Analysts Warn that Hackers Are Turning to Client Apps

The recent Sony drama highlights a looming rootkit security threat.

IT administrators who are inclined to dismiss the dust storm that has blown up over Sony BMG Music Entertainments digital rights management rootkit might want to reconsider.

Vulnerabilities in Web and client/server applications are becoming the new battleground in the war against malicious hackers, as holes in network perimeters and Web servers become harder to find and exploit.

Thats the good news, but shoring up applications against security vulnerabilities will be harder than plugging holes in Web servers or network firewalls, security experts agree.

Vulnerability research by Qualys Inc., of Redwood Shores, Calif., shows a significant shift from server to client vulnerabilities in the last year, said Chief Technology Officer Gerhard Eschelbeck, who has been using data from Qualys automated scans to study patterns in vulnerability disclosure and response for more than two years.

"In the early years, we saw vulnerabilities in Web and mail servers or operating systems. This year, theres been a strong shift to client-side vulnerabilities affecting browsers, media players, anti-virus and backup products," Eschelbeck said.

At The SANS Institutes Internet Storm Center, experts who monitor the Internet for attacks have also noticed an increase in those vulnerabilities, said Johannes Ullrich, CTO of ISC, in Bethesda, Md.

In general, the shift to applications is good news. Attacks on applications are harder to automate than those on Internet-facing servers. They often require user interaction to work, too, Eschelbeck said.

However, that is not always true. Alex Wheeler, an independent security researcher in Chicago, has been researching holes in anti-virus programs and says that he found a large number of unknown and unpatched holes in anti-virus software by Symantec Corp., McAfee Inc. and others, including memory corruption and buffer overflow vulnerabilities. If exploited, the holes could allow a remote attacker to take control of affected systems without any user interaction.

Wheeler blames lax coding practices for many of the holes. "Anti-virus companies dont spend enough money on code review," he said.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

The growth of Web services and the inexorable march of client/server applications to the Web are partially to blame for the increase.

E-commerce companies are particularly vulnerable to the application holes because Web-based shopping carts have to talk to back-end customer databases, inventory and tracking systems, Ullrich said.

Application security experts at Cenzic Inc. said they frequently find sloppy coding in their audits of Web-based applications.

Buffer overflow, cross-site scripting and SQL injection vulnerabilities are disturbingly common and throw open the doors to remote attackers or insiders, said officials at the Santa Clara, Calif., company.

At SPI Dynamics Inc., another application security vendor, based in Atlanta, auditors have turned up an epidemic of so-called blind SQL injection vulnerabilities.

The flaws are created by Web administrators who block application error messages.

Application holes on clients and servers are definitely garnering more attention from the U.S. military.

However, current layered security measures, such as desktop and server anti-virus, firewall and anti-spyware, are considered adequate to handle the problem, said Arthur Merar, a database administrator for the U.S. Navy who is also based in Chicago and manages about 70 Oracle databases.

Pains in the app

Some of the latest application holes to raise the hackles of enterprise IT staff:

* Sony BMGs XCP copy protection Used ham-fisted rootkit code to hide every file name that began with the characters "$sys$"; virus writers soon released worms and Trojan horse programs to leverage the XCP cloaking features

* Symantec/Veritas NetBackup A buffer overflow vulnerability in a file used by NetBackup clients and servers

* Macromedia Inc.s Flash Player A buffer overflow in some versions of the Macromedia Flash Player

* Skype Technologies S.A.s Skype A critical buffer overflow vulnerability in versions of the free Internet phone app

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.