Groups Release Consensus List of Security Vulnerabilities

The SANS Institute along with government agencies from the United States, the United Kingdom and Canada on Wednesday released a list of the Top 20 computer security vulnerabilities. The list is broken out into 10 Windows vulnerabilities and 10 Unix/Linux vulnerabilities. Internet Information Services is the top red flag for Windows, according to the groups.

"Hundreds of automated attack programs take advantage of these vulnerabilities, so their elimination is essential as a first line of defense to protect the privacy of information stored on systems and to avoid having systems taken over and used in attacks on other victims," the groups said in a statement.

The SANS Institute has been releasing the list since at least 2000, although usually without as much official fanfare. U.S. and U.K. representatives unveiled the list in Washington, D.C., and Canadian officials released it in Ottawa.

Steve Cummings, director of the U.K. National Infrastructure Security Coordination Centre, said in a statement, “Our colleagues at the SANS institute have been undertaking essential work and we have been pleased to add our own expertise. We have helped to produce descriptions and remedial advice.”

Sallie McDonald, director of outreach programs at the U.S. Department of Homeland Security, called the Top 20 project, “a useful example of how the National Strategy for Securing Cyberspace is being implemented. The public/private partnership that created the Top 20 is a central theme of the strategy.”

It is the second year that the list has been organized in two equal parts -- one devoted to Windows vulnerabilities and one devoted to Unix/Linux vulnerabilities. In 2000, the SANS Institute released a general list, and in 2001, there was a general list with a sub-list tacked on containing additional vulnerabilities involving Windows.

The list has evolved in other ways. In 2001, SANS concentrated on technology areas or specific security holes, such as the Unicode vulnerability that allowed Web server folder traversal and the ISAPI extension buffer overflows. Starting last year, the listed vulnerabilities became much broader -- encompassing entire Microsoft products or services such as IIS, SQL Server and Internet Explorer.

The Windows vulnerabilities

IIS retained the No. 1 position it held in 2002 on the Windows vulnerability list this year, largely due to proven vulnerabilities in the default installation that allow attackers to remotely take control of the Web server, deny service, and view or steal data.
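The IIS default-installation weaknesses behind this ranking, and the Unicode folder-traversal entry from the 2001 list, share one root cause: the server decoded request paths in ways that let "..%c0%af.." or a double-encoded "..%255c.." slip past the path check and reach cmd.exe. The following detector is an added example (not code from the article, SANS or Microsoft): it replays that decoding over constructed IIS W3C-style log lines and flags requests that contain overlong UTF-8 sequences or climb above the web root. The field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and the sample lines are assumptions.

```python
"""Detect Unicode and double-encoded folder-traversal requests in IIS logs.

Added example, not from the article or SANS.  SAMPLE_LOG is constructed;
the assumed field layout is W3C extended:
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
"""
from urllib.parse import unquote_to_bytes

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
2003-10-08 10:01:02 10.0.0.5 GET /default.htm - 200
2003-10-08 10:01:09 192.168.1.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2003-10-08 10:01:15 192.168.1.77 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2003-10-08 10:02:00 10.0.0.6 GET /images/logo.gif - 304
2003-10-08 10:02:30 10.0.0.7 GET /scripts/%2e%2e/test.asp - 404
"""


def lenient_utf8(data: bytes):
    """Decode UTF-8 the way the unpatched IIS decoder did: overlong
    sequences such as C0 AF ('/') and C1 9C ('\\') are accepted rather
    than rejected.  Returns (text, saw_overlong)."""
    out, i, overlong = [], 0, False
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp, floor = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            need, cp, floor = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            need, cp, floor = 3, b & 0x07, 0x10000
        else:
            out.append("\ufffd")
            i += 1
            continue
        cont = data[i + 1:i + 1 + need]
        if len(cont) != need or any(not 0x80 <= c <= 0xBF for c in cont):
            out.append("\ufffd")
            i += 1
            continue
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        if cp < floor:
            overlong = True  # a shorter encoding exists: never sent by real clients
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out), overlong


def canonicalize(uri: str, max_passes: int = 3):
    """Percent-decode and UTF-8-decode repeatedly until the path is stable,
    so %c0%af and double-encoded %255c both collapse to a separator."""
    text, overlong = uri, False
    for _ in range(max_passes):
        decoded, saw = lenient_utf8(unquote_to_bytes(text.encode("utf-8", "replace")))
        overlong |= saw
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/"), overlong


def escapes_web_root(path: str) -> bool:
    """True if '..' segments ever climb above the virtual root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(log_text: str):
    """Return (client, raw stem, canonical stem, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client, stem = fields[2], fields[4]
        canon, overlong = canonicalize(stem)
        reasons = []
        if overlong:
            reasons.append("overlong UTF-8 sequence")
        if escapes_web_root(canon):
            reasons.append("traversal above web root")
        if reasons:
            hits.append((client, stem, canon, reasons))
    return hits


if __name__ == "__main__":
    for client, raw, canon, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {raw} -> {canon}: {', '.join(reasons)}")
```

The decoder is deliberately permissive because the detection has to reproduce what the vulnerable server accepted, not what a correct UTF-8 decoder accepts; a strict decoder would reject %c0%af and the request would look harmless. Note that the fifth sample line, a plain "/scripts/%2e%2e/test.asp", decodes to ".." but stays inside the root and is not flagged, so the check keys on where the path ends up rather than on the presence of ".." alone.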

Moving up the vulnerability scale was SQL Server, which went from No. 3 in 2002 to No. 2 this year. The highly damaging SQL Slammer worm that struck in January accounted for SQL Server's higher ranking.

The consensus also considered Windows authentication a more serious problem this year (No. 3) than in previous years. The category rolls up what amounted to three separate entries on the 2002 list -- anonymous logon and null sessions, LAN Manager Authentication and General Windows Authentication -- which were ranked fifth, sixth and seventh.

Internet Explorer went way up the list, from No. 7 in 2002 to No. 4 in 2003. The consensus group's reasoning is simple: If users fall even slightly behind on IE patches, they are left open to critical vulnerabilities.

New to the list this year are three items -- Microsoft Outlook-Outlook Express at No. 8, Windows Peer-to-Peer File sharing at No. 9 and Simple Network Management Protocol at No. 10. The other three items on the list are repeat visitors. Windows Remote Access Services is fifth. Microsoft Data Access Components (MDAC) is sixth, a lower priority than its No. 2 rating last year. Windows Scripting Host rounds out the list at No. 7.

To view the SANS Institute document, which also lists Unix/Linux vulnerabilities, click here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
