Security Vulnerabilities Rising: Cisco

Channel partners, take heed! Cisco warns in a new report that more blended and virtualization attacks are occurring.

Channel partners need to be aware that IT security is being threatened by increasingly vulnerabilities, including more blended and virtualization attacks, networking giant Cisco (NASDAQ:CSCO) warns in a new report.

According to the company, through this October, nearly 6,000 IT vulnerabilities had been tallied, a year-over-year increase of 11.5 percent over the 5,353 vulnerabilities reported for 2007. Cisco also reported a year-over-year increase of 90 percent in the volume of attacks that come from legitimate domains.

"Even though we were aware of the severity of the threats on the web and in particular the attacks on legitimate Web sites, the ferocity and volume of those attacks in 2008 was very much of a shock,"  said Patrick Peterson, Cisco Fellow and chief security researcher. "It really defied all of our worst case scenarios."

Cisco's report claims that exploited web sites in 2008 were responsible for 87 percent of all Web-based threats. Overall Cisco reported that Buffer overflow, Denial of Service (DoS) and Cross Site Scripting (XSS) attacks led the total vulnerability count.

Peterson noted that volume of reported vulnerabilities is not the same as volume of attacks. Peterson noted that attacks on Web sites in 2008 were primarily by way of SQL injection . BusinessWeek Online was among the sites attacked by SQL injection in 2008.

Peterson also pointed the finger at web browser add-ons, which he argued were easy to exploit in 2008. If attackers want to take advantage of an add-on vulnerability, all they have to do is get the browser to visit a web page with a malicious code Flash object on it. He added that the problem with add-on vulnerability often stems from the fact that users aren't always running the most up to date versions of the software.

"Add-on patching and updates don't seem to have the same kind of rigor or delivery vehicle as more standard apps," Peterson said. "I just installed Windows Update, but when it comes to something like Flash, the way it gets updated, it doesn't seem to have the same kind of rigor. It leads people to have an OS {operating system} that is patched but some kind of browser plugin that is not patched and they don't even know how to get the patch."

Eric Lawrence, security program manager for Microsoft's (NASDQ:MSFT) Internet Explorer team, has made a similar argument: that browser add-on security is an issue that exists with the add-on vendors.

Lawrence made his add-on comment during a discussion this year on clickjacking, which is a new attack vector that was not included in Cisco's report. Peterson explained that details on clickjacking emerged after Cisco began to put together its report.

In a clickjacking attack an attacker hides an object underneath a legitimate object or button, such that a user is completely unaware of what they might be clicking. Peterson said he doesn't believe that clickjacking is currently a widespread attack but that it is a very clever and scary attack vector.

Perhaps more surprising, DNS -related attacks did not happen in a widespread manner in 2008. Security researcher Dan Kaminksy revealed that most DNS servers were at risk from a cache poisoning attack that could have redirected users to arbitrary sites.

Peterson noted that when the flaw was first revealed in July he anticipated massive DNS hacking activities. That didn't happen. Instead, from Peterson's point of view, the aggressive patching effort that culminated in Kaminsky's full disclosure in August likely averted any widespread DNS hacking activity.

In fact, Peterson sees the Kaminsky attack as a new type of positive trend for the IT security community.

(This article was adapted from


TAGS: Windows,Microsoft,virtualization,Internet Explorer,Cisco

Security News Solutions

Comment and Contribute

    (Maximum characters: 1200). You have 1200 characters left.



    Security News| Contact Sean Michael Kerner | Back to top

    Click the Join button below to sign up to our newsletter!