Internet criminals are increasingly targeting popular applications like backup software and Web browsers instead of the operating systems that run them, according to a new report from government and industry security experts.
Attackers are targeting backup and recovery programs, as well as “the antivirus and other security tools that most organizations think are keeping them safe,” according to the SANS Top 20 report for 2005, released today.
At least one Canadian security vendor disagrees with the SANS report.
Oliver Friedrichs, senior manager, security response, Toronto-based Symantec Canada, said while security and backup programs are just as vulnerable, they are no worse than any other applications.
“Security software has always been targeted just like every other type of application, including operating systems such as Windows and Linux. (But) I don’t see a significant trend of attack as necessarily targeting security software more,” said Friedrichs.
The shift toward finding and exploiting vulnerabilities in application programs represents a major change from past years, when Windows and other operating systems and Internet services like Web and e-mail servers were the preferred targets.
“A new wave of attacks concentrated on application programs” in 2005, the report states.
Popular software at risk
In addition to holes in security and backup programs, critical vulnerabilities in instant messaging programs, Web browsers, file sharing applications, and media players are all listed among the Top 20.
And those vulnerabilities are drawing all the wrong sorts of attention. According to SANS, unwanted network traffic targeting Symantec Veritas BackupExec rocketed to 500,000 instances within days of an announced security hole in the product, up from a previous maximum of about 50,000 instances.
Symantec wasn’t alone. Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes. Also, according to a previous report from the Yankee Group, the number of flaws reported in antivirus and other security programs is increasing at a far faster rate than for Windows.
Symantec’s Friedrichs pointed out that over the past few years more vulnerabilities have been found on Web browsers, such as Internet Explorer and Firefox, but “we are certainly not seeing that frequency of vulnerabilities” in backup and security programs.
“We have seen vulnerabilities in security applications, but we are not necessarily seeing attacks on those application (vulnerabilities),” said the Symantec executive, adding that security tools often have the ability to “update themselves, even more frequently than traditional software.”
Opportunities for criminals
Applications represent an increasingly attractive target because operating systems and Internet services have become more resilient after years of steady attacks. Many applications, on the other hand, lack any mechanism for automatic updates.
The delay between an announced vulnerability and the time that an administrator or home user manually updates the software represents a window of opportunity for Internet criminals.
New awareness of critical security holes in the network devices that guide Internet traffic represents the second important shift in the Top 20, according to the report.
“Compromises of network devices can provide attackers one of the most fruitful platforms for eavesdropping and launching targeted attacks,” it states.
Government organizations within the United States, the United Kingdom, and Canada all contributed to the report, as did Internet security companies TippingPoint and Qualys.
The SANS Institute has been producing the Top 20 report since 2000.
– With files from Mari-Len De Guzman