SANS stands for SysAdmin, Audit, Network, Security. The
Institute, based in Maryland, is a leading source for information
security training and certification. Its latest research was
compiled with a team of experts from industry and government.
Together they found over 600 new vulnerabilities.
These included flaws found in both Windows and UNIX products,
anti-virus products from Symantec, F-Secure, TrendMicro and McAfee
and in RealPlayer, iTunes and WinAmp Media Players.
The top vulnerability in Windows systems was in the default
installation of web servers and additional components for web
services that expose organisations to denial of service attacks and
data theft.
For UNIX systems, the top vulnerability was in the Berkeley
Internet Name Domain (BIND) package, the world's most widely used
implementation of the Domain Name System, or DNS, the system that
converts names such as OUT-LAW.COM into a corresponding IP address.
According to the SANS Institute, too many DNS servers are outdated
or misconfigured, and are therefore vulnerable not just to denial of
service attacks but also to DNS cache poisoning. In such an attack,
a forged answer is slipped into the server's cache before the genuine
one arrives, so internet users entering the correct address for
their bank's web site can unwittingly be directed to a
hacker-controlled web site.
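The mechanism behind that attack, as an added example that is not part of the original article or of BIND's own code: a toy stub resolver that accepts a reply only when its transaction ID and destination port match the outstanding query. Whether a forged reply wins the race therefore depends on how predictable those two values are. The "sequential transaction ID, fixed port 53" weak configuration, the host names and the IP addresses are all constructed for illustration; no network traffic is sent.

```python
"""Toy model of DNS cache poisoning by a forged reply (added example)."""
import random
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Query:
    name: str
    txid: int        # 16-bit DNS transaction ID
    src_port: int    # resolver's UDP source port; the reply must target it


@dataclass(frozen=True)
class Reply:
    name: str
    txid: int
    dst_port: int
    address: str


class Resolver:
    """Minimal caching resolver; 'weak' means predictable TXID and port."""

    def __init__(self, random_txid: bool, random_port: bool, rng: random.Random):
        self.random_txid = random_txid
        self.random_port = random_port
        self.rng = rng
        self.cache: Dict[str, str] = {}
        self._next_txid = 1             # counter used by the weak configuration
        self.pending: Optional[Query] = None

    def send_query(self, name: str) -> Query:
        if self.random_txid:
            txid = self.rng.randrange(0, 1 << 16)
        else:
            txid = self._next_txid
            self._next_txid = (self._next_txid + 1) & 0xFFFF
        port = self.rng.randrange(1024, 1 << 16) if self.random_port else 53
        self.pending = Query(name, txid, port)
        return self.pending

    def receive(self, reply: Reply) -> bool:
        """Accept a reply only if it matches the outstanding query exactly."""
        q = self.pending
        if q is None or reply.name != q.name:
            return False
        if reply.txid != q.txid or reply.dst_port != q.src_port:
            return False                # forged or stale reply: dropped
        self.cache[q.name] = reply.address
        self.pending = None             # first matching answer wins
        return True


def guess_space(resolver: Resolver) -> int:
    """Number of (txid, port) pairs an attacker must cover per attempt."""
    txids = (1 << 16) if resolver.random_txid else 1
    ports = ((1 << 16) - 1024) if resolver.random_port else 1
    return txids * ports


def poisoning_attempt(resolver: Resolver, target: str,
                      attacker_ip: str, real_ip: str) -> str:
    """Race one forged reply against the genuine one; return what gets cached."""
    # Step 1: the attacker makes the resolver look up a name they control and
    # observes the query arriving at their own authoritative server.
    observed = resolver.send_query("probe.attacker.example")
    resolver.receive(Reply(observed.name, observed.txid, observed.src_port, attacker_ip))
    # Step 2: the attacker triggers a lookup of the target and forges a reply
    # using the values they expect next (previous TXID + 1, same port).
    q = resolver.send_query(target)
    forged = Reply(target, (observed.txid + 1) & 0xFFFF, observed.src_port, attacker_ip)
    resolver.receive(forged)            # forged reply arrives first
    resolver.receive(Reply(target, q.txid, q.src_port, real_ip))  # genuine arrives second
    return resolver.cache[target]


if __name__ == "__main__":
    weak = Resolver(random_txid=False, random_port=False, rng=random.Random(7))
    strong = Resolver(random_txid=True, random_port=True, rng=random.Random(7))
    for label, r in (("weak", weak), ("strong", strong)):
        result = poisoning_attempt(r, "www.bank.example", "203.0.113.66", "198.51.100.10")
        print(f"{label}: cached {result}, guess space {guess_space(r)}")
```

The weak resolver is poisoned on the first try because one observed query reveals the next transaction ID and the port never changes; the hardened one forces the attacker to guess a 16-bit ID and a randomised source port together, which is the defence patched resolvers adopted. Note that the cache entry, once planted, is served to every client of that resolver until it expires.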
The SANS Institute warned:
"Individuals and organisations that do not correct these
problems face a heightened threat that remote, unauthorised hackers
will take control of their computers and use them for identity
theft, for industrial espionage, or for distributing spam or
pornography."
The list, which is normally published annually, will now be
revised on a quarterly basis to reflect the ever-changing nature of
internet threats.