Hackers focus attacks against applications

Update: The SANS Institute has accused software vendors of putting users at risk by neglecting security

Computer users are at increasing risk of attack as malicious hackers are turning away from operating systems and concentrating on finding vulnerabilities in applications, a study published on Tuesday morning warned.

The SANS Institute, an independent research group, said that the IT industry has been "set back years", because software vendors have neglected security.

"A large component of the cyberthreat shifted during 2005," said SANS.

"Last year the most critical vulnerabilities in the announcement were associated with Windows and UNIX/Linux operating systems. This year, more than one-third are in applications — some of them security and back-up applications that people thought kept them safe," the group claimed. "This heralds a big increase in the threat because many of the application vendors do not provide automated patching."

SANS cited the discovery earlier this year of a flaw in Veritas's NetBackup storage product, which exposed companies to remote attackers.

SANS compared the situation to the days when Microsoft was heavily criticised for not making more efforts to secure Windows.

"We're in exactly the same position as six years ago — the user community just hasn't noticed it yet," according to Alan Paller, director of the SANS Institute, speaking at the launch of the report this morning.

SANS unveiled the findings at the Department of Trade and Industry where it called on application developers to give security a much higher priority.

The group cited Microsoft's development of regular monthly patch updates as an example of good practice, although this took several years to develop.

However, these automatic updates have bred complacency, SANS warned, because they have encouraged users to neglect their own patching and leave it in Microsoft's hands.

Robert Chapman, chief executive of The Training Camp, which runs courses for IT professionals, said the SANS report underlined the need for tight security.

"The news that hackers are now targeting unprotected applications, such as back-up software, will not come as a shock to IT security professionals. The fact is that hackers are constantly seeking new ways to attack our systems, as evidenced by the vicious war waged against unprotected wireless devices," said Chapman.

"In the long term the responsibility for making applications less vulnerable lies with the vendor, but in the interim it is vital that IT staff defend their companies' desktops," he added.