News

Groups Release Consensus List of Security Vulnerabilities

• By Scott Bekker
• 10/08/2003

"Hundreds of automated attack programs take advantage of these vulnerabilities, so their elimination is essential as a first line of defense to protect the privacy of information stored on systems and to avoid having systems taken over and used in attacks on other victims," the groups said in a statement.

The SANS Institute has been releasing the list since at least 2000, although usually without as much official fanfare. U.S. and U.K representatives unveiled the list in Washington, D.C., and Canadian officials released it in Ottawa.

Steve Cummings, director of the U.K. National Infrastructure Security Coordination Centre, said in a statement, “Our colleagues at the SANS institute have been undertaking essential work and we have been pleased to add our own expertise. We have helped to produce descriptions and remedial advice.”

Sallie McDonald, director of outreach programs at the U.S. Department of Homeland Security, called the Top 20 project, “a useful example of how the National Strategy for Securing Cyberspace is being implemented. The public/private partnership that created the Top 20 is a central theme of the strategy.”

It is the second year that the list has been organized in two equal parts -- one devoted to Windows vulnerabilities and one devoted to Unix/Linux vulnerabilities. In 2000, the SANS Institute released a general list, and in 2001, there was a general list with a sub-list tacked on containing additional vulnerabilities involving Windows.

The list has evolved in other ways. In 2001, SANS concentrated on technology areas or specific security holes, such as the unicode vulnerability that allowed Web server folder traversal and the ISAPI extension buffer extension. Starting last year, the listed vulnerabilities became much broader -- encompassing entire Microsoft products or services such as IIS, SQL Server and Internet Explorer.

The Windows vulnerabilities

IIS retained the No. 1 position it held in 2002 on the Windows vulnerability list this year, largely due to proven vulnerabilities in the default installation that allow attackers to remotely take control of the Web server, deny service, and view or steal data.

Moving up the vulnerability scale was SQL Server, which went from No. 3 in 2002 to No. 2 this year. The highly damaging SQL Slammer worm that struck in January accounted for SQL Server's slightly higher security profile.

The consensus also considered Windows authentication a more serious problem this year (No. 3) than in previous years. The category rolls up what amounted to three separate entries on the 2002 list -- anonymous logon and null sessions, LAN Manager Authentication and General Windows Authentication -- which were ranked fifth, sixth and seventh.

Internet Explorer went way up the list, from No. 7 in 2002 to No. 4 in 2003. The consensus group's reasoning is simple: If users fall even slightly behind on IE patches, they are left open to critical vulnerabilities.

New to the list this year are three items -- Microsoft Outlook-Outlook Express at No. 8, Windows Peer-to-Peer File sharing at No. 9 and Simple Network Management Protocol at No. 10. The other three items on the list are repeat visitors. Windows Remote Access Services is fifth. Microsoft Data Access Components (MDAC) is sixth, a lower priority than its No. 2 rating last year. Windows Scripting Host rounds out the list at No. 7.

To view the SANS Institute document, which also lists Unix/Linux vulnerabilities, click here..