Internet criminals are increasingly targeting popular applications like backup software and web browsers instead of the operating systems that run them, according to a new report from government and industry security experts.
Attackers are targeting backup and recovery programmes, as well as "the antivirus and other security tools that most organisations think are keeping them safe," according to the SANS Top 20 report for 2005, released yesterday. The shift toward finding and exploiting vulnerabilities in application programmes is a major change from past years, when Windows and other operating systems, and internet services such as web and email servers, were the preferred targets.
"A new wave of attacks concentrated on application programs" in 2005, the report states.
Popular software at risk
In addition to holes in security and backup programmes, critical vulnerabilities in instant messaging programmes, web browsers, file-sharing applications, and media players all appear in the Top 20.
And those vulnerabilities are drawing all the wrong sorts of attention. According to SANS, unwanted network traffic targeting Symantec Veritas BackupExec rocketed to 500,000 instances within days of an announced security hole in the product, up from a previous maximum of about 50,000 instances.
Symantec wasn't alone. Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes. And according to an earlier report from the Yankee Group, the number of flaws reported in antivirus and other security programmes is growing far faster than the number reported in Windows.
Opportunities for criminals
Applications have become an increasingly attractive target because operating systems and internet services have grown more resilient after years of sustained attack. Many application programmes, by contrast, have no mechanism for automatic updates. The delay between the announcement of a vulnerability and the moment an administrator or home user manually updates the software is the window of opportunity for internet criminals.
New awareness of critical security holes in the network devices that route internet traffic is the second important shift in the Top 20, according to the report.
"Compromises of network devices can provide attackers one of the most fruitful platforms for eavesdropping and launching targeted attacks," it states.
Government organisations within the United States, the United Kingdom, and Canada all contributed to the report, as did internet security companies TippingPoint and Qualys. The SANS Institute has been producing the Top 20 report since 2000.