July 25, 2005 — -- It's been years since a major online computer virus or worm such as Nimda or Red Alert has crippled millions of computers across the Internet.
But don't breathe a sigh of relief just yet. There are plenty of dangers out there, and many of the newest target popular programs like iTunes or RealPlayer.
The threats to computer and Internet users are still there and they are growing by the day, according to a new report compiled by experts at the SANS Institute, an Internet security research and education organization in Bethesda, Md.
SANS researchers, along with other experts from various technology and government security groups, note that more than 422 new computer vulnerabilities were discovered during the second quarter of 2005 -- a nearly 11 percent increase from the first three months of the year. And compared to the numbers of just a year ago, the number of new threats has grown nearly 20 percent.
"You can view this through optimistic glasses and say a 10 percent uptick is modest … water under the bridge," says Ed Skoudis, an instructor at SANS. "But the number of vulnerabilities keeps going up. We're spending all this money and attention on security and we're still finding all these problems. It's disheartening news."
But security experts such as Skoudis aren't just frustrated over the increase in software glitches that could lead to the next big Internet attack. They're also concerned about where those flaws are increasingly being found.
Since SANS began tracking the so-called Top 20 Internet vulnerabilities in the fall of 2001, most of the online weaknesses were found in operating system software and "server applications" -- programs that distribute Web pages and e-mails across the Net, for example.
But as organizations heed security warnings and became more vigilant in patching, or fixing, these software loopholes, hackers and online criminals are beginning to exploit weakness in "client applications," or individual programs installed on a personal computer connected to the Internet.
In the updated Top 20 Most Critical Internet Vulnerabilities List issued by SANS today, researchers note some of the most dangerous flaws involve computer programs such as Apple's popular iTunes, RealNetwork's media players and assorted programs that "back-up" or archive copies of corporate data.
Security experts believe hackers and online criminals have turned to exploiting weaknesses in these programs for a number of reasons.
First, since programs such as iTunes and RealNetwork's RealPlayer are designed to retrieve entertaining content from the Net, the files retrieved and used by these programs are not normally considered a security threat. And hackers can exploit this false sense of security to their advantage.
For example, the iTunes flaw highlighted in the SANS report supposedly allows hackers to gain control of a computer with a cleverly designed file that can be downloaded from the Internet like any other digital music file. The file is constructed in such a way that when it's accessed by the iTunes program, it overwhelms the music software, leaving iTunes -- and the PC -- vulnerable to other programs that can be installed by the hacker.
"With the iTunes flaw, all they [hackers] have to do is invite a person to download the file or post it on a Web site and it will trigger the problem and let hackers have control," says Rohit Dhamankar, manager of TippingPoint, a maker of online intrusion detection systems in Austin, Texas.
What's more, while past online security attacks have conditioned Internet users to regularly update their usual Internet applications -- e-mail programs and Web browsers -- the same can't be said of these other popular applications.
"I don't know how many people go out and update their RealNetworks' player regularly," says Dhamankar, who was one of the security experts who helped compile the recent SANS report. "If you're a typical person, or a Grandma, you just launch RealPlayer or iTunes to get your music, not go searching for updates to fix itself [from these security flaws]."
And other security experts note that even security-conscious users could still be waylaid -- victimized by their own cleverness.
SANS' Skoudis notes, for example, that since experts have been deriding Microsoft's Internet Explorer for years, millions of Net surfers have switcher over to alternative Web browsers such as Mozilla or Firefox. However, both of these client programs have their own vulnerabilities -- a few of which made it onto the current Top 20 list.
"Some people will argue that if you use something other than IE, you're safer off," says Skoudis. "That may be true. But in the end, you still have to keep up with the patches."
Although no computer connected to the Internet is completely safe from hackers and viruses, experts say following these simple steps religiously can help reduce the danger:
If you use the Microsoft Windows operating system, you can set your computer to automatically notify -- and even self-install -- any new patches or fixes. If you use other programs that access the Internet regularly, such as Apple's iTunes, you should visit the manufacturer's Web site to find and install updates.
Install complete versions of anti-virus and firewall software. Most large Internet service providers will offer such protection programs as part of your subscription, but check to make sure you're using the latest versions. Also install so-called "anti-spyware" -- programs that help detect malicious programs hiding in your computer. And remember that most anti-virus and anti-spyware program require frequent updates -- and an annual subscription -- to keep on top of the latest online threats.
Some links may take you to Web sites that try to "hijack" your computer. Others may take you to a site that looks like a well-known site, such as eBay, but is actually a clever clone designed to steal personal information or other illicit purposes. If you open an e-mail that appears to be from a common Web site -- such as eBay or PayPal or Yahoo! -- asking to verify personal information, don't reply. Instead, go directly to the Web site by typing its address in your Web browser yourself.
Certain unscrupulous Web sites -- online pornography sites, illegal file sharing sites -- harbor hidden dangers. Some will download spyware to track what you do online or other hidden programs to watch what you do and clandestinley snag personal information.
Security groups, such as the SANS Institute, post news about the latest threats regularly. The list of Top 20 critical flaws -- and their fixes -- is posted by the SANS Institute on a quarterly basis.