A security organization, in conjunction with the Department of Homeland Security and security agencies from both the Canadian and British governments, on Wednesday published its fourth annual list of the most commonly exploited Internet vulnerabilities.
The SysAdmin Audit Security Network (SANS) Institute, which first rolled out a list four years ago with the FBI's National Infrastructure Protection Center (NIPC), unveiled a pair of Top 10 lists, one noting vulnerabilities within Windows software, the other tagging the top flaws in Linux and Unix programs.
"The list is a consensus of the knowledge of people around the world who are on the front lines in the battle against cybercrime," said Alan Paller, the director of research at the SANS Institute. Representatives from various federal agencies, security experts from the governments of the U.K. and Singapore, academics, and security professionals from the commercial sector compiled the list and voted on the most egregious vulnerabilities.
The two lists are meant to steer system administrators toward the most widely exploited vulnerabilities, and include details on how they can mitigate risks associated with the vulnerable software.
"Awareness is a huge part of the security struggle against vulnerabilities," said Alfred Huger, the senior director of engineering on Symantec's security response team, in pointing out the value of such lists for their help in prioritizing vulnerabilities for corporate IT and bringing them to the attention of home users. "It's a tough job to prioritize vulnerabilities since there are so many with a potentially severe impact."
The SANS Institute's top vulnerabilities for Windows systems include a number of new entrants, including first-time appearances by Microsoft's Outlook and Outlook Express e-mail clients and by peer-to-peer (P2P) file sharing programs that run on that operating system.
Outlook and Outlook Express are the most popular e-mail clients used by attackers to spread worms, which often propagate by stealing addresses from those programs and sending messages to unsuspecting users. P2P software has been frequently used by so-called "blended" exploits as one of several methods for infecting systems.
The list ranks Microsoft's Web server, the Internet Information System (IIS) software, as the top Windows vulnerability.
Also on the Windows list are Microsoft SQL Server (at number 2), Internet Explorer (at number 4), and Windows' remote access services (at number 5). All three were targets of major attacks and disruptions in 2003, ranging from the Slammer worm's assault on SQL Server to the summer's MSBlaster worm, which exploited vulnerabilities in Windows Remote Procedure Calls (RPC). Most recently, Internet Explorer came under fire for unpatched vulnerabilities that resulted in requests to view major search services such as Google being redirected to a third-party Web site.
On the Unix and Linux side, the Institute named the Berkeley Internet Domain Name (BIND) software -- which is widely used on domain name servers to match URLs with IP addresses -- as the top problem software. Apache Web server (at number 3) and Sendmail (at number 6) are also on the Unix/Linux list, and have been exploited this year.
"This is a well-done, thorough list," agreed Huger. "It matches up really closely with the most dangerous vulnerabilities we think are out there."
Huger did pick a small bone with the list, saying that he would have bumped Internet Explorer a spot or two on the Windows Top 10.
"IE is dangerous because it's so insidious," he said. "Both because it's so popular and because it's so easy to exploit." Symantec, for instance, is seeing a large increase in the use of "botnets," networks of Internet Relay Chat (IRC) bots, which propagate through Internet Explorer and attempt to entice Web surfers to malicious sites.
The SANS Institute lists can be viewed on the organization's Web site, where each vulnerability is described in detail and information on how to protect against exploits is offered.