The respected SANS Institute has identified the sudden rise in ‘zero day’ attacks as the most important threat trend in its 2006 Top Twenty Vulnerabilities list.
In the last year or so, the zero day attack had gone from a phenomenon talked about in the abstract to something that was now a regular occurrence in everyday applications, the organisation said.
Such vulnerabilities in Microsoft Office had tripled from last year , with 45 serious or critical vulnerabilities – 9 of which were zero day attacks - discovered in the suite.
Overwhelmingly, the attacks originated in China, which the report says could be down to the wide availability of source code without normal copyright restrictions or effective policing in that locale.
If previous year’s lists featured a conventionally dry list of security holes, this year’s announcement makes clear that computer security has grown into a global megatrend of significance beyond the computing world.
As well as attempting to exploit security vulnerabilities for extortion of information theft, criminals are also actively targeting military and other public systems in countries such as the US, the UK and Canada, the organisation said.
The report identifies a number of specific trends beyond the targeting of Microsoft, including a rise in sophisticated targeted attacks, and the exploitation of VoIP in a way that could lead to a crash of the conventional PSTN on which so many third-party systems depend. Web-based attacks on databases, using such hacks as SQL injection, have also risen.
The organisation has even had to give its report a new name to better underline the nature of the problem. From now on the Top 20 Security Vulnerabilities list will be known by the more menacing title of the Top 20 Internet Attack Targets so as to better explain the nature of the threats now faced.
The SANS Report has acquired a degree of credibility because it identifies specific threats in detail and is seen as just about the only multi-party analysis of threats from one year to the next. In addition to SANS staff, contributors to this year’s report included Gerhard Eschelbeck, now of Webroot, Amol Sarwate of Qualys, and Rohit Dhamankar of 3Com TippingPoint.