Microsoft, Zero-Day Flaws Dominate SANS Vulnerability Rankings

Zero-day defects and holes in popular Microsoft products remain atop the SANS Institute's latest rankings of the world's top Web-based hacker targets, with VOIP attacks and government spying programs also reported to be on the rise.

The SANS Institute released its annual rankings of the Top 20 Internet-based attack vectors on Nov. 15, pointing to the continued rise of targeted threats aimed at newly discovered zero-day flaws and vulnerabilities in Microsoft products.

Among the other trends highlighted by SANS, a Washington, D.C.-based cooperative research and education group focused on IT security issues, are the continued proliferation of threats aimed at specific companies and growing evidence that governments are employing hackers to gather sensitive data from other countries.

Other shifts in the threat landscape charted by SANS include the more frequent creation of attacks on Internet-based phone systems and the increased popularity of threats that attempt to take advantage of vulnerabilities in Web-based applications.

Vulnerabilities in products made by software giant Microsoft represent the overwhelming majority of SANS list of operating system-oriented attack targets. The companys Internet Explorer Web browser remains the most popular object for threats such as malware attacks, followed by the data libraries in its Windows products, flaws present in Microsoft Office, glitches in Windows services, and other weaknesses in the configuration features of its dominant operating system.

/zimages/6/28571.gifMicrosoft has released a critical cumulative update for Internet Explorer that fixes a flaw that was being used in targeted zero-day attacks. Click here to read more.

Apples Mac OS X software and loopholes in the configuration functions of UNIX-based technologies rounded out the groups list of the most popular operating system targets, of which there were seven in total.

Cross-platform applications accounted for the most significant share of the vulnerability rankings. With eight targets listed overall, the category actually led the list of frequent attack points.

Web applications remain the most fashionable target for hackers in the genre, followed by vulnerabilities in database software, P2P (peer-to-peer) file sharing systems, instant messaging tools, media players, DNS (Domain Name System) servers, backup software applications and IT systems management servers.

Rounding out the 2006 SANS Top 20 were vulnerabilities in two types of network devices, specifically flaws in VOIP (voice over IP) systems and configuration weaknesses in other network hardware, along with two types of common security policy breaches—namely the existence of excessive user rights within networks and social engineering problems such as phishing schemes. Zero-day attacks were given their own designation in the rankings.

In addition to the well-publicized shift toward attacks that aim to steal money from businesses and users, compared to the defacement and denial-of-service threats of years past, hackers are working hard to ensure that their work remains hidden as long as possible, said Marc Sachs, director of the SANS Internet Storm Center research group. Sachs is also a security expert at the research group SRI International.

"Weve come from a world of disruptive behavior that was easy to see, with the trend moving toward value orientation from criminals who dont want their work to be noticed," Sachs said in a conference call. "The most effective way for them to do that is to use vulnerabilities that targets have no means of patching, or zero-day attacks, and we expect the amount of activity along those lines to continue to increase."

SANS experts contend that in addition to the ready availability of Windows vulnerabilities, users habits in utilizing Microsofts Office productivity software are contributing to the popularity of threats aimed at the companys products. Since workers feel comfortable viewing Microsoft PowerPoint documents and other files over the Web, there will continue to be more attacks that seek to take advantage of those systems, said Amol Sarwate, manager of security service provider Qualys Vulnerability Management Lab, in Redwood Shores, Calif.

According to Sarwate, the number of attacks targeting Microsoft vulnerabilities tripled over the last 12 months.

In the realm of VOIP attacks, experts said that there is also much for businesses to be concerned about. Among the threats highlighted for SANS by Rohit Dhamankar, senior manager of security research at 3Coms TippingPoint division, in Austin, Texas, were attacks on VOIP phones that have poorly configured interfaces and "weak" passwords, which could allow hackers to eavesdrop on callers or use the compromised devices to host phishing schemes.

Dhamankar said that SANS is also charting an increase in scams that aim to infiltrate VOIP systems with the goal of allowing outsiders to resell peoples calling minutes, and threats aimed at Internet telephony servers. The latter, he said, could present hackers with a new opportunity to impact telecommunications systems.

"Something more sinister, not yet exploited in the wild, will be if hackers can use compromised VOIP servers to connect to traditional phone systems, which have never been accessible to them before," Dhamankar said. "Especially in the service provider environment, hackers could craft attacks on traditional phone networks; as more vulnerabilities are found in VOIP servers, the risk of these types of attacks [is] growing significantly."

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.