Microsoft's Security Problems Multiply

By CIOinsight  |  Posted 11-16-2006

Yesterday the SANS Institute released its 2006 Annual Update to the Top 20 Internet Security Attack Targets. The list is one of the most trusted sources of information on IT security vulnerabilities in the world. And the news is not good. Especially for Microsoft.

Some of the news is downright terrifying. For example, the report states that we are in the midst of a cybercrime epidemic, driven by attacks from Eastern Europe. Some banks have reported increases of 400 percent in losses to cyber fraud over 2005. Cyber criminals are also starting to make inroads into British, U.S. and Canadian military and military contractor sites in an attempt to steal information.

Many of the new vulnerabilities come from the widespread adoption of Web applications, which offer fast and direct access to information that formerly resided behind corporate firewalls. Dr. Johannes Ullrich, Chief Technology Officer at the SANS Internet Storm Center, said in a statement, "Web application vulnerabilities are so dangerous and widespread because of the unique challenge they present to developers. The only thing that separates a hacker from access to data is the diligence of the web developer who coded the application."

But nowhere was the news worse than in Redmond. The SANS experts are reporting triple the number of Microsoft Office vulnerabilities from a year ago. There were 45 serious and critical vulnerabilities discovered in Office alone. And the problem is spreading rapidly throughout the entire suite. Internet Explorer used to be the problem child of the Microsoft set, but the experts are noticing a sharp uptick in exploits in Word, PowerPoint, even Excel. "In 2006 we've seen a significant rise in attacks that take advantage of zero-day vulnerabilities," said Marc Sachs, director of the SANS Internet Storm Center, in a statement. "The focus of these attacks is Microsoft products."

The stepping up of attacks on Microsoft products is having an effect on IT purchasing. In a research study of high-level IT executives, CIO Insight found that 30 percent have moved systems off of Windows to reduce their overall security risk. And Internet Explorer has also taken it on the chin, with users switching to Firefox, Opera, and Safari.

Some new areas of vulnerability showed up on the SANS list this year as well. Voice over IP made the list for the first time, because of concerns that hackers can gain access to the traditional phone network through the IP network that is now integrated. "The most disastrous consequence can be bringing down the old phone network," said Rohit Dhamankar, senior manager of security research at Tipping Point.

The SANS Web site has an extensive list of vulnerabilities and tips on how to remediate them.