SANS releases new list of significant vulnerabilities

Popular applications from Veritas Software and Computer Associates that back up data are among several products that appear on the organization's cybersecurity vulnerabilities list.

One of the underappreciated dangers of the Internet is the risk of leaving backup systems unsecured, according to security experts.

The SANS Institute of Bethesda, Md., has released its second-quarter list of cybersecurity vulnerabilities, which includes weaknesses in Microsoft products, the Mozilla and Firefox Web browsers, iTunes and RealPlayer, as well as popular data backup applications from Veritas Software and Computer Associates.

"These are the [weaknesses] that people can actually exploit and do a lot of damage with," said Alan Paller, director of research at SANS. Patches are available for all the vulnerabilities on the institute's list, but backup systems tend to get overlooked, he added.

"They are a huge part of the market, over 30 percent between Veritas and Computer Associates," said Ed Skoudis of IntelGuardians. "They back up banks, utility companies, government agencies" and other critical industries, Skoudis added.

"The most important thing for people to understand is that backup is just as important to secure as the mainframe," said John Pironti, a principal security consultant with Unisys Corp. "[Backup systems] can't be overlooked. They're even more sensitive, because they have access to everything."

Hackers also are exploiting weaknesses in user applications to enter a system through a desktop, bypassing firewalls in place on servers, said Gerhard Eschelbeck, chief technology officer of Qualys.

One of the Microsoft flaws reported is in Internet Explorer. "With the IE one, we're concerned for everybody," said Jerry Dixon, director of US-CERT, the federal cybersecurity center.

While the institute identified only the vulnerabilities it considers most critical, more than 422 new weaknesses were discovered during the second quarter of 2005, a 10.8 percent increase over the first quarter and nearly 20 percent more than in the same quarter a year earlier.

The list of vulnerable software packages, with details on their weaknesses and instructions for fixing them, can be found at www.sans.org/top20/Q2-2005update.

Patience Wait is a senior writer for Washington Technology's sister publication, Government Computer News.