More than 600 new Internet security vulnerabilities turned up in the first three months of 2005, and the top 20 are dominated by eight separate vulnerabilities involving Microsoft products, according to a new report from security research and education cooperative the SANS Institute.
The SANS quarterly report for 2005 says those and other vulnerabilities pose critical risks that must be addressed by patches and other defensive action, with those who don’t hit those flaws facing “a heightened threat” from remote hackers taking over their systems and using them for spam, porn, identity theft, and even industrial espionage.
The Microsoft flaws spotted in the first quarter include ActiveX code execution, cursor and icon handling overflow, and ActiveX “cross domain” vulnerability in Internet Explorer; a PNG file processing flaw in Windows Media Player and Windows/MSN Messenger; server message blockage in Windows XP Service Packs 1 and 2 and Windows 2000 Service Packs 3 and 4; Windows networks server flaws against Windows Server 2003, Server 2000 Service Packs 3 and 4, and Windows NT Server 4.0 Service Pack 6a; and, DNS cache “poisoning” in Windows NT and 2000 Service Packs 2 or earlier DNS service servers.
The last of those flaws also was spotted in Symantec’s Gateway Security, Enterprise Firewall, and VelociRaptor products, the SANS report said. Moreover, flaws were spotted in some of the world’s most prominent security software packages, including cases of buffer overflow when decoding certain types of files with Norton AntiVirus, F-Secure, TrendMicro, and McAfee antivirus products.
Buffer overflow flaws also were spotted in RealPlayer, iTunes, and Winamp media players.
"These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and in our offices," said SANS director of research Alan Paller, announcing the report findings. "We're publishing this list as a red flag for individuals as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected."
The director of NISCC, the British government’s cybersecurity and critical infrastructure office, Roger Cumming, agreed. "This . . . list of critical vulnerabilities highlights the need for administrators of IT systems to stay up-to-date with patches and advances in security architecture that product vendors have been implementing," he said.
"The SANS Top 20 list is a widely recognized bench mark for identifying the most critical security vulnerabilities," said Gerhard Eschelbeck, CTO and VP of Engineering at Qualys. "Threats are evolving at a much faster rate, necessitating regular updates to the list to ensure organizations have the most current information possible on critical security vulnerabilities."
"It is important to draw people's attention to these vulnerabilities because they could result in severe consequences if not properly resolved," said Marc Willebeek-LeMair, Chief Technology Officer of 3Com's TippingPoint division.
