Lavasoft News - December 2006

Zero-Day Attacks Top Year’s Threat List

Zero-day attacks (see definition under “Term of the Month”) have evolved from an abstract phenomenon to a regular occurrence in everyday applications.

The SANS (SysAdmin, Audit, Network, Security) Institute’s list, formerly called the Top 20 Security Vulnerabilities, was renamed the Top 20 Internet Attack Targets this year to better explain the nature of threats now faced.

The report states that vulnerabilities in Microsoft Office have tripled from a year earlier, with 45 serious or critical exploits found in the suites. "And about 20 percent of those were zero-day vulnerabilities. The striking thing is that users can get compromised by simply viewing malicious Office files," said Amol Sarwate, a collaborator with SANS on its list. "Hackers have shifted their targets to common users, and away from servers administered by sophisticated users."

Some of the usual suspects like Internet Explorer browser, Microsoft Windows and web applications make SANS’ list this year, but new technologies are posing big risks as well.

Voice-over-Internet Protocol, or VoIP, is something researchers are keeping a close eye on. Attackers can actually intercept and sell company meeting minutes, add misleading messages or create massive outages in the traditional phone network.

"VoIP systems are a front door into a program that runs entire phone systems. Attackers can exploit VoIP to change what you hear and can cause huge outages,” says Allan Paller, research director at the SANS Institute.

The organization says that along with exploiting security vulnerabilities for the purpose of information theft, Internet criminals are honing in on military and other public systems in the U.S., U.K., and Canada with increased spear-phishing attacks, e-mails designed to look credible.

These kinds of attacks also explain why “human error” also made it onto the top 20 for the first time ever. Users continue to open these messages and click on links that expose their computers to criminals around the world.

Paller warns that cell phones and appliances like digital printers will be the next technological targets.

Read the entire SANS Institute list here.

Home


Zero-Day Attacks Top Year’s Threat List Zero-day attacks (see definition under “Term of the Month”) have evolved from an abstract phenomenon to a regular occurrence in everyday applications. The SANS (SysAdmin, Audit, Network, Security) Institute’s list, formerly called the Top 20 Security Vulnerabilities, was renamed the Top 20 Internet Attack Targets this year to better explain the nature of threats now faced. The report states that vulnerabilities in Microsoft Office have tripled from a year earlier, with 45 serious or critical exploits found in the suites. "And about 20 percent of those were zero-day vulnerabilities. The striking thing is that users can get compromised by simply viewing malicious Office files," said Amol Sarwate, a collaborator with SANS on its list. "Hackers have shifted their targets to common users, and away from servers administered by sophisticated users." Some of the usual suspects like Internet Explorer browser, Microsoft Windows and web applications make SANS’ list this year, but new technologies are posing big risks as well. Voice-over-Internet Protocol, or VoIP, is something researchers are keeping a close eye on. Attackers can actually intercept and sell company meeting minutes, add misleading messages or create massive outages in the traditional phone network. "VoIP systems are a front door into a program that runs entire phone systems. Attackers can exploit VoIP to change what you hear and can cause huge outages,” says Allan Paller, research director at the SANS Institute. The organization says that along with exploiting security vulnerabilities for the purpose of information theft, Internet criminals are honing in on military and other public systems in the U.S., U.K., and Canada with increased spear-phishing attacks, e-mails designed to look credible. These kinds of attacks also explain why “human error” also made it onto the top 20 for the first time ever. Users continue to open these messages and click on links that expose their computers to criminals around the world. Paller warns that cell phones and appliances like digital printers will be the next technological targets. Read the entire SANS Institute list here. Home		offer ends 31/12/2006 In the spirit of giving this holiday season Lavasoft is giving you 15% off all Ad-Aware SE products – Plus, Professional and Enterprise – the entire month of December. Take advantage of this merry deal and keep yourself and your loved ones spyware free! Please enter the following coupon code to retain your rebate: zz46tv12x8c Holiday Shopping Stats American consumers will spend more than $32 billion in holiday Internet purchases this year. Source: Jupiter Research As many as 12 million people could fall prey to ID theft in some form – 40% of them between mid-Nov. and Jan.1. Source: LifeLock Inc. Term of the Month A zero-day attack is a virus or other exploit that takes advantage of a newly discovered hole in a program before the developer has made the fix available, or sometimes even before they are aware the hole exists. "Zero-day" is the day you open the virus-infected e-mail or get hit by a drive-by download because the anti-virus or anti-spyware software you keep up-to-date knew nothing of the attacks. Read more at Wikipedia here. Tech Tips Attention Windows Users: If Microsoft Windows is your main operating system, be sure to visit Microsoft Security Updates and stay on top of all of the security patches that Microsoft releases on a monthly basis. Ongoing Microsoft vulnerabilities underscore the need to: 1) Regularly update your operating system with the latest patches, and 2) Maintain active virus, hacker, spyware and other identity theft protection. Lavasoft AB Lilla Bommen 1 411 04 Gothenburg Sweden www.lavasoft.com editor@lavasoft.com