Friday, January 21, 2005

Application Vulnerabilities Are Not New

This morning I read the new @RISK: The Consensus Security Alert from SANS and friends. It begins with this comment:

"Prediction: This is the year you will see application level attacks mature and proliferate. As hackers focus more on applications, Oracle may start competing with Microsoft as the vendor delivering software with the most critical vulnerabilities."

I hear this focus on "applications" constantly, but this is old news. First look at the problem by separating the operating system (OS) kernel from the OS applications. If we look at vulnerabilities in this respect, "applications" have been under attack for decades. Perusing the CERT Advisories list (transitioned to US-CERT's Technical Cyber Security Alerts in 2004), we see warnings about application vulnerabilities since 1988. For example, in December 1988 we have CA-1988-01: ftpd Vulnerability.

You might say that my separation of OS kernel and OS applications doesn't capture the spirit of SANS' "prediction." You might think that their new warning means we should focus on applications that don't ship with the "OS." In other words, look at widely deployed applications that aren't bundled with an OS installation CD. Using that criterion, "application attacks" are still old news. Check out this July 2001 advisory, CA-2001-16: Oracle 8i contains buffer overflow in TNS listener. That was followed a month later by CA-2001-24: Vulnerability in OpenView and NetView and three months later by CA-2001-29: Oracle9iAS Web Cache vulnerable to buffer overflow.

Maybe my background as a history major is at work here, but I think "hackers" have been attacking applications for years.


Anonymous said...

Hi Richard,

My comments are at

Does blogger support trackback yet? :)

Anonymous said...

Like in the previous comment, I think you miss the point concerning SANS' prediction about application level attacks. IMHO what SANS states here is that application level attacks will develop much more this year and be much more used. I think it's clear to everybody that this type of attack has existed for years.

Richard Bejtlich said...

Thanks as always for reading and commenting. However, just because the public is waking up to the realities of intrusions doesn't mean anything new is happening. Five years ago three citizens of Kazakhstan were arrested for allegedly breaking into Bloomberg L.P.’s ("Bloomberg") computer system in Manhattan in an attempt to extort money from Bloomberg. Four years ago SANS itself partnered with the FBI to warn of Eastern European organized crime that had "stolen credit card and other data from at least 40 domestic e-commerce and e-banking sites." Three years ago I performed an incident response involving $10 million in fraudulent product orders gained via application attacks. These sorts of attacks and their motivations "matured" years ago.

Richard Bejtlich said...

I forgot to mention that the Romanian organized crime incident response I did in 2002 was the end of an intrusion that started in 1999 -- six years ago. The intruder took advantage of an application vulnerability and proceeded to cash in on his exploitation of the victim company.