The SANS Institute has released its annual list of the top 20 Internet security vulnerabilities, pinpointing Web servers and services (Windows) and the BIND Domain Name System (Unix) for containing the most dangerous security holes.

For the first time since creating the list five years ago, the SANS Institute (SysAdmin, Audit, Network, Security) split the list in two to identify the top 10 most commonly exploited holes in Windows and Unix systems and warned that the security bugs require urgent attention.

According to the list, the top 10 vulnerabilities to Windows Systems are:


1. Web Servers & Services
2. Workstation Service
3. Windows Remote Access Services
4. Microsoft SQL Server (MSSQL)
5. Windows Authentication
6. Web Browsers
7. File-Sharing Applications
8. LSAS Exposures
9. Mail Client
10. Instant Messaging

The top 10 flaws to Unix Systems are:

1. BIND Domain Name System
2. Web Server
3. Authentication
4. Version Control Systems
5. Mail Transport Service
6. Simple Network Management Protocol (SNMP)
7. Open Secure Sockets Layer (SSL)
8. Misconfiguration of Enterprise Services NIS/NFS
9. Databases
10. Kernel

The top 20 list is described as "a living document" that includes step-by-step instructions and pointers to additional information for correcting the security flaws.

In identifying Web servers and services as the most vulnerable for Windows users, the institute warned that default installations of various HTTP servers and additional components for serving HTTP requests have proven vulnerable to a number of serious attacks over time.

Successful exploits of Web Server flaws include Denial-of-Service attacks , data exposure, malicious code execution and complete server compromise.

The vulnerable HTTP servers include Microsoft's , the open-source Apache project and Sun's iPlanet (SunONE). The institute urged IT administrators to ensure all patches are up to date for the server and that a current version is running.

"In most HTTP server software, the default configuration is rather open leaving large avenues for exploit. Whilst this has been changed to a 'secure by default' posture for IIS 6.0, it is crucial that administrators take the time to fully understand their Web server and adjust the configuration to allow only those features and services required," it added.

On the Unix side, SANS said buffer overflows and cache poisoning throughout 2004 have plagued the Berkeley Internet Name Domain (BIND) package. The BIND domain name system is used to handle the conversion of hostnames into the corresponding IP address but, because of its critical nature, it has been made the target of frequent attack.

"Although the BIND development team has historically been quick to respond to and/or repair vulnerabilities, an excessive number of outdated, misconfigured and/or vulnerable servers still remain in production," the institute warned.

The 2004 list includes detailed explanations of each vulnerability and the corresponding attack vector and provides security information for enterprise IT admins.