
Security group names top software risks

The SANS Institute publishes its to-do list of vulnerable software that system administrators need to fix. Two top risks: Microsoft's IIS and Unix BIND.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
A security organization published its fourth annual list of the most vulnerable software Wednesday, putting network administrators on notice that they need to check their systems.

The SysAdmin Audit Network Security (SANS) Institute's "Top 20 Vulnerabilities," first published three years ago in collaboration with the FBI's National Infrastructure Protection Center, consists of two lists: the top 10 flaws in Microsoft's operating system and software; and the top 10 flaws in Unix systems.

"The (list) defines the set of network security vulnerabilities that are most commonly used by hackers to break into systems," Alan Paller, director of research for the SANS Institute, said in a statement. "They should be addressed by network administrators as quickly as possible."

The lists are intended to guide system administrators in checking their systems for flawed software. The description of each of the 20 vulnerabilities suggests ways to mitigate the risks associated with that particular insecure software.

SANS rated Microsoft's Web server--the Internet Information Service (IIS) software--as the leading cause of vulnerabilities in Windows systems.

Microsoft has issued warnings for more than half a dozen flaws for its IIS Web server software in the last year. In May, the company alerted consumers to four vulnerabilities in the software. Last November, security researchers warned the software giant of other flaws in its Web server. The Code Red worm, which spread widely during July and August 2001, used a flaw in Microsoft's Web servers to infect the machines.

On the Unix side, the Berkeley Internet Name Domain (BIND) domain name system (DNS) software--the widely used program that translates domain names into numerical Internet addresses--is the most problematic program on that family of operating systems, which includes the various flavors of Linux, Sun Microsystems' Solaris and IBM's AIX.

Several flaws have been found in the BIND software in the last year. In March, the Internet Software Consortium released a new version of the software that patched security holes. And in November, security researchers pinpointed another flaw in the software that had to be patched.

Other top flaws on Windows systems included Microsoft's SQL database software, which the Slammer worm exploited, and Windows remote access services such as Microsoft's implementation of the remote procedure call (RPC) standard, whose flaw the MSBlast worm used to spread.

Top Unix-based software flaws include those in the systems' own RPC service implementations as well as insecure Apache Web server installations.