In the nearly six months since the release of its last Top 20 vulnerabilities list, the SANS Institute has observed a sharp spike in zero-day flaws, many of them in programs long considered to be safe alternatives to Windows.
SANS researchers also saw a sizable increase in financially motivated zero-day attacks, as well as an ongoing problem with attacks exploiting Web application flaws.
"We've observed 80-90 flaws in Web applications a week," said Rohit Dhamankar, project manager for the SANS Top 20 effort and lead security architect for the TippingPoint division of Marlborough, Mass.-based 3Com Corp. "Immediately after the flaw is disclosed, public exploit code emerges that can compromise back-end data or the Web server quite easily."
The Bethesda, Md.-based institute noted eight trends in its spring update of the Top 20 vulnerabilities list:
The institute described spear phishing as an activity in which the attacker sends an e-mail to as many as one hundred employees. That e-mail appears to be sent by a senior officer and orders the recipient to download a piece of software, implying it is required for security.
"The software is actually a Trojan horse that escapes from the victim's computer, roams through the [network] … gathers and infiltrates important data and leaves a back door through which the attackers can return," the institute said.