The top 20 list of Internet security vulnerabilities unveiled Wednesday by the U.S. General Services Administration (GSA) includes those affecting Microsoft Corp.'s Internet Explorer Web browser and Internet Information Services as well as the Apache Web server, which was identified as a source of problems for the Unix and Linux operating systems.
The GSA released the list to a gathering of government chief information officers and IT professionals in Washington, D.C. The list sounds warnings about a number of common Windows components.
Internet Information Services (IIS), which ships with Windows NT Version 4, Windows 2000 Server and Windows XP Professional operating systems was singled out for flaws that make it possible to send malicious code in the form of improperly formatted HTTP (Hypertext Transfer Protocol) requests, or to generate buffer overflows that permit an attacker to place and execute malicious code on remote machines. IIS was previously called Internet Information Server, but Microsoft changed the name with version 6. The GSA list refers to IIS as Internet Information Services.
In addition, Microsoft's decision to include "sample applications" was identified as a major vulnerability. The location and source code of such demonstration applications are commonly known, it was noted. Because the applications were not designed to withstand attacks, they can frequently be commandeered by attackers to view or overwrite files on a remote computer's hard drive.
Regarding Microsoft's popular Internet Explorer (IE) Web browser, which is a standard component of every Windows operating system, nine separate vulnerabilities were listed. It was also noted that "all existing versions of Internet Explorer have critical vulnerabilities."
Among the IE vulnerabilities listed are those that make it possible for attackers to "spoof" legitimate online entities and steal protected information during transactions and execute malicious code using purposely malformed HTML (Hypertext Markup Language) format e-mail messages and buffer overflows.
For companies and individuals using the Unix or Linux operating systems, the GSA list calls attention to the commonly used Apache Web server as a source of security vulnerabilities, despite the common perception that it is a secure alternative to Microsoft's IIS.
Among the security holes noted in Apache is the SSL (Secure Sockets Layer) vulnerability used by the recent Slapper worm to attack hosts worldwide. That worm used a buffer overflow vulnerability in OpenSSL to place and compile source code on remote Apache servers. Once compiled, the worm connected the server to a peer-to-peer network of other infected servers, which could be used in a distributed denial of service (DDoS) attack.
A number of commonly used tools and protocols for Unix and Linux also came under fire in the list. SSH (secure shell), SNMP (Secure Network Management Protocol) and FTP (File Transfer Protocol) were all singled out for vulnerabilities that would allow a malicious party, often within a corporate network, to decrypt secure information being sent between two hosts, or "sniff" passwords and other logon information from sessions.
Other items on the GSA list were more common sense. Both the Unix and Windows operating systems were criticized for not requiring users to maintain "strong" passwords, which use combinations of numbers, letters and special characters, and for not doing enough to secure password files on the operating system.
The top 20 list is compiled each year by the Federal Bureau of Investigation's National Infrastructure Protection Center, the SysAdmin, Audit, Networking and Security (SANS) Institute, and prominent IT security management organizations including Qualys Inc., Foundstone Inc. Advanced Research Corp., Internet Security Systems Inc. and the Nessus organization.
The release of the list was accompanied by announcements from the five security management organizations of new tools that can be used to scan networks for any of the 20 vulnerabilities. While many of those tools are available only to existing customers of those companies, Qualys announced a free network scan for any company interested in testing for the vulnerabilities on the GSA list.
The GSA list represents a consensus opinion among researchers at SANS and at the security management companies about the leading security vulnerabilities that exist on the most common computing platforms: Microsoft's Windows operating systems and the Unix/Linux operating system.
The number of private-sector security vendors that contributed to the list increased this year, according to Dan Ingevaldson, Team Leader of XForce Research and Development at Internet Security Systems Inc. ISS has contributed to previous SANS lists, according to Ingevaldson.
"There was a lot more work involved in building a consensus among the 10 vendors to select the top issues (this year)," said Ingevaldson.
Despite the number of parties whose input was solicited in creating the list, however, Ingevaldson said there was general agreement between the vendors on the 20 vulnerabilities that were finally selected.