GSA unveils list of top 20 vulnerabilities

The top 20 list of Internet security vulnerabilities unveiled Wednesday by the U.S. General Services Administration (GSA) includes those affecting Microsoft Corp.'s Internet Explorer Web browser and Internet Information Services as well as the Apache Web server, which was identified as a source of problems for the Unix and Linux operating systems.

The GSA released the list to a gathering of government chief information officers and IT professionals in Washington, D.C. The list sounds warnings about a number of common Windows components.

Internet Information Services (IIS), which ships with the Windows NT Version 4, Windows 2000 Server and Windows XP Professional operating systems, was singled out for flaws that make it possible to send malicious code in the form of improperly formatted HTTP (Hypertext Transfer Protocol) requests, or to trigger buffer overflows that permit an attacker to place and execute malicious code on remote machines. IIS was previously called Internet Information Server, but Microsoft changed the name with version 6. The GSA list refers to IIS as Internet Information Services.

In addition, Microsoft's decision to include "sample applications" was identified as a major vulnerability. The location and source code of such demonstration applications are commonly known, it was noted. Because the applications were not designed to withstand attacks, they can frequently be commandeered by attackers to view or overwrite files on a remote computer's hard drive.

Regarding Microsoft's popular Internet Explorer (IE) Web browser, which is a standard component of every Windows operating system, nine separate vulnerabilities were listed. It was also noted that "all existing versions of Internet Explorer have critical vulnerabilities."

Among the IE vulnerabilities listed are those that allow attackers to "spoof" legitimate online entities and steal protected information during transactions, and those that allow malicious code to be executed through purposely malformed HTML (Hypertext Markup Language) e-mail messages and buffer overflows.

For companies and individuals using the Unix or Linux operating systems, the GSA list calls attention to the commonly used Apache Web server as a source of security vulnerabilities, despite the common perception that it is a secure alternative to Microsoft's IIS.

Among the security holes noted in Apache is the SSL (Secure Sockets Layer) vulnerability used by the recent Slapper worm to attack hosts worldwide. That worm used a buffer overflow vulnerability in OpenSSL to place and compile source code on remote Apache servers. Once compiled, the worm connected the server to a peer-to-peer network of other infected servers, which could be used in a distributed denial of service (DDoS) attack.

A number of commonly used tools and protocols for Unix and Linux also came under fire in the list. SSH (Secure Shell), SNMP (Simple Network Management Protocol) and FTP (File Transfer Protocol) were all singled out for vulnerabilities that would allow a malicious party, often within a corporate network, to decrypt secure information being sent between two hosts, or "sniff" passwords and other logon information from sessions.

Other items on the GSA list were more common sense. Both the Unix and Windows operating systems were criticized for not requiring users to maintain "strong" passwords, which use combinations of numbers, letters and special characters, and for not doing enough to secure password files on the operating system.

The top 20 list is compiled each year by the Federal Bureau of Investigation's National Infrastructure Protection Center, the SysAdmin, Audit, Networking and Security (SANS) Institute, and prominent IT security management organizations including Qualys Inc., Foundstone Inc., Advanced Research Corp., Internet Security Systems Inc. and the Nessus organization.

The release of the list was accompanied by announcements from the five security management organizations of new tools that can be used to scan networks for any of the 20 vulnerabilities. While many of those tools are available only to existing customers of those companies, Qualys announced a free network scan for any company interested in testing for the vulnerabilities on the GSA list.

The GSA list represents a consensus opinion among researchers at SANS and at the security management companies about the leading security vulnerabilities that exist on the most common computing platforms: Microsoft's Windows operating systems and the Unix/Linux operating system.

The number of private-sector security vendors that contributed to the list increased this year, according to Dan Ingevaldson, Team Leader of XForce Research and Development at Internet Security Systems Inc. ISS has contributed to previous SANS lists, according to Ingevaldson.

"There was a lot more work involved in building a consensus among the 10 vendors to select the top issues (this year)," said Ingevaldson.

Despite the number of parties whose input was solicited in creating the list, however, Ingevaldson said there was general agreement between the vendors on the 20 vulnerabilities that were finally selected.

Paul Roberts

PC World