SANS Institute names Top 20 vulnerabilities

The Unix kernel and databases that run on that operating system, along with security sub-systems and instant messaging that run on Windows, are the newest additions to the SANS Institute's annual list of Top 20 vulnerabilities most exploited by hackers.

The list, released last week, highlights the most common holes exploited in software and is used by the SANS Institute to encourage corporations to make the vulnerabilities a priority as they develop patch-management strategies.

"This is the minimal list that organizations need to get their arms around to protect critical IT infrastructure," says Gerhard Eschelbeck, a member of the committee that developed the list and the CTO at Qualys, a supplier of on-demand vulnerability management. Qualys last week also made available at no cost a Web-based service that will scan infrastructure servers for the Top 20 vulnerabilities.

The federally supported Common Vulnerabilities and Exposures project has catalogued 10,000 vulnerabilities. The SANS Institute says that number includes 3,300 known remotely exploitable vulnerabilities and that 200 of them are linked to the Top 20 identified by SANS.

"If a company searches for all vulnerabilities, they'll find thousands and thousands," says Alan Paller, director of research at the SANS Institute. "If you give a report with 10,000 or 20,000 vulnerabilities to the systems staff, they don't know where to start, and they know they'll never get them all done."

The Top 20 list, which does not rank the vulnerabilities, is actually two lists divided into the Unix and Windows platforms. The vulnerabilities are not necessarily within those operating systems or their variants, but can reside in software that runs on those platforms.

For example, the Windows list calls out Web servers and services, including Microsoft's Internet Information Server, Apache and Sun Java System Web Server.

Eschelbeck says research into the Top 20 does not support arguments that Windows is any more or any less secure than Linux or any other operating system.

"Clearly what is happening now [on any platform] is dealing with the sins of the past, which have been a lack of quality and security in the software development process," he says.

Eschelbeck, who did extensive research for the list, including evaluating data gleaned from scans of six million computers, says that every 21 days half of all Internet-facing servers, such as mail or Web servers, are patched to address Top 20 vulnerabilities. For example, if 10,000 machines have a vulnerability, roughly 5,000 will be patched after 21 days. In the next 21 days, another 2,500 will be patched.

"That is pretty good actually, but in contrast, it takes 62 days to patch vulnerabilities on half the vulnerable computers inside a company," says Eschelbeck. He says he hopes that is cut to 40 days within the year.
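The patching rates Eschelbeck describes are a half-life model: a fixed fraction of the still-vulnerable population is patched in each interval. The script below is an added example, not from the article or from Qualys; it carries the 10,000-host figure through the 21-day external and 62-day internal half-lives, shows how long a fleet takes to reach a given patched fraction, and estimates a half-life from two scan counts (the method is an assumption for illustration, not how SANS or Qualys computed theirs).

```python
import math


def vulnerable_after(initial, half_life_days, days):
    """Hosts still unpatched after `days`, given a patching half-life."""
    return initial * 0.5 ** (days / half_life_days)


def days_to_patch_fraction(fraction, half_life_days):
    """Days until `fraction` of the original population has been patched."""
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    # Remaining fraction is 0.5 ** (t / h); solve for t.
    return half_life_days * math.log2(1 / (1 - fraction))


def estimate_half_life(count_start, count_end, elapsed_days):
    """Infer a patch half-life from two vulnerability scans of one fleet.

    Assumes exponential decay between scans; takes counts of hosts still
    flagged with a Top 20 vulnerability at each scan.
    """
    if count_end <= 0 or count_end >= count_start:
        raise ValueError("need a strictly decreasing, positive count")
    return elapsed_days / math.log2(count_start / count_end)


def patch_timeline(initial=10000, half_lives=(21, 40, 62), fraction=0.99):
    """Days needed to patch `fraction` of hosts under each half-life."""
    return {h: round(days_to_patch_fraction(fraction, h), 1) for h in half_lives}


if __name__ == "__main__":
    # Article figures: 10,000 hosts, 21-day half-life on the Internet edge.
    for day in (0, 21, 42, 63):
        print(f"day {day:3d}: {vulnerable_after(10000, 21, day):8.0f} still vulnerable")
    # Constructed scan data: 8,000 flagged hosts, 1,000 flagged 186 days later.
    print("estimated internal half-life:", estimate_half_life(8000, 1000, 186), "days")
    # Time to reach 99% patched at 21, 40 and 62 day half-lives.
    print("days to 99% patched:", patch_timeline())
```

The 99% milestone takes about 140 days at the external rate but over 400 days at the 62-day internal rate, which is why the gap between edge and internal patching matters more than the 21-day headline suggests.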

Top vulnerabilities

Here is a look at a few of the most common software vulnerabilities, which are not ranked in any specific order. The full list and complete explanations are available at www.sans.org.
Unix and Unix-based variants

BIND DNS: Due to the ubiquity and critical nature of BIND, it has been made the target of frequent attacks such as denial-of-service, buffer overflows and cache poisoning.
Version control systems: Vulnerabilities seen in the Concurrent Versions System (CVS) when configured for remote access.
OpenSSL: Multiple vulnerabilities exist in the OpenSSL library.
Databases: Databases are extremely complex applications and are often difficult to correctly configure and secure.
Kernel: Risks from kernel vulnerabilities include denial of service, execution of arbitrary code with system privileges, unrestricted access to the file system, or root-level access.

Windows

Web servers and services: Default installations of various HTTP servers and additional components for serving HTTP requests.
Web browsers: Vulnerabilities applicable to Internet Explorer, Mozilla, Firefox, Netscape and Opera.
LSASS exposures: The Windows Local Security Authority Subsystem Service contains a critical buffer overflow that, if exploited, can lead to full system compromise.
Mail client: Outlook and Outlook Express can successfully protect users against viruses, worms and malicious code if appropriately configured.
Instant messaging: Remotely exploitable vulnerabilities in these programs are a growing threat to the integrity and security of networks.