SANS: No Safety From Vulnerabilities

Unless you’ve been hiding under a rock for the past three months, you’ve likely been hit with an Internet security vulnerability needing your attention. The latest threats cover the gamut of popular client- and server-side applications, and they’re even getting the ones once thought to be safe.

There were 422 newly reported Internet security vulnerabilities in the second quarter of 2005, according to the SANS Institute. The number represents a 20 percent year-over-year and an 11 percent quarterly increase in reported vulnerabilities.

SANS’ quarterly update of the top 20 list of Internet vulnerabilities, released Monday, identifies the most critical of the 422 that resulted in widespread damage to both enterprise and home users. Six different vendors made the list, including Microsoft, Mozilla, Apple, Real Networks, Computer Associates and Veritas.

Rohit Dhamankar, editor of the SANS Top 20, noted on a morning conference call that the issues with backup software products from Computer Associates and Veritas were particularly worrisome.

At the end of June, US-CERT issued a Technical Cyber Security Alert warning that a previously disclosed vulnerability with the Veritas backup server was being actively exploited.

Backup software may just be the tip of the iceberg in terms of new attacks being waged against critical management applications.

“In the future we can expect to see more flaws being targeted against such class of products like management software and even licensing software,” Dhamankar said.

Another trend noted by SANS is the increasing number of client-side vulnerabilities, such as those appearing in Microsoft Internet Explorer and Mozilla Firefox, as well as Apple iTunes and Real Networks’ Real Player.

“Two of the products that people have been moving to to protect themselves had vulnerabilities,” Alan Paller, director of research for the SANS Institute, said. “Firefox and Mozilla browsers had multiple vulnerabilities this quarter and Apple — the company that people think of as the safe haven — had two separate updates fixing multiple security vulnerabilities.

“So as you can see there are no safe havens,” Paller added.

It’s not all necessarily doom and gloom, though.

Johannes Ullrich, chief technology officer at SANS’ Internet Storm Center (ISC), said that service scanning, the act of a user searching for ports on a remote server running a particular service, has declined by 30 percent.

Ullrich attributed the decline to an increase in the use of personal firewalls, which restrict port access and severely hamper a malicious user’s opportunity to scan for services.

Ullrich also noted that the ISC is seeing fewer attacks overall on Web servers like Apache or Microsoft IIS and more on applications that are installed on the Web servers.

All of the top 20 issues on SANS’ list have been patched by their respective vendors. Users, however, are apparently not patching their own systems as rapidly as one might expect.

Gerhard Eschelbeck, chief technology officer at Qualys, reported that the average time it takes to patch a vulnerability on the server side is 21 days. On the desktop side, it’s 62 days, he said, and that’s for enterprise and corporate users. But he noted that 62 days may be a bit optimistic, even when it comes to home users who likely take even longer to patch their systems.
