Zero-Day Attacks Top Security Threat List


In a departure from tradition, SANS assembled a list of the year's top 20 attack targets for its seventh annual status report on the Internet threat landscape rather than cite the most serious vulnerabilities. "This is a big change," said Alan Paller, the director of research at SANS. "We used to call them Internet vulnerabilities, but now we're seeing the bad guys targeting certain [attack] areas but using lots of different vulnerabilities in each."

The increase in zero-day attacks, Paller and the other security professionals said during a Wednesday conference call with reporters, is part of the continuing move toward smaller, more targeted attacks.

"We've seen quite a marked downturn since 2002 in the number of alerts we've pushed out on traditional types of attacks," said Roger Cumming, the director of the U.K.'s National Infrastructure Security Coordination Centre. "But we've seen a marked increase in the number of attacks delivered by Trojan horses. This 'less worms, more Trojans' trend is moving away from malware code in the sense of nasty attacks to developing exploit code for specific purposes. This is definitely a trend."

Attackers who want to cloak their attacks as long as possible value zero-day vulnerabilities -- bugs for which there are no patches -- because those flaws are exploitable the longest. "The trend has gone toward value-oriented attacks," argued Marc Sachs, the director of the SANS Institute's Internet Storm Center. "They don't want to be noticed and the best way to do that is to use vulnerabilities for which the target has no way to protect itself. The attack can be very successful in the first 24 [hours] or so in a zero-day attack."


Another trend line that SANS laid out was the big jump in attacks using vulnerabilities in Microsoft's popular Office productivity suite. Those attacks, which began in May with a zero-day assault against Office's word processor, continued throughout the summer, with Microsoft repeatedly patching the suite's applications.

"We saw Office vulnerabilities triple," said Amol Sarwate, the manager of Qualys' vulnerability lab and a collaborator with SANS on its annual lists. "And about 20% of those were zero-day vulnerabilities. The striking thing is that users can get compromised by simply viewing malicious Office files," Sarwate said. "Hackers have shifted their targets to common users, and away from servers administered by sophisticated users."

In its list of top 20 attack targets, SANS spotlighted some of the usual suspects -- including the Internet Explorer browser, Microsoft Windows, and Web applications -- but also noted that threats against newer technologies pose risks.

Voice-over-Internet, dubbed VoIP, is one that researchers are watching. "More sinister than attacks on VoIP phones themselves could be attacks on the traditional phone network," said Rohit Dhamankar, senior manager of security research at 3Com's TippingPoint. "The traditional phone network has never been accessible to hackers directly, but if you can compromise a [VoIP] server, there's a chance you can craft special messages to the traditional network, perhaps crash the network.

"That's one of the fears of VoIP in general. As attacks mount against VoIP, the chance of an attack against the traditional phone system increases."

The Top 20 lists each attack target, briefly spells out its place in the threat world, and offers advice on how to protect computer networks and systems from attack. The report can be viewed online here, or downloaded as a PDF file.

Also on Wednesday, vulnerability management vendor Qualys posted a free network scanner that sniffs out some, though not all, of the SANS top 20 attack targets. The scanner can be launched from the Qualys Web site.