The SANS Institute now revises its annual Top 20 vulnerabilities list on a quarterly basis, and it released the first update for the first quarter of 2005 earlier this month. Due to the size of this list and number of vulnerabilities, I typically divide it into Microsoft and non-Microsoft issues.
I already addressed the top Windows vulnerabilities in a recent column. Now, let's take a look at the top cross-platform threats.
Beginning with this update, SANS has moved from a yearly event to a quarterly release. This change should provide a much better guide for managers to help them determine which threats they need to block first.
In addition to moving to a quarterly release schedule, the SANS quarterly survey has also dropped the Linux/UNIX section in favor of a section for cross-platform threats, which includes Windows, Macintosh, and UNIX flavors. So, let's look at the most recent updates to the SANS Institute's Top 10 most exploited cross-platform threats for the first quarter of 2005.
License Manager Buffer Overflows (CAN-2005-0581, CAN-2005-0582, and CAN-2005-0583)
This is a remote code execution threat. An attacker can execute code with "SYSTEM/root" privileges on systems running any of the vulnerable products.
Affected systems include CA License Package versions 1.53 through 1.61.8 running on AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows, and Apple Macintosh operating systems. A patch is available.
Products Buffer Overflow Vulnerabilities (CAN-2005-0249,
This is also a remote code execution threat, and it affects a variety of antivirus products, including those from Symantec, F-Secure, Trend Micro, and McAfee. For information on available patches, see SANS' alerts for Symantec, F-Secure, Trend Micro, and McAfee.
DNS Cache Poisoning
This flaw can allow an attacker to redirect domain visits, and attackers have used the vulnerability to install malware. Affected versions include Symantec Gateway Security 5400 Series version 2.x; Symantec Gateway Security 5300 Series version 1.0; Symantec Enterprise Firewall version 7.0.x and 8.0 for both Solaris and Windows; VelociRaptor Models 1100, 1200, and 1300 version 1.5; Windows NT; and Windows 2000 prior to Service Pack 3.
Windows 2000 systems with SP3 installed are not vulnerable. However, other Windows DNS servers may be vulnerable.
Patches and various workarounds as specified by the vendors are available. For more information, see the SANS report.
Oracle Critical Patch
These vulnerabilities can allow an attacker to take control of an Oracle server. Oracle released a patch for this vulnerability on Jan. 18, 2005. However, the fact that this flaw made the SANS report for the first quarter indicates that not everyone has installed the patch.
This affects a variety of Oracle products, including some versions of Oracle Database 8 through 10g, some versions of Oracle Application Servers, Oracle Collaboration Suite Release 2 version 126.96.36.199, and Oracle E-Business Suite and Applications Release 11 and 11i. For more details and information about available patches, see the SANS alert for this threat.
Multiple Media Player Buffer Overflows (CAN-2005-0455, CAN-2005-0611, and CAN-2005-0043)
This vulnerability can allow an attacker to completely compromise a system. Affected applications include Linux RealPlayer 10, Helix Player, iTunes, WinAmp, Windows RealPlayer 10.5 builds 188.8.131.520 through 1056, Windows RealPlayer 10, Windows RealOne Player 2 builds 184.108.40.2063 through 872 and builds 220.127.116.118 through 840, Windows RealPlayer 1, Windows RealPlayer 8, Windows RealPlayer Enterprise, Mac RealPlayer 10 builds 10.0.0.305 through 325, and Mac RealOne Player.
Patches and upgrades are available. Get more details in the SANS report.
Risk level - Critical
Remember: Attackers are currently exploiting all of these cross-platform threats in the wild—otherwise, they wouldn't have made the list—so the risk level is extremely high.
While the Top 20 designation still applies to this report in various ways, including the URL, you've probably noticed there aren't actually 20 major threats listed. In fact, the first quarterly update included seven Windows-only threats and five cross-platform threats.
I have no additional comments to make about these threats—they wouldn't have made the list if they weren't still viable threats and if companies had patched their systems. Instead, I'd like to throw out a random thought about Web browser security in general.
Does anyone remember just how serious a problem Web security was back in 1995? The reason I ask is because Microsoft based its Internet Explorer technology on that computing era's need for legacy support—not security.
As I recall, Microsoft released IE 1.0 in 1995, and Mozilla released Firefox 1.0 in late 2004. So, could part of the security differences that everyone's debating these days have something to do with the relative decade between the two releases?
I don't remember anyone arguing in 1995 that the Web would become the security threat it is today. On the other hand, you could also make the argument that Microsoft is actually responsible for the surge in security threats because it developed IE with so little concern for security. What do you think?
Also watch for …
- Security Advisory (899480), "Vulnerability in TCP Could Allow Connection Reset": Published May 18, this advisory discusses a new TCP/IP vulnerability in Windows 2000, Windows XP, and Windows Server 2003. This threat isn't particularly dangerous because it only allows an attacker to reset the timeout values, and it doesn't affect anyone who installed the MS05-019 security update, Windows XP Service Pack 2, or Windows Server 2003 Service Pack 1. There are no reports of any exploits in the wild.
Note: Microsoft didn't necessarily announce this because it was urgent—rather, it's a sample of the new Microsoft Security Advisory Service, an e-mail alert service that will include both new low- and high-level threats.
- Look for Microsoft to release the beta version of IE 7 around July of this year.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.