Zero-Day Attacks Top Year’s Threat List
Zero-day attacks (see definition under “Term of the Month”) have evolved from an abstract phenomenon to a regular occurrence in everyday applications.
The SANS (SysAdmin, Audit, Network, Security) Institute’s list, formerly called the Top 20 Security Vulnerabilities, was renamed the Top 20 Internet Attack Targets this year to better explain the nature of threats now faced.
The report states that vulnerabilities in Microsoft Office have tripled from a year earlier, with 45 serious or critical exploits found in the suites. "And about 20 percent of those were zero-day vulnerabilities. The striking thing is that users can get compromised by simply viewing malicious Office files," said Amol Sarwate, a collaborator with SANS on its list. "Hackers have shifted their targets to common users, and away from servers administered by sophisticated users."
Some of the usual suspects, like the Internet Explorer browser, Microsoft Windows and web applications, make SANS’ list this year, but new technologies are posing big risks as well.
Voice-over-Internet Protocol, or VoIP, is something researchers are keeping a close eye on. Attackers can actually intercept and sell company meeting minutes, add misleading messages or create massive outages in the traditional phone network.
"VoIP systems are a front door into a program that runs entire phone systems. Attackers can exploit VoIP to change what you hear and can cause huge outages," says Alan Paller, research director at the SANS Institute.
The organization says that along with exploiting security vulnerabilities for the purpose of information theft, Internet criminals are homing in on military and other public systems in the U.S., U.K., and Canada with increased spear-phishing attacks, which use e-mails designed to look credible.
These kinds of attacks explain why “human error” also made it onto the top 20 for the first time ever. Users continue to open these messages and click on links that expose their computers to criminals around the world.
Paller warns that cell phones and appliances like digital printers will be the next technological targets.
Read the entire SANS Institute list here.