The range of threats facing IT departments is clearly demonstrated by the variety of vulnerabilities exposed by US security research organisation the Sans Institute, as reported last week by Computer Weekly. Here we give details of 12 new critical vulnerabilities which the Sans Institute has revealed.
They are the most critical flaws among 600 security vulnerabilities discovered by researchers during the first quarter of 2005. Twelve of them rank in the Sans Institute's Top 20 list of the most critical vulnerabilities.
Left unfixed they could be exploited by hackers to run malicious code, read confidential files or gain administrator privileges over unpatched machines.
The institute has advised organisations to check that they have patched the 12 most critical problems, and if not, to do so within two weeks. Research by security supplier Qualys suggests that even the most security conscious organisations have failed to patch between 30% and 70% of known problems.
From this month, the Sans Institute has begun to issue details of the top 20 security vulnerabilities every quarter, rather than annually, reflecting the growing priority of patching for organisations.
"A lot of companies are using the Sans Top 20 as a determinate of whether or not they have checked for critical vulnerabilities," said Alan Paller, research director at the Sans Institute. "We think quarterly is reasonable for companies to go back and make sure people got rid of them."
The vulnerabilities cover a wide range of software packages and operating systems, including Microsoft Internet Explorer, Windows XP Service Packs, and Oracle Application Server 9i and 10g.
Latest critical vulnerabilities in the Sans Institute Top 20
The Sans Institute has added 12 new critical security vulnerabilities to its top 20 list. They include:
These attacks typically require some user action to exploit the vulnerability, such as browsing a website, or opening an e-mail.
- Internet Explorer vulnerabilities (MS05-014 and MS05-008)
- Microsoft HTML help ActiveX control vulnerability (MS05-001)
- Microsoft DHTML Edit ActiveX remote code execution (MS05-013)
- Microsoft cursor and icon handling overflow (MS05-002)
- Microsoft PNG file processing vulnerabilities (MS05-009)
- Media player buffer overflows (Realplayer, Winamp and iTunes).
Some of these vulnerabilities can be triggered by users downloading playlists or other media files infected by malicious code. A hacker, for example could use an overlong URL in a playlist file to trigger a buffer overflow to execute a key logger.
A hacker can exploit the vulnerability by sending a specifically crafted request to the server and take control or to execute programs on the vulnerable system.
Computer Associates Licence Manager buffer overflows
Multiple buffer overflows in Computer Associates Licence Client and Server could allow remote attackers to execute malicious code. The software is used in various Computer Associates products.
Oracle critical patch update
Vulnerabilities have been identified in Oracle Application Server and Oracle Collaboration Suite. These could allow attackers to compromise the system and gain database administration privileges.
Microsoft Windows licence logging service overflow (MS05-010)
The licence logging service does not properly validate the length of messages. It could allow remote attackers to crash machines through denial of service attacks, and possibly execute malicious code.
DNS cache poisoning
Vulnerabilities in various Symantec products may allow hackers to redirect users to malicious web sites, rather than the site they are trying to log on to.
Anti-virus buffer overflow
Some anti-virus products were found to have buffer overflow vulnerabilities in the way they handle compressed files. An attacker could exploit them by delivering a malicious compressed file via e-mail or the web.
More information from www.sans.org
This was first published in May 2005