Stan Beer
Monday, 01 May 2006 22:29
Security research organisation the SANS Institute has singled out Mac OS X, Firefox and Internet Explorer as having serious security issues in its latest report announcing updates to the Top 20 Internet Security Vulnerabilities. The 2006 Spring Update reflects the most important new vulnerabilities that attackers are exploiting to take over computers and steal sensitive or valuable information.
Eight major trends are listed in the update:
1. Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability (OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.)
2. Substantial decline in the number of critical vulnerabilities in Windows Services, offset by flaws in client-side software, including the WMF vulnerability and Internet Explorer flaws, listed in Trend #3.
3. Continuing discovery of multiple zero-day vulnerabilities in Internet Explorer.
4. Rapid growth in critical Firefox and Mozilla vulnerabilities.
5. Surge in commodity zero-day attacks used to infiltrate systems for profit motives.
6. Rapid growth in three types of critical vulnerabilities allowing direct access to databases, data warehouses, and backup data (Oracle, Veritas Back-Up and SQL Injection attacks).
7. A continuing surge in file-based attacks, especially using media and image files, Microsoft Excel files, and more.
8. A rapidly spreading scourge of successful spear-phishing attacks, especially among defense and nuclear energy sites.

Several of the world’s top cyber security experts joined forces to produce the report, including:
• Rohit Dhamankar, Editor, @RISK and the SANS Top 20, and Manager, Security Research, TippingPoint Division of 3Com
• Dr. Johannes Ullrich, Chief Technology Officer, SANS Internet Storm Center
• Gerhard Eschelbeck, Chief Technology Officer, Webroot
• Amol Sarwate, Manager, Vulnerability Management Lab, Qualys
• Ed Skoudis, SANS “Hacking Exploits” Course Director and Senior Security Analyst, Intelguardians
• Alan Paller, Director of Research, the SANS Institute
Among the findings:
During the past few months, Apple Safari browser users faced their first zero-day attack. A zero-day attack is one that causes damage to users even before the vendor makes a patch available. In this case, Safari users who just browsed a malicious web site found their computers automatically downloading and executing a malicious file. The user made no error other than to visit the web site. Apple patched Safari to fix this flaw, but almost immediately had to issue a second patch to stop another attack involving email attachments. The experts agree that OS/X still remains safer than Windows; but its reputation for offering a bullet-proof alternative to Windows is in tatters.
Internet Explorer users continue to be subjected to “drive-by” attacks when they visit web sites set up to exploit vulnerabilities in IE that Microsoft hasn’t yet patched, or for which the user hasn’t installed the patch. These vulnerabilities are responsible for many thousands of computers being infected with spyware and adware.
Users of Firefox and Mozilla have had to patch eleven vulnerabilities that can be exploited by a malicious webpage to execute arbitrary code on a user's system as well as several more critical vulnerabilities. Firefox continues to be seen as somewhat safer than Internet Explorer, but it is no panacea.
The report goes on to detail attacks against file systems and the government agencies of the US, Britain and Canada.