The range of threats facing IT departments is clearly
demonstrated by the variety of vulnerabilities exposed by US
security research organisation the Sans Institute, as reported last
week by Computer Weekly. Here we give details of 12 new critical
vulnerabilities which the Sans Institute has revealed.
They are the most critical flaws among 600 security
vulnerabilities discovered by researchers during the first quarter
of 2005. Twelve of them rank in the Sans Institute's Top 20 list of
the most critical vulnerabilities.
Left unfixed they could be exploited by hackers to run malicious
code, read confidential files or gain administrator privileges over
unpatched machines.
The institute has advised organisations to check that they have
patched the 12 most critical problems, and if not, to do so within
two weeks. Research by security supplier Qualys suggests that even
the most security conscious organisations have failed to patch
between 30% and 70% of known problems.
From this month, the Sans Institute has begun to issue details
of the top 20 security vulnerabilities every quarter, rather than
annually, reflecting the growing priority of patching for
organisations.
"A lot of companies are using the Sans Top 20 as a determinate
of whether or not they have checked for critical vulnerabilities,"
said Alan Paller, research director at the Sans Institute. "We
think quarterly is reasonable for companies to go back and make
sure people got rid of them."
The vulnerabilities cover a wide range of software packages and
operating systems, including Microsoft Internet Explorer, Windows
XP Service Packs, and Oracle Application Server 9i and 10g.
Latest critical vulnerabilities in the Sans Institute Top 20
The Sans Institute has added 12 new critical security
vulnerabilities to its top 20 list. They include:
Client-side vulnerabilities
These attacks typically require some user action to exploit the
vulnerability, such as browsing a website, or opening an
e-mail.
- Internet Explorer vulnerabilities (MS05-014 and MS05-008)
- Microsoft HTML Help ActiveX control vulnerability (MS05-001)
- Microsoft DHTML Edit ActiveX remote code execution (MS05-013)
- Microsoft cursor and icon handling overflow (MS05-002)
- Microsoft PNG file processing vulnerabilities (MS05-009)
- Media player buffer overflows (RealPlayer, Winamp and iTunes).
Some of these vulnerabilities can be triggered when users
download playlists or other media files that carry malicious
code. A hacker, for example, could use an overlong URL in a playlist
file to trigger a buffer overflow and execute a key logger.
Server-side vulnerabilities
A hacker can exploit these vulnerabilities by sending a specially
crafted request to the server, in order to take control of the
vulnerable system or execute programs on it.
Computer Associates Licence Manager buffer overflows
Multiple buffer overflows in Computer Associates Licence Client
and Server could allow remote attackers to execute malicious code.
The software is used in various Computer Associates products.
Oracle critical patch update
Vulnerabilities have been identified in Oracle Application
Server and Oracle Collaboration Suite. These could allow attackers
to compromise the system and gain database administration
privileges.
Microsoft Windows licence logging service overflow (MS05-010)
The licence logging service does not properly validate the
length of incoming messages. Remote attackers could crash
machines through denial of service attacks and possibly execute
malicious code.
DNS cache poisoning
Vulnerabilities in various Symantec products may allow hackers
to redirect users to malicious web sites, rather than the site they
are trying to log on to.
Anti-virus buffer overflow
Some anti-virus products were found to have buffer overflow
vulnerabilities in the way they handle compressed files. An
attacker could exploit them by delivering a malicious compressed
file via e-mail or the web.
More information from www.sans.org
Source: Qualys