The SANS Institute has released its annual list of the most critical Windows and Linux vulnerabilities, presented at a cybersecurity conference here.
Produced by a combined research effort from the United States, Britain, and Singapore, the top 10 Windows vulnerabilities were, listed from number 10 up to number 1: instant messaging, email clients, Local Security Authority Subsystem Service (LSASS) exposures, file-sharing applications, Web browsers, Windows authentication, Microsoft SQL Server, Windows Remote Access Services, the Workstation Service, and Web servers and services.
The top 10 Linux vulnerabilities, again listed from number 10 up to number 1, were: the kernel, databases, misconfigured enterprise services, OpenSSL (the open-source Secure Sockets Layer implementation), the Simple Network Management Protocol (SNMP), mail transport services, version control systems, authentication, Web servers, and the BIND domain name system server.
Most worms and other successful cyberattacks, SANS said in announcing the lists, are made possible by vulnerabilities in a small number of common operating system services. Attackers are opportunistic: they take the easiest and most convenient paths, exploiting the best-known flaws with the best and most widely available tools.
“They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems,” SANS said in its announcement. “The easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities.”
Former White House cybersecurity advisor Howard Schmidt called the SANS lists the definitive lists of “the most serious Internet vulnerabilities and security exposures, providing organizations around the world with clear guidance on how to identify, mitigate and eliminate core threats to their network and business.”
The Canadian Cyber Incident Response Centre agreed, adding that international cooperation is critical to protecting shared infrastructure. "The SANS Top-20 list of vulnerabilities is an important part of these efforts,” the CCIRC said in a statement. “Initiatives like this help to reinforce our partnerships between governments, industry, and information technology security professionals that are essential to the continued protection of our critical cyber systems and networks."
Thousands of organizations used the first SANS Top 10 list of critical vulnerabilities four years ago, and the expanded Top 20 lists that followed over the next three years. All of the vulnerabilities exploited by Blaster, Slammer, Code Red, and other worms were on the lists.