Security Experts Issue Update Of SANS Top 20 Most Critical Internet Vulnerabilities List

The new report provides a quarterly update to the SANS Top 20 Internet Security Vulnerabilities list (www.sans.org/top20/ ) published annually in October. To be included on the new quarterly update, vulnerabilities must meet five requirements: (1) they affect a large number of users, (2) they have not been patched on a substantial number of systems, (3) they allow computers to be taken over by a remote, unauthorized user, (4) sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them, and (5) they were discovered or first patched during the first three months of 2005.

Any person or organization running the vulnerable software products should ensure that they or their computer support professionals have corrected the specific problems listed. (The vulnerable software packages are listed at the end of this release and details on each of the vulnerabilities, and instructions on correcting them, may be found at www.sans.org/top20/Q1-2005update )

These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and in our offices, according to Alan Paller, director of research for the SANS Institute. We're publishing this list as a red flag for individuals as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected.

SANS is not acting alone in drawing attention to these critical vulnerabilities.

Roger Cumming, Director of NISCC, the British Government's Cybersecurity and Critical Infrastructure office, commented on the new list, This extremely valuable SANS list of critical vulnerabilities highlights the need for administrators of IT systems to stay up to date with patches and advances in security architecture that product vendors have been implementing.

The SANS Top 20 list is a widely recognized benchmark for identifying the most critical security vulnerabilities, said Gerhard Eschelbeck, CTO and VP of Engineering at Qualys. Threats are evolving at a much faster rate, necessitating regular updates to the list to ensure organizations have the most current information possible on critical security vulnerabilities.

It is important to draw people's attention to these vulnerabilities because they could result in severe consequences if not properly resolved, said Marc Willebeek-LeMair, Chief Technology Officer of 3Com's TippingPoint division.

These critical new vulnerabilities are selected from data compiled for @RISK, the free, authoritative vulnerability summary issued by SANS (and co-authored by experts from TippingPoint and Qualys) each week to more than 100,000 security professionals around the world. They represent only those vulnerabilities first discovered or patched during the first quarter of calendar year 2005.

The team that collaborated to compile the Quarterly Vulnerability Update to the Top20 includes representatives from four key security organizations:

• Representing the intrusion prevention expert community, and leading the Quarterly Vulnerability Update effort, was Rohit Dhamankar of TippingPoint, a division of 3Com. TippingPoint tracks all critical vulnerabilities as an essential element in its continuously updating of its intrusion prevention products with protection against new threats. The analysis done by TippingPoint provides deep understanding of how the critical vulnerabilities work and how they can be exploited.
• Representing the vulnerability management expert community is Gerhard Eschelbeck of Qualys. Qualys tracks all new vulnerabilities as an essential element of its process of checking more than 2,000,000 computers each week to see whether any vulnerabilities are present. Qualys provided valuable information that helped determine that these vulnerabilities were still widespread. The company also offers a free network scanning service to help companies find and eliminate the vulnerabilities highlighted in the SANS Top 20 list, available at https://sans20.qualys.com
• Representing the government community is the British Government's National Infrastructure Security Co-Ordination Centre (NISCC). NISCC sets the standard among governments around the world for proactive information security - identifying key security vulnerabilities early and ensuring users and vendors work together to correct them.
• Representing the SANS Internet Storm center community are Marcus Sachs and Johannes Ullrich. SANS Internet Storm Center monitors the Internet using more than 6,000 sensors managed by volunteers around the world, providing early warning of worms and other widespread cyber attacks. It also monitors attacks through voluntary reporting and nightly analysis to help illuminate new types of attacks appearing on the Internet.

The SANS Institute was established in 1989 and has become the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - Internet Storm Center. SANS Institute began as a cooperative research and education organization and now reaches more than 165,000 security professionals, auditors, system administrators, network administrators, chief information security officers, and CIOs. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community. Further information about SANS is available at http://www.sans.org.

Summary List of the SANS Quarterly Vulnerability Update for Q1 2005.

Details may be found at www.sans.org/top20/Q1-2005update and in the vendor advisories provided at that site.

Software affected: Microsoft Internet Explorer
Systems affected: Desktops, laptops, and servers running any version of Windows
Vulnerabilities: (material in parentheses refers to the relevant Microsoft security bulletin)

• Microsoft DHTML Edit ActiveX Remote Code Execution (MS05-013)
• Microsoft Cursor and Icon Handling Overflow (MS05-002)
• Microsoft HTML Help ActiveX Control Cross Domain Vulnerability (MS05-001)
• Vulnerabilities in Internet Explorer patched by MS05-014and MS05-008

Risk: Computers with these vulnerabilities can have spyware, keystroke loggers, and remote control software installed on their systems when the user visits any web sites that have been programmed to exploit the vulnerabilities.

Software affected: Microsoft Windows Media Player, Windows Messenger, and MSN Messenger
Systems affected: Windows desktops and laptops.
Vulnerability: Microsoft PNG File Processing (MS05-009)
Risk: Computers with these vulnerabilities can be taken over if the user downloads a malicious media file from a Web site or opens a malicious picture while using MSN or Windows Messenger.

Software affected: Microsoft Windows XP Service Pack 1 and 2, Windows 2000 Service Pack 3 and 4, and Windows Server 2003
Systems affected: Laptops, desktops, and servers on Windows networks.
Vulnerability: Microsoft Server Message Block (SMB) (MS05-011)
Risk: Computers with this vulnerability can be completely compromised by an attacker running a malicious server.

Software affected: Microsoft Windows Server 2003, Windows 2000 Server Service Pack 3 and 4. Windows NT Server 4.0 Service Pack 6a, and NT Terminal Server Edition Service Pack 6
Systems affected: Servers on Windows networks.
Vulnerability: Windows License Logging Service Overflow (MS05-010)
Risk: Computers with this vulnerability can be completely taken by a malicious user who sends special packets to the machine.

Software affected: Windows NT and Windows 2000 (SP2 or earlier) Domain Name Service servers; Symantec Gateway Security, Enterprise Firewall, and VelociRaptor Products
Systems affected: Directly, certain servers running address-resolution service; indirectly, any computer on the network using the service.
Vulnerability: DNS Cache Poisoning
Risk: Attackers can direct users to malicious websites. These websites, in turn, can exploit Internet Explorer vulnerabilities to install spyware programs.

Software affected: Anti-virus Products from Symantec, F-Secure, TrendMicro and McAfee
Systems affected: Desktops, laptops, and servers running certain anti-virus software.
Vulnerability: Buffer overflows in decoding certain types of files
Risk: Remote attackers can take complete control of computers running these security products.

Software affected: RealPlayer, iTunes and WinAmp Media Players
Systems affected: Desktops and laptops.
Vulnerability: Buffer Overflows
Risk: Users of these applications can be infected by simply visiting a web site that has been infected with malicious code.

Software affected: Oracle Database Server, Oracle Application Server, Oracle E-business Suite and Oracle Collaboration Suite
Systems affected: Multiple Oracle servers
Vulnerability: Vulnerabilities patched in Oracle's January 2005 Critical Patch Update
Risk: Remote hackers can possibly exploit these vulnerabilities to gain control of databases and get access to information.

Software affected: Computer Associates Products Running License Manager
Systems affected: Computers running Computer Associates software
Vulnerability: CA License Package Buffer Overflow
Risk: Remote users can take complete control of computers running various CA products.