Applications the Target of Security Attacks, SANS Says
by Alex Woodie
Flaws in Windows operating systems continue to provide a broad attackable surface for hackers and malicious code like viruses and worms to do their dirty work, but vulnerabilities in applications, including databases, antivirus, and backup software, and network devices increasingly are being exploited, according to SANS Institute, which released its annual Top 20 list of Internet security vulnerabilities last week.
Since 2002, SANS' Top 20 list has been split into two components, including the top 10 security vulnerabilities for Windows and the top 10 security vulnerabilities for Unix. (It debuted in June 2000 as a top 10 list that was not OS-specific.) That changed last week with the debut of its sixth Top 20 list, which features categories for "cross-platform applications" and "networking products," in addition to the Windows and Unix categories. The change was made to reflect "the dynamic nature of the evolving threat landscape and the vulnerabilities that attackers target," the group says.
This is good news for Microsoft, which has been pouring resources into making Windows more secure for the last several years. While Windows XP and Windows Server 2003 are not without their security flaws, they are considerably more secure than their predecessors. By just turning off some Windows services by default, these operating systems are more secure than Windows 2000 and Windows NT, according to the SANS (SysAdmin, Audit, Network, Security) Institute list. The last round of service packs for Windows XP and Windows Server 2003 further bolstered that security, and Microsoft tells us the next releases of the OS, Windows Vista and the as-yet-unnamed server version of that operating system (still referred to as Longhorn Server), will take security up another notch.
However, if we're comparing the number of operating system flaws on this year's top 20 list compared to past years, it should be noted that five critical Windows problems are on the list this year, compared to just two for Unix--one for Apple's Mac OS X, and one for general configuration weaknesses in Unix. Windows still has a ways to go, and this year's Top 20 list lays out the biggest Windows security concerns, including all those Windows Services that are still allowing viruses and hackers into systems, the perennially security-challenged Internet Explorer browser, the wealth of attack vectors provided by Windows Libraries, the Microsoft Office and Outlook Express productivity apps (which will always be on the list because it's what everybody uses and, therefore, what attackers target), and configuration weaknesses in Windows, including poor choices in default passwords.
While securing Windows must remain a priority for Microsoft, the software behemoth is allowed to breathe a slight--we're talking microscopic here--sigh of relief, as it appears that the rising tide of vulnerabilities, exploit code, and attacks focused on Windows has peaked, and the Internet's ne'er-do-wells have moved onto greener pastures, at least for the time being.
That's a conclusion that can be drawn from the SANS list, which paints a picture of a threat landscape that has shifted from operating systems to applications. Many of the products on the list are applications that businesses rely on for their daily data processing needs, including backup software, which has grown in importance as companies consolidate their servers and data sets. In the last year, a number of critical vulnerabilities have been found in backup software products, including the Veritas products from Symantec, Computer Associates' BrightStor, EMC's Legato software, Sun Microsystems' StorEdge, Arkeia Network Backup Software, and BakBone's NetVault, according to SANS.
Other security-related products afflicted with security problems of their own are antivirus scanners. Because of their deep kernel-level integration with the operating system, vulnerabilities in antivirus software can present an especially pernicious problem. In the last year, flaws have been found in just about every major antivirus product on the market, including buffer overflow flaws and "evasion" attacks; check out www.sans.org/top20#2 for a list of all 15 affected products.
Databases are also at risk, according to SANS. Because this is where the crown jewels of an organization are held, every step should be taken to rectify database vulnerabilities as soon as they're discovered. And there has been no shortage of them over the last year, according to SANS, with flaws discovered in the products of the Big 3 database vendors: IBM DB2, Microsoft SQL Server, and Oracle's eponymous database.
Web applications written in the PHP scripting language are also being targeted by attackers. With PHP apps running on 50 percent of the world's Web servers running Apache (which, in turn, is used on about 75 percent of the world's Web servers, according to Netcraft), security flaws in PHP provide a very attackable target. There has not been a single week during the last year that a problem was not reported in some software using PHP, SANS says. To protect your PHP applications, apply vendor patches as soon as they're available, regularly scan your systems with vulnerability scanning tools, and ensure that your applications are properly configured. (See SANS' "How to Protect against PHP Vulnerabilities" for configuration tips.)
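As an added illustration of the "properly configured" step above (this is not code from the article or from the SANS guide it cites), the following POSIX shell script audits a php.ini for a few directives that, when switched on, widened the attack surface of PHP 4/5-era applications, and then writes a hardened copy. Which directives to check is my own assumption rather than a list taken from SANS, and the php.ini it audits is a constructed sample embedded in the script.

```shell
#!/bin/sh
# Added example, not code from the article or from SANS: audit a php.ini for
# directives whose "On" values weaken a PHP 4/5-era deployment, then emit a
# hardened copy. The directive list is an assumption, not SANS' list.

# Directives this script treats as weak when explicitly enabled (assumption).
WEAK_DIRECTIVES="register_globals display_errors allow_url_fopen expose_php"

# make_sample_ini FILE: write a constructed php.ini (not any real server's
# configuration) so the script runs offline.
make_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini
engine = On
register_globals = On
display_errors = On
allow_url_fopen = On
expose_php = On
safe_mode = Off
EOF
}

# php_ini_value FILE DIRECTIVE: print the last uncommented value, lowercased,
# or "unset" when the directive never appears (comments start with ';').
php_ini_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d '[:space:]"' | tr 'A-Z' 'a-z')
    [ -n "$v" ] && echo "$v" || echo unset
}

# is_enabled VALUE: PHP accepts several spellings of "true".
is_enabled() {
    case "$1" in on|1|true|yes) return 0 ;; *) return 1 ;; esac
}

# count_weak_settings FILE: print one finding per weak directive on stderr
# and the number of findings on stdout (0 means nothing flagged).
count_weak_settings() {
    n=0
    for d in $WEAK_DIRECTIVES; do
        v=$(php_ini_value "$1" "$d")
        if is_enabled "$v"; then
            echo "WEAK: $d = $v (set it to Off)" >&2
            n=$((n + 1))
        elif [ "$v" = unset ]; then
            echo "NOTE: $d not set; PHP's built-in default applies, verify it" >&2
        fi
    done
    echo "$n"
}

# harden_php_ini IN OUT: copy IN to OUT with each weak directive forced to Off.
# A temp file is used instead of sed -i, which is not POSIX.
harden_php_ini() {
    cp "$1" "$2"
    for d in $WEAK_DIRECTIVES; do
        sed "s/^[[:space:]]*$d[[:space:]]*=.*/$d = Off/" "$2" > "$2.tmp" &&
            mv "$2.tmp" "$2"
    done
}

# Usage when run directly:
#   make_sample_ini /tmp/php.ini
#   count_weak_settings /tmp/php.ini            # prints 4 for the sample
#   harden_php_ini /tmp/php.ini /tmp/php.hardened.ini
#   count_weak_settings /tmp/php.hardened.ini   # prints 0
```

The audit only flags values that are explicitly enabled; a directive that is absent falls back to PHP's compiled-in default, which differs between PHP versions, so the script reports those as "verify" rather than guessing. Run the same check against the file your Web server actually loads (php.ini locations vary by distribution), not a copy that happens to be in the source tree.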
Flaws in DNS products round out the list of products that are likely to be used in a corporate data center. Symantec's firewalls, Microsoft's DNS servers, and the Linux-based DNSmasq utility were all afflicted with flaws in the last year, according to SANS. Consumer and desktop apps make up the rest of the cross-platform area of the SANS list, including the usual suspects like file sharing programs, instant messengers, and media players. The Mozilla Firefox Web browser, which was unfurled about a year ago (and which is about to be updated to version 1.5), also gains a seat on the SANS list as a result of its several security flaws and its rapidly growing installed base.
Three networking products also gain a spot on SANS' wall of shame, including networking behemoth Cisco, whose Internetwork Operating System (IOS) powers 85 percent of the routers and switches running the Internet backbone. While IOS-based devices have enjoyed a reputation for security and robustness, they are not without their flaws. In fact, there have been five security flaws discovered in IOS in the last year, including three denial of service vulnerabilities and two remote code execution problems. Factory settings for IOS gear are also not secure by default; see the 20th entry in this year's list, Cisco Devices Configuration Weaknesses, for more on that.
The second largest provider of networking gear, Juniper Networks, has also shipped products with security flaws, according to SANS. Joining Juniper on this list are Check Point firewall and VPN products and Symantec firewalls.