"The Internet is simply not ready because of these vulnerabilities. We're not ready to withstand a major attack," said Alan Paller, director of the SANS Institute. The research took on added importance in the wake of the 11 September terrorist attacks on the US.
The list of vulnerabilities - jointly prepared by SANS and the FBI's National Infrastructure Protection Centre (NIPC) and a team of approximately 50 corporate and academic security experts - is more exhaustive than a similar list released last year that was limited to the top 10 problems.
The NIPC, based at FBI headquarters, was formed in 1998 to handle threat assessment, investigations and responses to any attacks on critical US infrastructures.
Citing the recent Code Red and Nimda worms, Paller said: "What many people don't know is that a very small number of vulnerabilities are used over and over in these attacks."
The top 20 list details weaknesses specific to Windows and Unix-based systems, as well as problems common to any system, such as no passwords or weak passwords, large numbers of open ports, nonexistent or incomplete logging, vulnerable CGI programs, unprotected Windows networking shares and information leakage via null session (also known as anonymous log-on) connections.
But fixing these holes alone would not be enough to improve the security of Internet-connected systems, warned John Gilligan, the deputy chief information officer of the US Air Force and chairman of the Federal CIO Council's security committee.
Software makers needed "a new approach to the design and fielding of their products", said Gilligan. "The find and fixed patch race is something that is really starting to drain our resources," he added.
Gilligan said that commercial software should meet higher security standards, reinforced by a contractual or legal expectation.
"We realise that this will cost the industry additional expenses in the development and testing of software; we would gladly pay that cost upfront in the purchase price," he said.
The NIPC, like many security experts, is predicting an increase in cyberattacks related to terrorist activities. Some experts have said they believe such an increase is already underway.
Robert Gerber, chief of analysis and warning at the NIPC, said it was remarkable that the Nimda worm "showed up a week to the day to the hour after the events of 11 September".
Gerber speculated that Nimda might have been created as someone's "perverse desire to commemorate" the tragedy. "But I won't know until the FBI apprehends the person who did it," he said.