Microsoft's Outlook e-mail program and peer-to-peer software have been included for the first time in the Sans Institute's annual list of the 20 security vulnerabilities most exploited by attackers. The Sans (System Administration, Networking and Security) Institute produced its fourth annual top 20 list with the US Department of Homeland Security and Canadian and British cybersecurity agencies.
The list is intended to be a guide for enterprises and government agencies needing a starting point for fixing their systems, said Alan Paller, director of research at the SANS Institute.
"You may decide you still do not want to fix [the vulnerabilities], but at least you've got control and understand the problem," Paller said. "If you decide to write reports instead of fixing the vulnerabilities, then you deserve the attacks you get."
Five of the top 10 Windows vulnerabilities were new this year to the list, which focuses on the overall vulnerability of protocols, applications and tools. New items on the Windows top 10 list were Outlook/Outlook Express, P-to-P file sharing and Simple Network Management Protocol.
Outlook has been used to send many viruses and worms, but the 40-plus security experts put it on the list for the first time this year, said Erik Kamerling, editor of the list.
Paller said Microsoft had responded to customer pressure to improve security in its software. "There has been a massive shift at Microsoft," he said. "It is nowhere near perfect ... but it's been a mind change."
P-to-P technology poses a number of issues for systems administrators, according to the Sans Institute. These include legal concerns if a company's computers are used to trade copyrighted files, technical concerns from remotely exploitable misconfigurations possible in P-to-P software, and the ease of distribution of malicious code masquerading as legitimate materials traded through P-to-P software.
Three new Unix/Linux vulnerabilities were included on the list this year: clear text services, misconfiguration of enterprise services and Open Secure Sockets Layer.
Remaining on the Linux/Unix list were Apache Web server, Bind (Berkeley Internet Name Domain) and Sendmail, among others.
Paller urged company and agency leaders to start with a small list of the most dangerous vulnerabilities their systems administrators could attack and allow the security team at least 90 days to make progress before requiring them to report results.
Asking systems administrators to test for thousands of vulnerabilities at one time is a recipe for failure, he added.
Top vulnerabilities to Windows systems

1 Internet Information Services (IIS)
2 Microsoft SQL Server (MSSQL)
3 Windows Authentication
4 Internet Explorer (IE)
5 Windows Remote Access Services
6 Microsoft Data Access Components (MDAC)
7 Windows Scripting Host (WSH)
8 Microsoft Outlook Express
9 Windows Peer to Peer File Sharing (P2P)
10 Simple Network Management Protocol (SNMP)
Top vulnerabilities to Unix systems

1 Bind Domain Name System
2 Remote Procedure Calls (RPC)
3 Apache Web Server
4 General Unix Authentication Accounts with No Passwords or Weak Passwords
5 Clear Text Services
6 Sendmail
7 Simple Network Management Protocol (SNMP)
8 Secure Shell (SSH)
9 Misconfiguration of Enterprise Services NIS/NFS
10 Open Secure Sockets Layer (SSL)
For more details: http://www.sans.org/top20/
Grant Gross writes for IDG News Service