SANS begins quarterly updates to its Top 10 cross-platform vulnerabilities list
Takeaway: Beginning with this month, the SANS Institute has started releasing its list of the Top 20 Internet Security Vulnerabilities on a quarterly basis. In this edition of the IT Locksmith, John McCormick reviews the recent updates to the second half of this list, the Top 10 cross-platform vulnerabilities. (If you missed the first half of this list, which addressed Windows vulnerabilities, click here.)
The SANS Institute now revises its annual Top 20 vulnerabilities list on a quarterly basis, and it released the first update for the first quarter of 2005 earlier this month. Due to the size of this list and number of vulnerabilities, I typically divide it into Microsoft and non-Microsoft issues.
I already addressed the top Windows vulnerabilities in a recent column. Now, let's take a look at the top cross-platform threats.
Details
Beginning with this update, SANS has moved from a yearly event to a quarterly release. This change should provide a much better guide for managers to help them determine which threats they need to block first.
In addition to moving to a quarterly release schedule, the SANS quarterly survey has also dropped the Linux/UNIX section in favor of a section for cross-platform threats, which includes Windows, Macintosh, and UNIX flavors. So, let's look at the most recent updates to the SANS Institute's Top 10 most exploited cross-platform threats for the first quarter of 2005.
Computer Associates License Manager Buffer Overflows (CAN-2005-0581, CAN-2005-0582, and CAN-2005-0583)
This is a remote code execution threat. An attacker can execute code with "SYSTEM/root" privileges on systems running any of the vulnerable products.
Affected systems include CA License Package versions 1.53 through 1.61.8 running on AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris, Windows, and Apple Macintosh operating systems. A patch is available.
Multiple Antivirus Products Buffer Overflow Vulnerabilities (CAN-2005-0249, CAN-2005-0350, and CAN-2005-0644)
This is also a remote code execution threat, and it affects a variety of antivirus products, including those from Symantec, F-Secure, Trend Micro, and McAfee. For information on available patches, see SANS' alerts for Symantec, F-Secure, Trend Micro, and McAfee.
DNS Cache Poisoning Vulnerability
This flaw can allow an attacker to redirect domain visits, and attackers have used the vulnerability to install malware. Affected versions include Symantec Gateway Security 5400 Series version 2.x; Symantec Gateway Security 5300 Series version 1.0; Symantec Enterprise Firewall version 7.0.x and 8.0 for both Solaris and Windows; VelociRaptor Models 1100, 1200, and 1300 version 1.5; Windows NT, and Windows 2000 prior to Service Pack 3.
Windows 2000 systems with SP3 installed are not vulnerable. However, other Windows DNS servers may be vulnerable.
Patches and various workarounds as specified by the vendors are available. For more information, see the SANS report.
Oracle Critical Patch Update (CAN-2005-0298)
These vulnerabilities can allow an attacker to take control of an Oracle server. Oracle released a patch for this vulnerability on Jan. 18, 2005. However, the fact that this flaw made the SANS report for the first quarter indicates that not everyone has installed the patch.
This affects a variety of Oracle products, including some versions of Oracle Database 8 through 10g, some versions of Oracle Application Servers, Oracle Collaboration Suite Release 2 version 9.0.4.2, and Oracle E-Business Suite and Applications Release 11 and 11i. For more details and information about available patches, see the SANS alert for this threat.
Multiple Media Player Buffer Overflows (CAN-2005-0455, CAN-2005-0611, and CAN-2005-0043)
This vulnerability can allow an attacker to completely compromise a system. Affected applications include Linux RealPlayer 10, Helix Player, iTunes, WinAmp, Windows RealPlayer 10.5 builds 6.0.12.1040 through 1056, Windows RealPlayer 10, Windows RealOne Player 2 builds 6.0.11.853 through 872 and builds 6.0.11.818 through 840, Windows RealPlayer 1, Windows RealPlayer 8, Windows RealPlayer Enterprise, Mac RealPlayer 10 builds 10.0.0.305 through 325, and Mac RealOne Player.
Patches and upgrades are available. Get more details in the SANS report.
Risk level - Critical
Remember: Attackers are currently exploiting all of these cross-platform threats in the wild—otherwise, they wouldn't have made the list—so the risk level is extremely high.
Final word
While the Top 20 designation still applies to this report in various ways, including the URL, you've probably noticed there aren't actually 20 major threats listed. In fact, the first quarterly update included seven Windows-only threats and five cross-platform threats.
I have no additional comments to make about these threats—they wouldn't have made the list if they weren't still viable threats and if companies had patched their systems. Instead, I'd like to throw out a random thought about Web browser security in general.
Does anyone remember just how serious a problem Web security was back in 1995? The reason I ask is because Microsoft based its Internet Explorer technology on that computing era's need for legacy support—not security.
As I recall, Microsoft released IE 1.0 in 1995, and Mozilla released Firefox 1.0 in late 2004. So, could part of the security differences that everyone's debating these days have something to do with the relative decade between the two releases?
I don't remember anyone arguing in 1995 that the Web would become the security threat it is today. On the other hand, you could also make the argument that Microsoft is actually responsible for the surge in security threats because it developed IE with so little concern for security. What do you think?
Also watch for …
- Microsoft Security Advisory (899480), "Vulnerability in TCP Could Allow Connection Reset": Published May 18, this advisory discusses a new TCP/IP vulnerability in Windows 2000, Windows XP, and Windows Server 2003. This threat isn't particularly dangerous because it only allows an attacker to reset the timeout values, and it doesn't affect anyone who installed the MS05-019 security update, Windows XP Service Pack 2, or Windows Server 2003 Service Pack 1. There are no reports of any exploits in the wild.
  Note: Microsoft didn't necessarily announce this because it was urgent—rather, it's a sample of the new Microsoft Security Advisory Service, an e-mail alert service that will include both new low- and high-level threats.
- Look for Microsoft to release the beta version of IE 7 around July of this year.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
