SANS Institute Monday updated its list of “Top 20” vulnerabilities discovered in products or types of exploits and attacks that threaten users on the Internet.
The SANS “Spring Update” of its Top 20 Internet Security Vulnerabilities cites a growth in critical vulnerabilities discovered in the Mac OS/X operating systems, as well as vulnerabilities associated with the Mozilla Firefox open-source Web browsers that had to be patched.
Rohit Dhamankar, editor of the SANS Top 20 and manager of security research at 3Com’s TippingPoint division, said the good news is that software patches for the Mozilla Firefox open-source browsers are usually more quickly issued compared with Microsoft’s patch process for its Internet Explorer.
“The [Mozilla Firefox] patches arrive much faster, typically within a week,” said Dhamankar, adding that Microsoft generally waits for its scheduled second Tuesday of the month to issue software patches. He added that so many zero-day exploits have been discovered recently in association with Microsoft Explorer, the browser’s name should be changed to “Internet Exploiter.”
Other trends cited by SANS Institute include SQL injection vulnerabilities and attacks against databases, as well as the “scourge” of successful "spear phishing" attacks, especially against U.S. defense and nuclear-energy sites.
In spear phishing, an attacker sends e-mail pretending to be a trusted source to a targeted victim who turns over sensitive information to the attacker.
While SANS Director of Research Alan Paller declined to reveal the names of specific agencies that had been the target of spear phishing, this type of attack has caused so much concern in the U.S. government, he said, that there’s been a new word coined for such an attack: “exfiltration.”
A play on the word “infiltration,” the word “exfiltration” is “being used a lot around Washington these days,” because of a number of successful spear-phishing attacks, says Paller.