Vulnerability hunters continue to find plenty of problems in Windows. But they're also finding a disturbing number of cracks in media players and in the very software users rely on to secure their machines. That's what the SANS Institute found after updating last year's Top 20 Internet Security Vulnerabilities list.
"Four to five years ago almost all the vulnerabilities were being found in the operating systems," said Alan Paller, director of research for the Bethesda, Md.-based institute. "Now a big chunk of it is being found in data storage and other applications. We're seeing more vulnerabilities in products from security vendors and in the media players."
He said those flaws aren't getting fixed quickly enough. While enterprise IT professionals are more aware, Paller said home users aren't thinking about it and are increasingly vulnerable. In turn, flawed software in household machines puts enterprises at greater risk.
"I don't know of a way to get people to change their behavior," Paller said. "But hopefully we can keep the temperature higher so vendors will want to fix problems more quickly."
To that end, the SANS Top 20 Internet Security Vulnerabilities list that comes out each October will now be updated quarterly. The first such update was revealed this morning. It outlines flaws in products from Microsoft, Computer Associates and Oracle and from such security vendors as Symantec, Trend Micro, McAfee and F-Secure. Media players such as RealPlayer, iTunes and WinAmp also made the list.
More than 600 new Internet security vulnerabilities were uncovered in the first quarter of 2005. To be included on the new quarterly update, SANS said vulnerabilities must:
- Affect a large number of users;
- Be something that has not been patched on a substantial number of systems;
- Allow computers to be taken over by a remote, unauthorized user;
- Be something for which sufficient exploit details have been posted to the Internet; and
- Be something that was discovered or first patched in the first three months of 2005.
Gerhard Eschelbeck is CTO and vice president of engineering at Redwood Shores, Calif.-based security firm Qualys, which helps SANS track the vulnerability landscape. Asked why the quarterly updates are important, he said, "Threats are evolving at a much faster rate, necessitating regular updates to the list to ensure organizations have the most current information possible on critical security vulnerabilities."
Here's a breakdown of flaws listed in Monday's update:
- Vulnerabilities in Microsoft Internet Explorer included a DHTML Edit ActiveX control remote code execution flaw; a cursor and icon handling overflow; and an HTML Help ActiveX control cross-domain vulnerability. Affected machines could be hit by spyware, keystroke loggers and remote control software downloaded when the user visits malicious Web sites.
- Windows Media Player, Messenger and MSN Messenger had .png file processing flaws attackers could use to take over machines when the user downloads a malicious media file from a Web site or opens a malicious picture using MSN or Windows Messenger.
- Windows XP SP1 and SP2, Windows 2000 SP3 and SP4, and Windows Server 2003 suffered from a Server Message Block (SMB) flaw attackers could exploit to take over machines using a malicious Web server.
- Windows NT Server 4.0 SP6a and Terminal Server Edition SP6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 suffered from a License Logging Service overflow attackers could exploit to hijack computers by sending specially crafted packets to the machine.
- A DNS cache poisoning vulnerability appeared in Windows NT and Windows 2000 (prior to SP3) DNS servers, as well as in Symantec Gateway Security (Anti-Virus and Anti-Spam), Enterprise Firewall and VelociRaptor. Attackers could exploit this to direct users to malicious Web sites, which in turn could exploit Internet Explorer vulnerabilities to install spyware.
- Antivirus products from Symantec, F-Secure, Trend Micro and McAfee contained buffer overflow flaws in the decoding of certain types of files. Remote attackers could exploit these to take over computers running the products.
- In January, Oracle issued patches for flaws in Application Server 9i and 10g and Collaboration Suite Release 2 that remote attackers could exploit to gain control of computers and sensitive information. The update also addressed lesser flaws in the Oracle Database and E-Business Server.
- Computer Associates products running License Manager contained license-package buffer overflow vulnerabilities attackers could exploit to take over affected computers.
- Buffer overflow flaws in the RealPlayer, iTunes and WinAmp media players could be exploited if users visited Web sites infected with malcode.