselves the attack vector for a new type of attack.

Until now exploits have been against things that were already on your computer when you bought it, like the OS, browser, or IIS, whereas this year six of the Top 20 are applications, which is worrying, because these products are not generally patched automatically, he said.

Among the apps that make the list are backup packages such as BackupExec from Symantec/Veritas, and various products from CA. This is particularly worrying because people only back up their most critical data, such as financial information, which is exactly what the exploits will want to harvest, which was why we said ‘Ouch!’ when they cropped up on the list, Paller said.

Other apps on the targeted list include databases such as Oracle and MySQL, as well as PHP packages for web app development work and the now ubiquitous media players such as iTunes and WMP.

For the first time last week the NISCC issued a warning about a vulnerability in IPsec VPNs, Paller said. The one area of applications that is the exception to my rule is AV software, which is also on the Top-20 list, but is subject to automatic patching.

Gerhard Eschelbeck, CTO of security services company Qualys Inc, carries out his own annual study around vulnerabilities, based on data from customers for its scanning service, and said it corroborates the SANS data.

Qualys’ Laws of Vulnerabilities study shows that over the last year, there has been a significant shift, with 60% of new critical vulnerabilities being in client applications and only 40% on the server side, which represents a major change from previous years.

Client-side vulnerabilities have overtaken server-side ones since the end of last year, Eschelbeck said.

Meanwhile, Paller argued that this situation sets us back six years, to when we were all complaining that Microsoft had to start doing automatic patching. Now they’ve done it and we’ve all gotten so comfortable, the attackers have changed their focus to the apps.