BETHESDA, Md., May 2, 2005 - More than 600 new Internet security vulnerabilities were discovered during the first quarter of 2005, according to the SANS Institute and a team of experts from industry and government. This group has identified the most critical vulnerabilities disclosed in Q1, those that pose risks serious enough to require patching and other defensive action. Individuals and organizations that do not correct these problems face a heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, for industrial espionage, or for distributing spam or pornography.
The new report provides a quarterly update to the SANS Top 20 Internet Security Vulnerabilities list (www.sans.org/top20/), published annually in October. To be included on the new quarterly update, vulnerabilities must meet five requirements: (1) they affect a large number of users, (2) they have not been patched on a substantial number of systems, (3) they allow computers to be taken over by a remote, unauthorized user, (4) sufficient details about the vulnerabilities have been posted to the Internet to enable attackers to exploit them, and (5) they were discovered or first patched during the first three months of 2005.
Any person or organization running the vulnerable software products should ensure that they or their computer support professionals have corrected the specific problems listed. (The vulnerable software packages are listed at the end of this release; details on each of the vulnerabilities, and instructions on correcting them, may be found at www.sans.org/top20/Q1-2005update.)
"These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and in our offices," said Alan Paller, director of research for the SANS Institute. "We're publishing this list as a red flag for individuals as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected."
SANS is not acting alone in drawing attention to these critical vulnerabilities.
Roger Cumming, Director of NISCC, the British Government's Cybersecurity and Critical Infrastructure office, commented on the new list: "This extremely valuable SANS list of critical vulnerabilities highlights the need for administrators of IT systems to stay up to date with patches and advances in security architecture that product vendors have been implementing."
"The SANS Top 20 list is a widely recognized benchmark for identifying the most critical security vulnerabilities," said Gerhard Eschelbeck, CTO and VP of Engineering at Qualys. "Threats are evolving at a much faster rate, necessitating regular updates to the list to ensure organizations have the most current information possible on critical security vulnerabilities."
"It is important to draw people's attention to these vulnerabilities because they could result in severe consequences if not properly resolved," said Marc Willebeek-LeMair, Chief Technology Officer of 3Com's TippingPoint division.
These critical new vulnerabilities are selected from data compiled for @RISK, the free, authoritative vulnerability summary issued weekly by SANS (and co-authored by experts from TippingPoint and Qualys) to more than 100,000 security professionals around the world. They represent only those vulnerabilities first discovered or patched during the first quarter of calendar year 2005.
The team that collaborated to compile the Quarterly Vulnerability Update to the Top20 includes representatives from four key security organizations:
The SANS Institute was established in 1989 and has become the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. SANS Institute began as a cooperative research and education organization and now reaches more than 165,000 security professionals, auditors, system administrators, network administrators, chief information security officers, and CIOs. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community. Further information about SANS is available at http://www.sans.org.