Automated Patching Helping Zero-Day Exploits

Windows applications continue to be key targets for hackers, according to the
latest Top 20 list of Internet security vulnerabilities from The SANS Institute.

The number one spot on the information security training and certification group’s list belongs to Microsoft’s Internet Explorer. However, the report also highlighted zero-day vulnerabilities and attacks that go beyond Internet Explorer as the number one trend in its 2006 update.

The zero-day exploits are a key trend in the modern threat landscape and it’s one that is becoming increasingly difficult to spot.

“We came from a world of disruptive behavior with Web site defacements, worms and activities that were easy to see,” Marc Sachs, director of the SANS Internet Storm Center, said on a conference call discussing the top 20 report. “In the last few years the trend has gone toward value orientation attacks, largely criminal. They don’t want to be disruptive and they don’t want to be noticed.”

The way not to get noticed is by using attacks that haven’t been discovered
yet, and for which there is no means of defense, which, by definition, is a zero-day

“While we’ve known about the phenomenon for years, here in 2006 we’re seeing it actively used on the internet and the amount of activity will continue to increase,” Sachs said.

According to the report, vulnerabilities in the Microsoft Office suite tripled compared to 2005. The report cited some 45 critical vulnerabilities found in MS Office products, nine of which were flagged as being zero-day exploits.

Better security positioning by operating system vendors and applications
themselves may be partially to blame for the rise in zero day attacks.

“The increase in zero-day [exploits] is also being seen because certain [operating systems] and apps have automated patching,” said Rohit Dhamankar, editor of the SANS Top 20 list. “So, if the end-hacker target is to compromise a lot of systems, the automated patching throws people off. That’s why you see more zero-days now because that’s the only way to
compromise a lot of systems.”

News Around the Web