washingtonpost.com
Hackers Skip Windows to Embed New Infections

By Jonathan Krim
Washington Post Staff Writer
Tuesday, July 26, 2005

The online security climate continues to deteriorate, as computer hackers are targeting an increasing number of popular programs such as the iTunes music service and software that makes backup copies of data, according to an Internet safety study released yesterday.

Flaws in software that can be exploited by hackers are on the rise, said the report by the SANS Institute of Bethesda, a cyber-security research and education center.

The report, issued quarterly, is unwelcome news for consumers and businesses hoping for relief as software makers such as Microsoft Corp. work to improve the security of the operating systems that power individual machines and computer networks.

Hackers now often bypass operating systems, staying one step ahead in the ongoing cat-and-mouse warfare between those trying to protect computer systems and those trying to infiltrate or damage them.

For example, worms, viruses and spyware can now infect machines when users simply visit certain Web sites, rather than requiring victims to click on a malicious e-mail or file. Individual songs delivered via trusted programs such as the RealNetworks media player or iTunes can be vehicles for malicious code that can cripple machines or open them up to remote control by hackers.

Once they penetrate a machine, hackers can steal personal data or use the machine as a "zombie" to launch attacks on other machines.

Even programs designed in part as a safer alternative to Microsoft, such as the increasingly popular Web browser Firefox, are being hacked, the report said.

"The rate of growth of vulnerabilities is actually increasing . . . and that's enabling more identity theft," said Alan Paller, director of research at SANS.

Overall, SANS reported 422 new flaws discovered in the second quarter of this year, a 10.8 percent increase over the first quarter and a nearly 20 percent rise from the second quarter of last year.

Vendors of the software have issued "patches," or fixes, for all of the flaws, but they often are not installed rapidly enough by businesses and consumers, the report said.

Of particular worry to the researchers are weaknesses in software for backing up data, an essential for most businesses and many consumers. The study reported flaws in software made by Computer Associates International Inc. and Symantec Corp., which together account for about 30 percent of the market.

The primary vehicle for attack remains Microsoft's Internet Explorer Web browser, the study said.

Amy Roberts, head of product management in Microsoft's security division, said the company continues to work to stay ahead of the hackers.

She said a more secure version of Internet Explorer will be part of Microsoft's new operating system, Windows Vista, which is scheduled to be released for testing next month.

© 2005 The Washington Post Company