Internet security 'back to the Stone Age'

The Twenty Most Critical Internet Vulnerabilities (Updated) – The Experts Consensus

Cybercriminals in 2005 changed the security landscape by attacking client applications and network operating systems that don’t receive automatic security patches, international computer experts said today.

Aside from antivirus software, none of the new targets have automatic patching updates, said Alan Paller, director of research at the SANS Institute, a training and education organization for security professionals.

The institute released today the latest update to its 20 Most Critical Internet Security Vulnerabilities in 2005 report.

“That means we’re back to the Stone Age” of five years ago, before automated patching, when everyone had to find vulnerabilities and patch them manually, Paller said. “Those days are back in spades.”

The institute, the U.S. Computer Emergency Readiness Team and Britain’s National Infrastructure Security Co-ordination Centre explained the repercussions of findings from the institute’s report.

Ten of the vulnerabilities were in cross-platform applications installed on millions of systems, including backup software, antivirus software, database software and media players. Three affected network operating systems that control routers, switches and other devices that form the Internet’s backbone.

In the past 12 months, those new types of attacks represented 65 percent of the worst threats, up from none in 2004.

Attackers have moved from server-side attacks to client-side attacks, said Rohit Dhamankar, leader of the SANS Institute team and a security architect at 3Com’s TippingPoint. The greatest concerns are attacks on backup software, browser software and media players, he said.

Sixty percent of the vulnerabilities affect client-side applications, said Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys.

The shift from attacking server applications to client applications shows that much of the “low-hanging fruit” cybercriminals go after has been taken care of on the server side, he said.

Unfortunately, Eschelbeck said he sees “unlimited room” for finding vulnerabilities in client applications in the foreseeable future.

In addition, three of the four categories of threats in this year’s list have to do with configuration weaknesses, Eschelbeck noted.

“Some simple basic security configuration issues are being missed out there” and could be resolved by prioritized and scheduled patching, he said.

Several industry giants, including Cisco Systems and Microsoft, were mentioned as vulnerable to these new kinds of attacks.

Sanjay Beri, director of product management for the emerging technologies group at Juniper Networks, said the SANS report is useful but is not completely up to date.

"The specific items the report mentions concern old versions of the Junos operating system, and fixes have been available for these few items since the vulnerabilities were discovered" in February 2005, Beri said.