Application Vulnerabilities Are Not New

This morning I read the new @RISK: The Consensus Security Alert from SANS and friends. It begins with this comment:

"Prediction: This is the year you will see application level attacks mature and proliferate. As hackers focus more on applications, Oracle may start competing with Microsoft as the vendor delivering software with the most critical vulnerabilities."

I hear this focus on "applications" constantly, but this is old news. First look at the problem by separating the operating system (OS) kernel from the OS applications. If we look at vulnerabilities in this respect, "applications" have been under attack for decades. Perusing the CERT Advisories list (transitioned to the US-CERT's Technical Cyber Security Alerts in 2004), we see warnings about application vulnerabilities since 1988. For example, in December 1998 we have CA-1988-01: ftpd Vulnerability.

You might say that my separation of OS kernel and OS applications doesn't capture the spirit of SANS' "prediction." You might think that their new warning means we should focus on applications that don't ship with the "OS." In other words, look at widely deployed applications that aren't bundled with an OS installation CD. Using that criteria, "application attacks" are still old news. Check out this July 2001 advisory, CA-2001-16: Oracle 8i contains buffer overflow in TNS listener. That was followed a month later by CA-2001-24: Vulnerability in OpenView and NetView and three months later by CA-2001-29: Oracle9iAS Web Cache vulnerable to buffer overflow.

Maybe my background as a history major is at work here, but I think "hackers" have been attacking applications for years.