SANS Top 20 internet security risks report published
The annual SANS Top 20 security risks report for the period November 2006 - October 2007 has been released, and will be up for public discussion later today (Wednesday) in London. As usual, the report contains a substantial body of detail, listing among other things the CVE references of important vulnerabilities.
According to SANS, although fewer operating system vulnerabilities have been reported than in previous years, security flaws in applications are increasingly being discovered and exploited. SANS considers that "attackers are finding more creative ways to obtain sensitive data from organizations" and that vulnerable default configurations are still prevalent and widely used.
Almost half the vulnerabilities reported in 2007 affected web applications, allowing web sites to be breached and contaminated for phishing and malware distribution. The volume of vulnerabilities in web browsers, client-side helper applications and office applications has also increased. For example, almost four times as many Microsoft Office vulnerabilities were reported in 2007 as in the previous year; interestingly, the majority of these (and the greatest increase) related to the Excel spreadsheet application, which suffered 13 in 2007 and only one in 2006.
Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have been discovered. Insecure application services implemented as Service Control Programs (SCP), which run by default from system restart, are identified as a major avenue for attacks.
UNIX and Mac OS X seem to have come out relatively smelling of roses this year as far as SANS is concerned. Users are recommended to review their configuration and eliminate unnecessary services in order to reduce the target area for attackers, but the report only lists 20 CVE references for these platforms, of which 12 relate to kernel, libraries and services. This, however, is somewhat at odds with the experience of heise Security, which has noted many more patches for services under Unix and Mac OS X this year.
On the web front, SANS singles out PHP remote file includes, SQL injection, cross-site scripting (XSS) and cross-site request forgery as the dominant exploit types, identifying poor security understanding on the part of web application programmers and failure to update and patch hosting systems as the key culprits.
Disturbingly, security products, including both backup software and anti-virus, feature quite strongly in this year's report. Three backup products contribute 18 CVE references, and anti-virus packages by no fewer than 13 vendors are represented by between one and five CVE references each. The report points out that vulnerabilities found in products by seven vendors could be used to gain complete control of a system, or in some cases even a gateway.
Database systems have in general not fared well either. Numerous vulnerabilities are referenced for IBM products, MS SQL Server, Oracle, and PostgreSQL. However, MySQL and Sybase have survived unscathed this year.
The security policy and personnel section is mostly advisory in nature, but it does include some disturbing statistics. The report estimates somewhat loosely that between 1 and 50 million systems were running the Storm worm as of September 2007, and quotes numbers of personal IDs exposed by seven US companies and state agencies due to loss of unencrypted data, running to hundreds of thousands in most cases. Unauthorised devices and software and excessive user rights remain key problems, and poor user awareness still contributes to the success of phishing attacks.
The report ends with brief sections on VoIP security and zero-day attacks, both including CVE references of significant example vulnerabilities.