X

FBI names most wanted security flaws

The bureau and a prestigious computer-security research group announce the 20 most serious security flaws affecting both Windows and Unix systems.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
See full bio
Robert Lemos
2 min read
With an eye toward taking the ease out of hacking, the FBI and a prestigious computer-security research group have announced the 20 most serious security vulnerabilities affecting both Windows and Unix systems.

The two Top Twenty Internet Security Vulnerabilities for 2002 lists, announced Wednesday, outline the software features most often used by hackers to circumvent computer security and break into Windows and Unix systems. The FBI's partner in the venture is the SysAdmin, Audit, Networking and Security (SANS) Institute , a research and education organization made up of government, corporate and academic experts.

As part of the announcement, the U.S.'s General Services Administration, the body that oversees the functioning of federal agencies, urged those agencies to test their networks for systems with any of the listed risks.

"This will go a long way to help prevent more serious computer security incidents," said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection for the GSA's Federal Technology Service.

Along with the GSA, the U.S.'s Federal Computer Incident Response Center (FedCIRC), the U.K.'s National Infrastructure Security Coordination Centre (NISCC) and Canada's Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) announced support for the initiative.

As previously reported by CNET News.com, the SANS Institute was also planning a weekly critical vulnerability analysis mailing list. That list was announced Wednesday and will rely on a committee of 15 security professionals to decide which of the dozens of vulnerabilities found each week should receive special attention.

In addition, sources told News.com that the SANS Institute intends to develop a broader list of potential security problems to give companies further guidance on the security of their networks.

Topping the Windows list of vulnerabilities were weaknesses in Microsoft's Web-server software, Internet Information Server (IIS); Microsoft's Data Access Components (MDAC)--Remote Data Services, and the company's SQL database server.

The most problematic Unix vulnerabilities include remote procedure calls (RPC), software slipups in the Apache Web server, and issues with a popular secure communications protocol known as secure shell (SSH).