GSA unveils list of top 20 vulnerabilities

The top 20 list of Internet security vulnerabilities unveiled Wednesday by the U.S. General Services Administration (GSA) includes those affecting Microsoft Corp.'s Internet Explorer Web browser and Internet Information Services as well as the Apache Web server, which was identified as a source of problems for the Unix and Linux operating systems.

The GSA released the list to a gathering of government chief information officers and IT professionals in Washington, D.C. The list sounds warnings about a number of common Windows components.

Internet Information Services (IIS), which ships with the Windows NT Version 4, Windows 2000 Server and Windows XP Professional operating systems, was singled out for flaws that make it possible to send malicious code in the form of improperly formatted HTTP (Hypertext Transfer Protocol) requests, or to generate buffer overflows that permit an attacker to place and execute malicious code on remote machines. IIS was previously called Internet Information Server, but Microsoft changed the name with version 6. The GSA list refers to IIS as Internet Information Services.

In addition, Microsoft's decision to include "sample applications" was identified as a major vulnerability. The location and source code of such demonstration applications are commonly known, it was noted. Because the applications were not designed to withstand attacks, they can frequently be commandeered by attackers to view or overwrite files on a remote computer's hard drive.

Regarding Microsoft's popular Internet Explorer (IE) Web browser, which is a standard component of every Windows operating system, nine separate vulnerabilities were listed. It was also noted that "all existing versions of Internet Explorer have critical vulnerabilities."

Among the IE vulnerabilities listed are those that make it possible for attackers to "spoof" legitimate online entities and steal protected information during transactions, and to execute malicious code using purposely malformed HTML (Hypertext Markup Language) e-mail messages and buffer overflows.

For companies and individuals using the Unix or Linux operating systems, the GSA list calls attention to the commonly used Apache Web server as a source of security vulnerabilities, despite the common perception that it is a secure alternative to Microsoft's IIS.

Among the security holes noted in Apache is the SSL (Secure Sockets Layer) vulnerability used by the recent Slapper worm to attack hosts worldwide. That worm used a buffer overflow vulnerability in OpenSSL to place and compile source code on remote Apache servers. Once compiled, the worm connected the server to a peer-to-peer network of other infected servers, which could be used in a distributed denial of service (DDoS) attack.

A number of commonly used tools and protocols for Unix and Linux also came under fire in the list. SSH (Secure Shell), SNMP (Simple Network Management Protocol) and FTP (File Transfer Protocol) were all singled out for vulnerabilities that would allow a malicious party, often within a corporate network, to decrypt secure information being sent between two hosts, or "sniff" passwords and other logon information from sessions.

Other items on the GSA list were more common sense. Both the Unix and Windows operating systems were criticized for not requiring users to maintain "strong" passwords, which use combinations of numbers, letters and special characters, and for not doing enough to secure password files on the operating system.
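The password rule described above (a mix of numbers, letters and special characters) is the kind of policy an administrator can enforce at account-creation time. The following is an added example written for this page, not code from the GSA list or any of the vendors named; the 12-character minimum is an assumption, since the article states no length, and the list of violations returned lets a caller show the user exactly what the password is missing.

```python
import string

# Assumed policy threshold: the article names no minimum length, so this value is
# a placeholder an administrator would set to match their own standard.
MIN_LENGTH = 12

def check_password_strength(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    The three character-class rules are the ones the GSA list describes
    (numbers, letters, special characters); the length rule is added on top.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    # string.punctuation covers the printable ASCII special characters.
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems

def is_strong(password: str) -> bool:
    """Convenience wrapper: True only when no policy rule is violated."""
    return not check_password_strength(password)

if __name__ == "__main__":
    # Constructed sample inputs, not passwords from any real system.
    for candidate in ["password", "Tr0ub4dor&3-xkcd"]:
        verdict = check_password_strength(candidate)
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

A character-class rule of this sort only filters out the weakest choices; it does not stop a dictionary word with a trailing digit and symbol, so it is best paired with a length requirement and a check against known-compromised passwords.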

The top 20 list is compiled each year by the Federal Bureau of Investigation's National Infrastructure Protection Center, the SysAdmin, Audit, Networking and Security (SANS) Institute, and prominent IT security management organizations including Qualys Inc., Foundstone Inc., Advanced Research Corp., Internet Security Systems Inc. and the Nessus organization.

The release of the list was accompanied by announcements from the five security management organizations of new tools that can be used to scan networks for any of the 20 vulnerabilities. While many of those tools are available only to existing customers of those companies, Qualys announced a free network scan for any company interested in testing for the vulnerabilities on the GSA list.

The GSA list represents a consensus opinion among researchers at SANS and at the security management companies about the leading security vulnerabilities that exist on the most common computing platforms: Microsoft's Windows operating systems and the Unix/Linux operating system.

The number of private-sector security vendors that contributed to the list increased this year, according to Dan Ingevaldson, Team Leader of X-Force Research and Development at Internet Security Systems Inc. ISS has contributed to previous SANS lists, according to Ingevaldson.

"There was a lot more work involved in building a consensus among the 10 vendors to select the top issues (this year)," said Ingevaldson.

Despite the number of parties whose input was solicited in creating the list, however, Ingevaldson said there was general agreement between the vendors on the 20 vulnerabilities that were finally selected.

Paul Roberts

PC World