BETHESDA, Md. -- 422 new Internet security vulnerabilities were discovered during the second quarter of 2005, according to SANS Institute and a team of experts from industry and government. This group has isolated the most critical vulnerabilities disclosed in Q2 that need to be addressed through patching and other defensive actions. Individuals and organizations that do not correct these problems face a heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, for industrial espionage, or for distributing spam or pornography.
The 422 new vulnerabilities discovered or reported during Q2 2005 represent an increase of 10.8% from the first quarter of 2005 (381) and an increase of nearly 20% from the second quarter of 2004 (352).
The new report provides a quarterly update to the SANS Top 20 Internet Security Vulnerabilities list (www.sans.org/top20/) published annually in the Fall. To be included in the new quarterly update, vulnerabilities must meet five requirements: (1) they affect a large number of users, (2) they have not been patched on a substantial number of systems, (3) they allow computers to be taken over by a remote, unauthorized user, (4) sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them, and (5) they were discovered or first patched during the second quarter (April through June) of 2005.
Particularly worrisome this quarter are the extensive vulnerabilities found in the most popular data backup products. Backup products are designed to prevent catastrophes by recording copies of important data and allowing those copies to be stored in a safe place. Unfortunately, those products have become easy targets for attackers, and since they have access to substantially all of an organization's data, the products' weaknesses create real danger.
Home users face heightened risk from new vulnerabilities in iTunes and RealPlayer, along with a seemingly endless stream of new vulnerabilities in Microsoft's Internet Explorer web browser.
Any person or organization running the vulnerable software products should ensure that they or their computer support professionals have corrected the problems listed. (The vulnerable software packages are listed at the end of this release and details on each of the vulnerabilities and instructions on correcting them may be found at www.sans.org/top20/Q2-2005update)
"These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and in our offices," according to Alan Paller, Director of Research for SANS Institute.
"We're publishing this list as a red flag for individuals as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected."
SANS is not acting alone in drawing attention to these critical vulnerabilities.
"IT administrators need to keep right up to date," said Roger Cumming, Director of NISCC, the British Government's Cybersecurity and Critical Infrastructure office, "to protect their systems from emerging vulnerabilities. SANS has done its usual excellent job in listing the highlights, and security professionals should waste no time installing vendor patches."
"An increase of 11% in the number of new vulnerabilities discovered since the last quarter is significant; this is why we need these quarterly updates," said Gerhard Eschelbeck, CTO and VP of Engineering at Qualys.
"With up-to-date information, security professionals can immediately address new vulnerabilities, such as the ones recently discovered in popular desktop applications."
"Addressing vulnerability is the chief way that an organization can reduce its overall cyber risk in the face of varied and unpredictable threats," said Julie Spallin, Director of the Canadian Cyber Incident Response Centre.
"The SANS Top 20 can help organizations focus their limited resources on the most pressing vulnerabilities so as not to become a target of opportunity."
"We are seeing a trend to exploit not only Windows, but also other vendors' programs that are installed on a potentially large number of systems," says Rohit Dhamankar, Manager of the Digital Vaccine research team at 3Com's TippingPoint division.
"These include backup software, management software, licensing software, etc. Flaws in these programs put critical resources at risk, as well as having the potential to compromise the entire enterprise."
"It is important to draw people's attention to these vulnerabilities because they could result in severe consequences if not properly resolved," adds Marc Willebeek-LeMair, Chief Technology Officer of 3Com.
These critical new vulnerabilities have been selected from data compiled for @RISK, the free, authoritative vulnerability summary issued by SANS (and co-authored by experts from TippingPoint and Qualys) each week to more than 120,000 security professionals around the world. These critical new vulnerabilities represent only those vulnerabilities first discovered or patched during the second quarter of calendar year 2005.
The team that collaborated to compile the Quarterly Vulnerability Update to the Top 20 includes representatives from seven key security organizations:
inside knowledge of commonly used attack vectors because it is the firm most commonly called in, after attackers have penetrated large banks and other companies, to identify how the attacks were carried out and what must be done to stop future attacks using that same path.
SANS Institute was established in 1989 and has become the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system -- Internet Storm Center. SANS Institute began as a cooperative research and education organization and now reaches more than 165,000 security professionals, auditors, system administrators, network administrators, chief information security officers, and CIOs. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community. Further information about SANS is available at http://www.sans.org/about.