
SANS Top 20: OS X, Firefox more frequent targets

Mac OS X and Mozilla Firefox, widely considered safer than mainstream counterparts such as Microsoft Internet Explorer (IE), are rapidly becoming new sources of vulnerabilities, according to the latest SANS Institute Top 20 Internet Security Vulnerabilities report.

The six-month rankings, released today, also describe a newfound interest among cybercriminals to target zero-day flaws in IE instead of concentrating on holes in Windows services.

Rohit Dhamankar, project manager of the report, said attackers are beginning to focus on these new avenues as more users flock to them. In the end, he said, the goal remains the same.

"Once you compromise, the whole object of this game is to try to take control of a computer," he said.

SANS listed its top trend as the rapidly increasing vulnerabilities – including a zero-day flaw – appearing in Mac OS X, as the UNIX-based platform grows in popularity.

"The experts involved in the Top 20 update agree that OS X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters," according to the Top 20 report. "OS X vulnerabilities are being discovered at a rapid pace, as attackers are increasingly turning their attention to the platform, which could erode this safety in the future."

Anuj Nayar, an Apple spokesman who covers OS X issues, could not be reached for comment.

Following a similar pattern, the open-source Mozilla Firefox browser, a popular alternative to IE, is experiencing a noticeable growth in vulnerabilities. The SANS report said users have had to patch 11 vulnerabilities that could allow an attacker to execute arbitrary code.

"Firefox continues to be seen as somewhat safer than IE, but it is no panacea," according to the report.

A Mozilla spokeswoman said it is company policy not to comment on outside security reports.

The report also stated that SANS is witnessing a decline in the number of critical vulnerabilities affecting Windows services. However, the drop is offset by a growing number of holes in client-side software, notably the Windows metafile vulnerability and IE flaws, which affect web users.

Although other web browsers are targeted more frequently, users of IE remain at high risk for zero-day attacks, Dhamankar said.

"Internet Explorer users continue to be subjected to 'drive-by' attacks when they visit web sites that are set up to exploit vulnerabilities in IE that Microsoft hasn't yet patched or for which the user hasn't installed the patch," the report said. "These vulnerabilities are responsible for many thousands of computers being infected with spyware and adware."

Other notable trends include a jump in critical vulnerabilities that allow access to backup data, a surge in file-based attacks – particularly media and image files – and an influx of spear phishing schemes.

While Dhamankar said it is difficult to predict what is in store for the constantly evolving vulnerability threat landscape, he foresees a continued rise in flaws affecting different file formats.

To protect themselves from all vulnerabilities, users should make sure their systems are updated with the latest safeguards, and they should avoid clicking on unknown links and providing personal information, Dhamankar said.
