
SANS Lists Top 20 Critical Vulnerabilities


Written by Sharon Gaudin
May 2, 2005

Critical software vulnerabilities are increasingly being found not in the operating system but in applications and major databases.

The information comes out of a new quarterly report, the Top 20 Internet Security Vulnerabilities from the SANS Institute, a major source of security training and certification based in Bethesda, Md. Analysts from SANS had been releasing the report annually. This is the first of what will become quarterly releases, according to Alan Paller, director of research at the SANS Institute.

“Along with help from the FBI, the White House and the British government, we had done the Top 20 list annually since 2000,” says Paller. “We do it to give people a targeted list of vulnerabilities that really need to be corrected. Recently, we’ve been getting a lot of reports that people and their auditors have been using the Top 20 as a benchmark to make sure they’re closing the right vulnerabilities, and we decided that annually wasn’t frequent enough.”

And Paller says what he found most interesting about this first quarterly report is the number of bugs being found in applications.

“The most interesting thing about the list is the number of bugs that are not in operating systems, but are in databases, security products and storage products. That’s a major trend that started 18 months ago and it has accelerated. Virus writers used to attack just the operating system and now they’re attacking higher up.”

Products from Microsoft, Symantec, Computer Associates and Apple’s iTunes all have made the SANS list. A SANS spokesperson notes that if the listed vulnerabilities go unpatched, companies face a “heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, industrial espionage or for distributing spam or pornography.”

“These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and in our offices,” says Paller. “We’re publishing this list as a red flag for individuals, as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected.”

Paller says he is disturbed by the number of vulnerabilities being found in security products.

“They need to do better,” he adds. “The problem with the risk in the security applications is that when an attack takes over a computer using an application, it gets the rights that the security application has, and security applications have very high rights. If you use a virus checker to take over the computer, you have more power than if you use a word processor.”

Sharon Gaudin is an eSecurity Planet contributor.
