Businesses should urgently check their systems for up to 15 critical security vulnerabilities which could enable hackers to access their networks.
The vulnerabilities are among 600 new software defects discovered over the past three months in a wide range of operating systems and widely-used applications.
US security research body the Sans Institute, which released details of the vulnerabilities yesterday, advised businesses to fix the 15 most critical problems immediately.
“These vulnerabilities are widespread and many of them are being exploited right now,” said Allan Paller, director of research at the Sans Institute. “Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected.”
Although the vulnerabilities have been publicised over recent weeks, even the most security-conscious businesses have failed to remedy between 30% and 70% of the problems, research by vulnerability management specialist Qualys revealed.
Organisations that have automatic Microsoft and anti-virus updates turned on will have been protected against some of the critical vulnerabilities, but most organisations still have a lot of work to do, said Gerhard Eschelbeck, chief technology officer at Qualys.
“There is no way you can patch every vulnerability. The key is to prioritise,” he said.
The critical vulnerabilities published in a “red flag” list yesterday cover a wide range of applications and systems, including Microsoft Internet Explorer, Windows XP Service Packs, and Oracle Application Server 9i and 10g.
Music and video playing software, such as RealPlayer, iTunes and Winamp – applications that IT departments often overlook as a source of risk – could be used as access points by hackers, the Sans list revealed.
“Most media players are still vulnerable,” said Paller.
Other weaknesses, including a DNS cache poisoning vulnerability in unpatched Windows DNS Servers and Symantec Gateway Security products, can be exploited by hackers to create phishing sites and spoof websites for stealing users’ bank and credit card details.