Hackers focus attacks against applications

Summary:Update: The SANS Institute has accused software vendors of putting users at risk by neglecting security

Computer users are at increasing risk of attack as malicious hackers are turning away from operating systems and concentrating on finding vulnerabilities in applications, a study published on Tuesday morning warned.

The SANS Institute, an independent research group, said that the IT industry has been "set back years", because software vendors have neglected security.

"A large component of the cyberthreat shifted during 2005," said SANS.

"Last year the most critical vulnerabilities in the announcement were associated with Windows and UNIX/Linux operating systems. This year, more than one-third are in applications — some of them security and back-up applications that people thought kept them safe," the group claimed. "This heralds a big increase in the threat because many of the application vendors do not provide automated patching."

SANS cited the discovery earlier this year of a flaw in Veritas's NetBackup storage product, which exposed companies to remote attackers.

SANS compared the situation to the days when Microsoft was heavily criticised for not making more efforts to secure Windows.

"We're in exactly the same position as six years ago — the user community just hasn't noticed it yet," according to Alan Paller, director of the SANS Institute, speaking at the launch of the report this morning.

SANS unveiled the findings at the Department of Trade and Industry where it called on application developers to give security a much higher priority.

The group cited Microsoft's development of regular monthly patch updates as an example of good practice, although this took several years to develop.

However, these automatic updates have bred complacency, SANS warned, because they have encouraged users to neglect their own patching and leave it in Microsoft's hands.

Robert Chapman, chief executive of The Training Camp, which runs courses for IT professionals, said the SANS report underlined the need for tight security.

"The news that hackers are now targeting unprotected applications, such as back-up software, will not come as a shock to IT security professionals. The fact is that hackers are constantly seeking new ways to attack our systems, as evidenced by the vicious war waged against unprotected wireless devices," said Chapman.

"In the long term the responsibility for making applications less vulnerable lies with the vendor, but in the interim it is vital that IT staff defend their companies' desktops," he added.

Topics: Tech Industry

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.