There are lots of opinions about where the greatest vulnerabilities in computers and networks lie; just read the comments on any security-related post on this blog for an earful. Hard data, however, has generally been lacking. A new study assembled by the SANS Institute, based on reports from 15,000 organizations surveyed by the risk assessment companies Tipping Point and Qualys, ought to help cure that.
The results, while not terribly surprising to anyone who has followed the vulnerability scene for the past couple of years, suggest that many IT professionals should re-examine, and probably change, their priorities. The analysts found that the biggest risk facing most systems is unpatched vulnerabilities in applications, and that applications, not operating systems, have become the primary target of attack.
The problem is that even organizations that are vigilant about patching OS vulnerabilities are often lax about applications, so flaws in applications go unpatched for much longer than OS holes. “On average,” the report concludes, “major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words, the highest priority risk is getting less attention than the lower priority risk.”
The second priority, according to the report, is a familiar one: dealing with vulnerabilities in applications running on Web servers. The survey found that Web server-side applications are the target of more than 60% of all Internet attacks, and that “Web application vulnerabilities such as SQL injection and cross-site scripting flaws in open source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered. Despite the enormous number of attacks and despite widespread publicity about these vulnerabilities, most Web site owners fail to scan effectively for the common flaw.”
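To make the two flaw classes the report names concrete, here is an added example (not code from the SANS report or from this post) showing a SQL injection bug and a reflected cross-site scripting bug, each beside its hardened form, plus the kind of minimal probe a site owner could run to notice the injection. It uses an in-memory SQLite database with constructed sample accounts; the table, user names and payloads are illustrative assumptions.

```python
"""SQL injection and XSS: vulnerable vs. hardened, with a minimal injection probe.

Added example, not from the SANS report or the original post. All data below is
constructed for the demonstration.
"""
import html
import sqlite3


def make_db():
    # Constructed sample data: two accounts in a single users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    # String-formatted query: attacker-controlled input is parsed as SQL syntax.
    query = (
        "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, name, password):
    # Parameterized query: input is bound as data and never reaches the SQL parser.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()


# Canonical payloads: the first turns the WHERE clause into a tautology, the
# second comments out the password check (SQLite treats "--" as a line comment).
SQLI_PROBES = ["' OR '1'='1", "x'--"]


def probe_login(login_fn, conn):
    """Black-box check: returns the first payload that authenticates without
    valid credentials, or None if none does."""
    for payload in SQLI_PROBES:
        if login_fn(conn, payload, payload) is not None:
            return payload
    return None


def greet_vulnerable(name):
    # Reflects user input into HTML unescaped: classic reflected XSS.
    return "<p>Welcome, %s</p>" % name


def greet_hardened(name):
    # Output encoding appropriate for HTML text content; quote=True also
    # escapes ' and " so the same helper is safe inside attribute values.
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypassed with:", probe_login(login_vulnerable, db))
    print("hardened login bypassed with:", probe_login(login_hardened, db))
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_hardened("<script>alert(1)</script>"))
```

The probe is deliberately crude: it only catches the two textbook payloads against a login form, which is exactly the class of flaw the report says most site owners never scan for. A real scanner would also cover blind and second-order injection and every input that reaches a query, but the principle is the same: bind parameters, encode output for the context it lands in, and test the deployed application rather than assuming the framework did it for you.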
The combination of these two modes of attack is particularly deadly. Server-side vulnerabilities let attackers compromise legitimate Web sites, and the compromised pages are then used to exploit client-side application flaws on the desktops and laptops that visit them. In most cases, the ultimate goal of the attacks is to steal valuable information, not just credit card numbers and other personal data but corporate and government information.
The applications most targeted by attackers are a mixed bag, though the list certainly should move us beyond the endless arguments over the relative security of Windows, Macs, and Linux. Two companies that supply software for all three platforms were high on the target list: Adobe has had a variety of problems with holes in its Flash Player and Acrobat Reader software, and Sun Microsystems’ Java has also been open to attack. Microsoft, of course, has a long list of application vulnerabilities, and Apple has had issues with QuickTime.