[ISN] SANS compiles Top 20 security vulns list

[InfoSec News]

http://www.theregister.co.uk/2005/11/22/sans_top_20_vuln_list/

By John Leyden
22nd November 2005 

Bugs in anti-virus scanners and web-based applications joined flaws in 
Microsoft and Cisco networking products in a list of the 20 most 
serious vulnerabilities discovered this year.

The list [1] - compiled by the SANS Institute in co-operation with 
security vendors such as Qualys and government agencies in the UK and 
US - highlights the 20 most critical vulnerabilities currently facing 
organisations. Vulnerabilities that are easy to exploit and where a 
large number of unpatched systems existed were highlighted in the 
report. In addition to identifying vulnerabilities in Windows and UNIX 
systems, this year's Top-20 list also includes cross-platform 
applications and networking products for the first time.

Various flaws in Internet Explorer and Microsoft Windows Services 
(such as Plug and Play) make the top 20 list. These are joined by 
anti-virus product glitches and back-up software. Vulnerabilities to 
Oracle database and application software products also make the SANS 
Top 20 list.

The flaws are all well-documented. The idea of the Top 20 is to draw 
people's attention towards particularly serious problems that might 
have been overlooked. Starting earlier this year, the SANS Institute 
moved from an annual to quarterly update of its list, now into its 
fifth year, to reflect the faster evolution of internet threats. It's 
still doing the annual round-up though with this year's Top 20 
launched in Europe at a high profile event in London on Tuesday 
featuring speakers from SANS, the DTI and the National Infrastructure 
Security Coordination Centre (NISCC) [2]. ®

[1] http://www.sans.org/top20
[2] http://www.niscc.gov.uk/