Security professionals just can’t say it enough: Download those patches.
The latest warning comes from the SANS Institute, a non-profit organization that provides information security training and certification. The institute ranked the most critical Internet vulnerabilities of the more than 600 new problems discovered in the first quarter of this year.
SANS uses five criteria to rank the vulnerabilities: they affect many users; although a patch is available, they remain unpatched on a substantial number of systems; they allow computers to be taken over by a remote, unauthorized user; details about how to exploit them have been posted to the Internet; and they were discovered or first patched in the first quarter.
SANS uses Qualys, which scans more than 2 million computers every week to discover what has and has not been patched, Alan Paller, SANS director of research, told TechNewsWorld.
While many of the top 20 security holes are found within Windows, Internet Explorer and other Microsoft software, Johannes Ullrich, SANS chief research officer, said that most of the problems are easily resolved with patches Microsoft has already released.
The problem often comes from forgetfulness, ignorance about the patching system, or because enterprises and individuals have disabled automatic updates (or, on Windows releases before Service Pack 2, never enabled them).
“UNIX systems are attacked pretty hard, too,” Ullrich said. “They’re higher value systems. You go after Microsoft if you want lots and lots of home users, but with the same effort you can hit a much more valuable UNIX system.”
The goal of publishing the report is to increase awareness among home users. Armed with the report, enterprise IT departments may also have an easier time explaining to the rest of the company why they are so busy.
“For a more sophisticated setting, it helps them prioritize and justify time spent on fixing vulnerabilities,” Ullrich said.
Paller also noted a change in malware attacks.
“The big shift is toward vulnerabilities in applications (Oracle, storage, media players, etc.), where three years ago the vast majority of vulnerabilities were found in the operating systems,” he said in an e-mail to TechNewsWorld today.