SANS Identifies Top 20 Vulnerabilities in Windows and Unix

New list pinpoints critical security holes in popular software programs.

The SANS Institute in conjunction with the Federal Bureau of Investigation and National Infrastructure Protection Center released a list of the top 20 software vulnerabilities facing organizations today.

The report, which is the second major update to the original list released in July 2000, is designed to help users prioritize security holes so they can eliminate their most dangerous vulnerabilities first. It was compiled using data from dozens of security experts in both the public and private sectors as well as university-based security programs. The list of vulnerabilities is included below.

In the past, vulnerabilities that led to such notable security breaches as the Solar Sunrise Pentagon attack and the Code Red and NIMDA worms have been on the SANS/FBI Top Twenty. This year’s list includes a vulnerability found in the Apache Web Server software, which has been exploited by the recent spread of the Apache/mod_ssl Worm, code-named Slapper.

According to SANS, the Slapper worm serves as an important example to enterprises looking to deploy secure platforms. Whereas Code Red and NIMDA targeted Microsoft’s Internet Information Server, Slapper has wreaked havoc on Apache—a platform that has been positioned by many industry insiders as a secure alternative to IIS.

Alan Paller, director of research for SANS, says the Slapper worm will go a long way toward dispelling the myth that Apache is 100 percent secure.

“A lot of people have been talking about ‘You should use Apache instead of IIS.’ But now we’re on more even ground,” he says. “Nobody’s perfect.”

The 2002 iteration of the SANS/FBI Top Twenty is the first time a vulnerability in Apache has been specifically pointed to. However, Jeff Campione, project leader for the list, says that doesn’t take anything away from Apache’s solid reputation for security. In fact, he says, the Slapper worm wasn’t created to attack Apache. It was, he says, designed to exploit a vulnerability in the security protocol SSL, which happens to be contained within Apache. The lesson to be learned from the Slapper worm is that “regardless of what you’re running, you have to stay on top of the latest vulnerabilities.”

Originally, the SANS vulnerability list included just the top 10 vulnerabilities. When the first update was released in October 2001, it was expanded to 20 items and split into three different categories—General Vulnerabilities, Unix Vulnerabilities, and Windows Vulnerabilities. This year’s update remains at 20 items but only has categories for Unix and Windows.

Paller says SANS decided to limit the list to Unix and Windows because it didn’t want to overwhelm users. “The list could have gone way beyond 20, but we didn’t want to bury people,” he says.

SANS expects to release a supplement in early 2003 with vulnerabilities for other platforms, including Cisco and Oracle. That list, Paller says, will be based on data provided to SANS by major software security scanning vendors.

These vendors played a primary role in helping build this year’s SANS/FBI Top Twenty, says Paller. “They informed the process,” submitting their top vulnerabilities to be used as a comparative tool by the voting committee. In addition, Paller says every major scanning vendor was invited this year to provide tools for users to scan their systems for the vulnerabilities highlighted by the SANS/FBI Top Twenty.

Five vendors—Qualys Inc., Internet Security Systems, Foundstone, Nessus Organization, and Advanced Research Corporation—have accepted the invitation. Qualys is offering a free, Web-based scan, while Nessus and Advanced Research are contributing free, open-source tools, and ISS and Foundstone are providing pay-for-use software.

Ultimately, the SANS/FBI Top Twenty is intended to be an industry-wide project for pinpointing the most critical software vulnerabilities. In the past, Paller says, a number of organizations have compiled their own lists. But, he notes, SANS has been pretty successful so far in bringing all that data together into a single list. “This cleans up the mess of all the lists having a slightly different view of the elephant.”

Furthermore, Campione says the list helps non-security experts assign importance to specific vulnerabilities. He says the average IT administrator gets a ton of vulnerability warnings every week and can’t really be expected to know which ones pose serious threats to their network and which ones don’t.

“If we did it right, which we think we did,” says Campione, “we can provide that level of prioritization.”

To see the SANS/FBI Top Twenty document in its entirety, please visit

Unix Systems

1. Remote Procedure Calls
2. Apache Web Server
3. Secure Shell
4. Simple Network Management Protocol
5. File Transfer Protocol
6. R-Services – Trust Relationships
7. Line Printer Daemon
8. Sendmail
10. General Unix Authentication – Accounts with No Passwords or Weak Passwords

Windows Systems

1. Internet Information Services
2. Microsoft Data Access Components
3. Microsoft SQL Server
4. NETBIOS – Unprotected Windows Networking Shares
5. Anonymous Logins – Null Sessions
6. LAN Manager Authentication – Weak LM Hashing
7. General Windows Authentication – Accounts with No Passwords or Weak Passwords
8. Internet Explorer
9. Remote Registry Access
10. Windows Scripting Host

About the Author

Matt Migliore is a regular contributor to . He focuses particularly on Microsoft .NET and other Web services technologies. Matt was the editor of several technology-related Web publications and electronic newsletters, including Web Services Report, ASP insights and MIDRANGE Systems.