Judging by the number of highly targeted attacks in the past year, 2007 will need to see a big increase in the level of protection provided for web and Microsoft office applications if our PCs are to escape the year unscathed.

A report released by the SANS Institute yesterday showed a sharp increase in attacks on all three fronts this year, along with a surge in zero-day attacks and security threats associated with the use of VoIP (voice over IP).

The trends were highlighted in SANS' annual update to its list of top 20 internet security vulnerabilities, which reflects the consensus opinions of more than three dozen security researchers and agencies.

The attack trends suggest a continued shift away from the noisy, attention-grabbing virus and worm attacks of the past to more covert attacks via Trojans and other malware, said Alan Paller, director of research at SANS.

"There has been a large downturn in the number of alerts we have been pushing out" related to traditional bugs, said Roger Cumming, director of the National Infrastructure Security Coordination Centre in the UK. At the same time, there has been a "marked increase" in the amount of Trojan horse attacks typically delivered via email with malicious attachments, he said. Hackers increasingly are "moving towards developing exploit code with a specific purpose", he noted.

Often, those responsible for developing and delivering such malicious code are different from the "sponsors" behind the attacks, Cumming said. "The crime bosses do not themselves have the skills, so they canvass and pay large amounts of money to hackers" willing to develop malware, he explained.

Therefore, from an enterprise standpoint, it's important to focus on risk management practices that emphasise data protection, Cumming said.

Data from more than 10 million network scans shows a surge in vulnerabilities being discovered in Microsoft Office applications and in attacks directed against them, said Amol Sarwate, manager of the vulnerability management lab at security vendor Qualys.

The number of vulnerabilities discovered in Microsoft Office so far this year is triple the amount discovered in 2005, Sarwate said. Out of that number, which SANS did not release, about 45 involved serious and critical vulnerabilities - and nine were zero-day flaws for which no patch was available, according to SANS. Most attacks against Office applications require users to open a malicious Word, Excel or PowerPoint document sent via email.

But many attacks are being carried out through the web, where users can be compromised simply by browsing malicious websites that exploit vulnerable client-side code, Sarwate said. "Hackers are now targeting common users" in such attacks, he said.

A sharp increase in web application attacks this year highlights a need for enterprises to pay particular attention to this area, said Johannes Ullrich, chief technology officer at SANS. The attacks aren't just aimed at the data behind a web application but are designed to use the web server as a platform to launch client-side attacks, he said.

"These applications are the Achilles' heel for a lot of enterprises," because they are often accessible to outsiders, Ullrich said, adding that they are often hastily written, with little attention paid to security.

A marked increase in zero-day attacks that target unpatched vulnerabilities portends problems for users going forward, according to the SANS report. Most of these attacks have been aimed at Microsoft products, particularly Internet Explorer, Word and PowerPoint, and appear to be launched from China. Among the 20 zero-day attacks listed by SANS were five that targeted IE and three that hit PowerPoint. Four zero-day attacks against Apple's Safari Web browser and its Mac OS X operating system were listed.

Making the Sans top 20 list for the first time was human error, which was often exploited in highly targeted spear-phishing attacks. Adding to this problem is the issue of excessive user rights and the prevalence of unauthorised devices on enterprise networks, the SANS report said.