In-Depth

SANS Top Vulnerability List Gets Quarterly Updates

List helps prioritize vulnerability patching

• By Mathew Schwartz
• 05/11/2005

Which vulnerabilities should security managers patch first?

To help answer that question, many rely upon the SANS Institutes’s annual list of the year’s top 20 vulnerabilities, compiled by a large group of security experts and released every October.

The list aims to drastically decrease the number of critical vulnerabilities that remain unpatched. Think of it as improving the overall information security ecosystem since, as SANS notes, “the easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities.”

Now, in addition to that annual list of vulnerabilities, SANS announced it will produce quarterly updates. “Threats are evolving at a much faster rate, necessitating regular updates to the list to ensure organizations have the most current information possible on critical security vulnerabilities,” says Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys.

Eschelbeck is responsible for coining the “Laws of Vulnerabilities.” Based on his research, the average half-life of a vulnerability, or the time it takes 50 percent of affected organizations to patch it, is 21 days for external systems, and 62 days for internal systems. Significantly, most attackers exploit a known vulnerability within the first half-life period or two. That’s one incentive driving the SANS quarterly updates: to decrease the time it takes organizations to patch, thus better protecting their networks from the bulk of attacks.

“We’re publishing this list as a red flag for individuals as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected,” says Alan Paller, director of research for the SANS Institute.

The updates are compiled by a team that draws members from four organizations: the SANS Internet Storm center, Qualys, 3Com’s TippingPoint division, and the British Government’s National Infrastructure Security Coordination Centre.

To qualify for inclusion on the list of top vulnerabilities for the first quarter of 2005, vulnerabilities had to meet several criteria. For example, they must affect a large number of users and not have been patched on a large number of systems. Furthermore, the vulnerabilities must be subject to remote exploitation, have been detailed sufficiently on public forums so attackers know how to exploit them, and have been discovered during the first three months of 2005.

Naming Names

The top vulnerabilities for the first quarter of 2005 include seven Microsoft vulnerabilities, buffer overflows affecting Computer Associates’ license management, plus buffer overflows in antivirus and media player software. Also making the list: a DNS cache poisoning vulnerability and a critical Oracle patch.

Note that patches have been released for all of the vulnerabilities on the list.

1. Microsoft Internet Explorer Vulnerabilities

Multiple vulnerabilities can allow attackers to install spyware, or Trojan software such as remote-control software and keystroke loggers, onto a user’s PC when the user visits a malicious Web site. To prevent such drive-by downloads, SANS recommends organizations patch per these Microsoft security bulletins: Microsoft DHTML Edit ActiveX Remote Code Execution (MS05-013), Microsoft Cursor and Icon Handling Overflow (MS05-002), Microsoft HTML Help ActiveX Control Cross Domain Vulnerability (MS05-001), and Vulnerabilities in Internet Explorer (MS05-014 and MS05-008).

2. Microsoft PNG File Processing Vulnerability

Microsoft Windows Media Player, Windows Messenger, and MSN Messenger are affected by a vulnerability relating to how the programs process PNG files. “Computers with these vulnerabilities can be taken over if the user downloads a malicious media file from a Web site or opens a malicious picture while using MSN or Windows Messenger,” notes SANS.

3. Microsoft Server Message Block (SMB)

Thanks to an SMB vulnerability, “an attacker running a malicious server,” says SANS, could completely compromise a user’s machine. Windows 2000 Service Pack 3 and 4, Microsoft Windows XP (both service packs), and Windows Server 2003 are affected.

4. Windows License Logging Overflow

“Computers with this vulnerability can be completely taken by a malicious user who sends special packets to the machine,” says SANS. Windows NT Server 4.0 Service Pack 6a, NT Terminal Server Edition Service Pack 6, Windows 2000 Server Service Pack 3 and 4, and Microsoft Windows Server 2003 are affected.

5. DNS Cache Poisoning

Attackers can cause Web sites to reroute users to other sites, where the attacker could then initiate a drive-by download by using known Internet Explorer vulnerabilities. Windows NT and Windows 2000 (SP2 or earlier) Domain Name Service servers are affected, as is Symantec’s Gateway Security, Enterprise Firewall, and VelociRaptor products.

6. Antivirus Program Buffer Overflows

Antivirus software from F-Secure, McAfee, Trend Micro, and Symantec is vulnerable to buffer overflows because of how they scan certain file types. A remote attacker could use this vulnerability to take control of a PC.

7. Media Player Buffer Overflows

A Web site serving malicious code can automatically infect users of such media players as iTunes, RealPlayer, and WinAmp, via a buffer overflow vulnerability, when users visit a malicious Web site.

8. Oracle Vulnerabilities

In January 2005, Oracle issued a Critical Patch Update to prevent remote attackers from taking advantage of vulnerabilities in Oracle’s Database Server, Application Server, E-business Suite, and Collaboration Suite. Using the vulnerabilities, an attacker could “gain control of databases and get access to information,” says SANS.

9. CA License Buffer Overflow

Attackers could remotely compromise and take control of any computers running Computer Associates’ license manager, thanks to a buffer overflow.

Related Articles:

Q&A: How to Assess Pharming Threats
ww.xxx.comhttp://www.esj.com/Security/article.aspx?EditorialsID=1363

Q&A: Security Best Practices Include Automated Remediation
http://www.esj.com/Security/article.aspx?EditorialsID=1348

Which Bugs Will Bite? Vulnerability Predictions for 2004
http://www.esj.com/security/article.aspx?EditorialsID=810