This week's news that Apple's QuickTime media player contains a new and "extremely dangerous" flaw served as a perfect lead-in to the release of the latest SANS Top 20, which lists client-side vulnerabilities among the most dangerous threats facing end-users.In addition to affecting media players, client-side bugs – often exploited to build armies of botnets – are impacting web browsers, office software and email clients with greater frequency, according to the annual report.
Rohit Dhamankar, senior manager of security research at TippingPoint, said during a conference call today that Microsoft released 32 client-side security bulletins this year, compared to six server-side patches.
"The client-side vulnerabilities are now posing a big risk to the enterprise," he said. "A lot of compromised sites are hosting exploits, which are targeting these flaws."
Experts said attackers are creating more sophisticated techniques to launch malware attacks and evade detection, including code obfuscation and quickly changing variants.
"The bad guys have perfected their business model," Ed Skoudis, a SANS Internet Storm Center handler and founder of Intelguardians Network Intelligence, a network security consultant, said on the call. "They're making money from their malicious code and that gives them incentive to innovate. The longer they can stay on your machine, the more money they can make."
Experts on the call said signatures and heuristics are not enough to deter these malware assaults. As a result, anti-virus companies must create behaviour-based solutions and consider providing in-the-cloud service to customers, they said.
Forty-three IT security experts collaborated on the SANS Top 20, which actually lists 18 top risks.
Another growing threat is spear phishing. Alan Paller, director of research for the SANS Institute, said on the conference call that government agencies and military contractors are particularly vulnerable to this problem. He said attackers who obtain a targeted victim's username and password can employ the credentials to break into a web application and steal sensitive data for purposes such as espionage.
Paller said these entities must implement more hands-on user-awareness training.
"Instead of just telling people [in a training session], they should actually run a benign version of the attack against their employees," he said. "The ones who fall for it get a little education, and that tends to work out very well."
Zero-day attacks were again included on the list, although Dhamankar said the number of these exploits is falling. Skoudis said the reason for the decline is that hackers are having success without them.
"If you can build your botnet out of a couple million machines without a zero-day, why don't you hold on to it until you really need it?" he said.
The report also names as risks server-side vulnerabilities, excessive user rights and unauthorized devices, unencrypted laptops and removable media, instant messaging, peer-to-peer programs and VoIP servers and phones.
Paller said the Top 20 list will help organizations "prioritize their security investment."
"These are the places where the bad guys are getting around your defences," he said.