GSA unveils list of top 20 vulnerabilities

The top 20 list of Internet security vulnerabilities unveiled Wednesday by the U.S. General Services Administration (GSA) includes those affecting Microsoft Corp.'s Internet Explorer Web browser and Internet Information Services as well as the Apache Web server, which was identified as a source of problems for the Unix and Linux operating systems.

The GSA released the list to a gathering of government chief information officers and IT professionals in Washington, D.C. The list sounds warnings about a number of common Windows components.

Internet Information Services (IIS), which ships with the Windows NT Version 4, Windows 2000 Server and Windows XP Professional operating systems, was singled out for flaws that make it possible to send malicious code in the form of improperly formatted HTTP (Hypertext Transfer Protocol) requests, or to trigger buffer overflows that permit an attacker to place and execute malicious code on remote machines. IIS was previously called Internet Information Server, but Microsoft changed the name with version 6. The GSA list refers to IIS as Internet Information Services.

In addition, Microsoft's decision to include "sample applications" was identified as a major vulnerability. The location and source code of such demonstration applications are commonly known, it was noted. Because the applications were not designed to withstand attacks, they can frequently be commandeered by attackers to view or overwrite files on a remote computer's hard drive.

Regarding Microsoft's popular Internet Explorer (IE) Web browser, which is a standard component of every Windows operating system, nine separate vulnerabilities were listed. It was also noted that "all existing versions of Internet Explorer have critical vulnerabilities."

Among the IE vulnerabilities listed are those that make it possible for attackers to "spoof" legitimate online entities and steal protected information during transactions and execute malicious code using purposely malformed HTML (Hypertext Markup Language) format e-mail messages and buffer overflows.

For companies and individuals using the Unix or Linux operating systems, the GSA list calls attention to the commonly used Apache Web server as a source of security vulnerabilities, despite the common perception that it is a secure alternative to Microsoft's IIS.

Among the security holes noted in Apache is the SSL (Secure Sockets Layer) vulnerability used by the recent Slapper worm to attack hosts worldwide. That worm used a buffer overflow vulnerability in OpenSSL to place and compile source code on remote Apache servers. Once compiled, the worm connected the server to a peer-to-peer network of other infected servers, which could be used in a distributed denial of service (DDoS) attack.

A number of commonly used tools and protocols for Unix and Linux also came under fire in the list. SSH (Secure Shell), SNMP (Simple Network Management Protocol) and FTP (File Transfer Protocol) were all singled out for vulnerabilities that would allow a malicious party, often within a corporate network, to decrypt secure information being sent between two hosts, or "sniff" passwords and other logon information from sessions.

Other items on the GSA list were more common sense. Both the Unix and Windows operating systems were criticized for not requiring users to maintain "strong" passwords, which use combinations of numbers, letters and special characters, and for not doing enough to secure password files on the operating system.
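As an added illustration of the two password items above (not code from the article or from the GSA/SANS list), the following audit helpers check password composition against the stated rule and look for the two classic ways a Unix password file ends up exposed: hashes left in /etc/passwd instead of /etc/shadow, and a shadow file readable by group or others. The sample passwd content is constructed for the example.

```python
"""Audit helpers for the password items on the GSA/SANS list.
Added example; assumptions: a Unix-style passwd/shadow layout."""
import os
import re
import stat
import tempfile


def is_strong_password(pw: str, min_len: int = 8) -> bool:
    """Composition rule as the article states it: letters, digits and
    special characters must all be present (plus a minimum length)."""
    return (len(pw) >= min_len
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def unshadowed_accounts(passwd_text: str) -> list:
    """Return usernames whose passwd entry carries a real hash in field 2
    instead of the 'x' placeholder meaning the hash lives in /etc/shadow.
    A world-readable /etc/passwd with hashes in it is what offline
    password-cracking needs, so any such account is a finding."""
    exposed = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed or comment line; skip it
        user, hash_field = fields[0], fields[1]
        if hash_field not in ("x", "*", "!", ""):
            exposed.append(user)
    return exposed


def shadow_file_exposed(path: str) -> bool:
    """True if the shadow file is readable by group or others;
    /etc/shadow should normally be readable by root only."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample: one correctly shadowed account, one with a hash in passwd.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "legacy:$1$abcdefgh$ijklmnopqrstuvwxyz0123:1001:1001::/home/legacy:/bin/sh\n"
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)

if __name__ == "__main__":
    print("unshadowed:", unshadowed_accounts(SAMPLE_PASSWD))
    print("strong:", is_strong_password("Tr0ub4dor&3"), is_strong_password("password"))
```

To audit a real host, point shadow_file_exposed at /etc/shadow and unshadowed_accounts at the contents of /etc/passwd.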

The top 20 list is compiled each year by the Federal Bureau of Investigation's National Infrastructure Protection Center, the SysAdmin, Audit, Networking and Security (SANS) Institute, and prominent IT security management organizations including Qualys Inc., Foundstone Inc., Advanced Research Corp., Internet Security Systems Inc. and the Nessus organization.

The release of the list was accompanied by announcements from the five security management organizations of new tools that can be used to scan networks for any of the 20 vulnerabilities. While many of those tools are available only to existing customers of those companies, Qualys announced a free network scan for any company interested in testing for the vulnerabilities on the GSA list.

The GSA list represents a consensus opinion among researchers at SANS and at the security management companies about the leading security vulnerabilities that exist on the most common computing platforms: Microsoft's Windows operating systems and the Unix/Linux operating system.

The number of private-sector security vendors that contributed to the list increased this year, according to Dan Ingevaldson, team leader of X-Force Research and Development at Internet Security Systems Inc. ISS has contributed to previous SANS lists, according to Ingevaldson.

"There was a lot more work involved in building a consensus among the 10 vendors to select the top issues (this year)," said Ingevaldson.

Despite the number of parties whose input was solicited in creating the list, however, Ingevaldson said there was general agreement between the vendors on the 20 vulnerabilities that were finally selected.


Paul Roberts

PC World