The Sans (System Administration, Networking and Security) Institute produced its fourth annual top 20 list with the US Department of Homeland Security and Canadian and British cybersecurity agencies.
The list is intended to be a guide for enterprises and government agencies needing a starting point for fixing their systems, said Alan Paller, director of research at the SANS Institute.
"You may decide you still do not want to fix [the vulnerabilities], but at least you've got control and understand the problem," Paller said. "If you decide to write reports instead of fixing the vulnerabilities, then you deserve the attacks you get."
Five of the top 10 Windows vulnerabilities were new this year to the list, which focuses on the overall vulnerability of protocols, applications and tools. New items on the Windows top 10 list were Outlook/Outlook Express, P-to-P file sharing and Simple Network Management Protocol.
Outlook has been used to send many viruses and worms, but the 40-plus security experts put it on the list for the first time this year, said Erik Kamerling, editor of the list.
Paller said Microsoft had responded to customer pressure to improve security in its software. "There has been a massive shift at Microsoft," he said. "It is nowhere near perfect ... but it's been a mind change."
P-to-P technology poses a number of issues for systems administrators, according to the Sans Institute. These include legal concerns if a company's computers are used to trade copyrighted files, technical concerns from remotely exploitable misconfigurations possible in P-to-P software, and the ease of distribution of malicious code masquerading as legitimate materials traded through P-to-P software.
Three new Unix/Linux vulnerabilities were included on the list this year: clear text services, misconfiguration of enterprise services and Open Secure Sockets Layer.
Remaining on the Linux/Unix list were Apache Web server, Bind (Berkeley Internet Name Domain) and Sendmail, among others.
Paller urged company and agency leaders to start with a small list of the most dangerous vulnerabilities their systems administrators could attack and allow the security team at least 90 days to make progress before requiring them to report results.
Asking systems administrators to test for thousands of vulnerabilities at one time is a recipe for failure, he added.
Top vulnerabilities to Windows systems
1 Internet Information Services (IIS)
2 Microsoft SQL Server (MSSQL)
3 Windows Authentication
4 Internet Explorer (IE)
5 Windows Remote Access Services
6 Microsoft Data Access Components (MDAC)
7 Windows Scripting Host (WSH)
8 Microsoft Outlook Express
9 Windows Peer to Peer File Sharing (P2P)
10 Simple Network Management Protocol (SNMP)
Top vulnerabilities to Unix systems
1 Bind Domain Name System
2 Remote Procedure Calls (RPC)
3 Apache Web Server
4 General Unix Authentication Accounts with No Passwords or Weak Passwords
5 Clear Text Services
7 Simple Network Management Protocol (SNMP)
8 Secure Shell (SSH)
9 Misconfiguration of Enterprise Services NIS/NFS
10 Open Secure Sockets Layer (SSL)
For more details: http://www.sans.org/top20/
Grant Gross writes for IDG News Service