2006 Spring Update on SANS Top 20 Internet Security Vulnerabilities


Guest LilBambi

2006 Spring Update on SANS Top 20 Internet Security Vulnerabilities Shows Marked Increase in Zero-Day Attacks and Growth in Attacks on Apple OS/X

Contact: Alan Paller, paller@sans.org, 301-951-0102x108

Technical details on specific vulnerabilities >>

WASHINGTON, DC. -- The SANS Institute today announced updates to the Top 20 Internet Security Vulnerabilities. The 2006 Spring Update enables cyber security professionals to tune their defensive systems to reflect the most important new vulnerabilities that attackers are exploiting to take over computers and steal sensitive or valuable information.

Eight major trends are listed in the update:

1. Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability (OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.)
2. Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side software, including the WMF vulnerability and Internet Explorer flaws, listed in Trend #3.
3. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer.
4. Rapid growth in critical Firefox and Mozilla vulnerabilities.
5. Surge in commodity zero-day attacks used to infiltrate systems for profit motives.
6. Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses, and backup data (Oracle, Veritas Back-Up and SQL Injection attacks).
7. A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and more.
8. A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites.

Several of the world's top cyber security experts joined forces to ensure the latest and best available information is embodied in the consensus update:

* Rohit Dhamankar, Editor, @RISK and the SANS Top 20, and Manager, Security Research, TippingPoint, a division of 3Com
* Dr. Johannes Ullrich, Chief Technology Officer, SANS Internet Storm Center
* Gerhard Eschelbeck, Chief Technology Officer, Webroot
* Amol Sarwate, Manager, Vulnerability Management Lab, Qualys
* Ed Skoudis, SANS "Hacking Exploits" Course Director and Senior Security Analyst, Intelguardians
* Alan Paller, Director of Research, SANS Institute