The deluge of new vulnerabilities has forced security research group SANS to change its annual 'Top 20 Internet Security Vulnerabilities' list to a quarterly update (as reported in SC Magazine).
"Threats are evolving faster than ever this year," said Gerhard Eschelbeck, CTO of Qualys. "We've had a mix of new vulnerabilities this year. Everyone has anti-virus and now even that is affected."
More than 600 internet security vulnerabilities have emerged in the first quarter of 2005. In the early part of 2005, a trend has emerged toward vulnerabilities in non-Microsoft products (Microsoft being the traditional home of many). Holes in Apple's iTunes, CA licensing software and some anti-virus products have added to the scale of the list.
To qualify for the new quarterly list, vulnerabilities must meet five requirements.
(1) They affect a large number of users.
(2) They have not been patched on a substantial number of systems.
(3) They allow computers to be taken over by a remote, unauthorized user.
(4) Sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them.
(5) They were discovered or first patched during the first three months of 2005.