The SANS Institute now revises its annual Top 20
vulnerabilities list on a quarterly basis, and it released the first update, covering
the first quarter of 2005, earlier this month. Because of
the size of this list and the number of vulnerabilities, I typically divide it into
Microsoft and non-Microsoft issues.

I already addressed the top Windows vulnerabilities in a recent column.
Now, let's take a look at the top cross-platform threats.


Beginning with this update, SANS has moved from a yearly
event to a quarterly release. This change should provide a much better guide
for managers to help them determine which threats they need to block first.

In addition to moving to a quarterly release schedule, the
SANS quarterly survey has also dropped the Linux/UNIX section in favor of a
section for cross-platform threats, which includes Windows, Macintosh, and UNIX
flavors. So, let’s look at the most recent updates to
the SANS Institute’s Top 10 most
exploited cross-platform threats
for the first quarter of 2005.

Computer Associates
License Manager Buffer Overflows
(CAN-2005-0581, CAN-2005-0582, and CAN-2005-0583)
This is a remote code execution threat. An attacker can execute code with
“SYSTEM/root” privileges on systems running any of the vulnerable

Affected systems include CA License Package versions 1.53
through 1.61.8 running on AIX, DEC, HP-UX, Linux Intel, Linux s/390, Solaris,
Windows, and Apple Macintosh operating systems. A patch is available.

Multiple Antivirus
Products Buffer Overflow Vulnerabilities
and CAN-2005-0644)
This is also a remote code execution threat, and it affects a variety of
antivirus products, including those from Symantec, F-Secure, Trend Micro, and
McAfee. For information on available patches, see SANS’ alerts for Symantec,
, and McAfee.

DNS Cache Poisoning

This flaw can allow an attacker to redirect domain visits, and attackers have
used the vulnerability to install malware. Affected versions include Symantec
Gateway Security 5400 Series version 2.x; Symantec Gateway Security 5300 Series
version 1.0; Symantec Enterprise Firewall version 7.0.x and 8.0 for both
Solaris and Windows; VelociRaptor Models 1100, 1200, and 1300 version 1.5; Windows
NT, and Windows 2000 prior to Service Pack 3.

Windows 2000 systems with SP3 installed are not vulnerable in their default
configuration. However, other Windows DNS servers may be vulnerable.

Patches and various workarounds as specified by the vendors
are available. For more information, see the SANS report.
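The common idea behind the vendors' workarounds (Windows DNS exposes its version as the "Secure cache against pollution" setting) is a bailiwick check: a resolver caches only records that the server it just queried is actually authoritative for, whatever section of the response they arrive in. The following is an added illustration of that check and is not code from the SANS report or from any of the affected products; the RR record type, the zone parameter and the sample response are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RR:
    """One resource record from a DNS response: owner name, type, data, section.
    (Constructed for this example; a real resolver would parse wire format.)"""
    name: str
    rtype: str
    rdata: str
    section: str  # "answer", "authority" or "additional"


def _canon(name: str) -> str:
    """Case-insensitive, trailing-dot-insensitive form for owner-name comparison."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it.

    The comparison is label-aligned: 'notexample.com' is NOT inside 'example.com',
    and 'example.com.attacker.test' is not either.
    """
    n, z = _canon(name), _canon(zone)
    return n == z or n.endswith("." + z)


def filter_response(records: Iterable[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Split a response into records safe to cache and records to discard.

    `zone` is the zone the queried server is authoritative for, known from the
    delegation that led us to it.  A record whose owner name lies outside that
    zone is dropped regardless of section: a server for example.com has no
    authority to tell us the address of www.bank.test.
    """
    kept: list[RR] = []
    dropped: list[RR] = []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


def poisoned_names(records: Iterable[RR], zone: str) -> list[str]:
    """Owner names the filter refused to cache, suitable for logging or alerting."""
    _, dropped = filter_response(records, zone)
    return [rr.name for rr in dropped]


# Constructed sample response to "A? www.example.com" from a server reached via
# the example.com delegation.  The final additional record is the poisoning attempt:
# it tries to plant an address for a name the server has no authority over.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    RR("www.bank.test.", "A", "203.0.113.66", "additional"),  # out of bailiwick
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_RESPONSE, "example.com")
    for rr in kept:
        print("cache  ", rr.section, rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("DISCARD", rr.section, rr.name, rr.rtype, rr.rdata)
```

The filter keeps the legitimate answer, the NS record and its glue, and discards the www.bank.test record. A resolver that caches that last record without the check is exactly what "redirect domain visits" in the SANS description means: every later client asking for www.bank.test gets the attacker's address until the entry expires.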

Oracle Critical Patch
These vulnerabilities can allow an attacker to take control of an Oracle server.
Oracle released a patch for this vulnerability on Jan. 18, 2005. However, the
fact that this flaw made the SANS report for the first quarter indicates that
not everyone has installed the patch.

This affects a variety of Oracle products, including some
versions of Oracle Database 8 through 10g, some versions of Oracle Application
Server, Oracle Collaboration Suite Release 2, and Oracle E-Business
Suite and Applications Release 11 and 11i. For more details and information
about available patches, see the SANS alert for this threat.

Multiple Media Player
Buffer Overflows
(CAN-2005-0455, CAN-2005-0611, and CAN-2005-0043)
This vulnerability can allow an attacker to completely compromise a system. Affected applications include Linux
RealPlayer 10, Helix Player, iTunes, WinAmp, Windows RealPlayer 10.5 builds through 1056, Windows RealPlayer 10, Windows RealOne Player 2
builds through 872 and builds through 840, Windows
RealPlayer 1, Windows RealPlayer 8, Windows RealPlayer Enterprise, Mac
RealPlayer 10 builds through 325, and Mac RealOne Player.

Patches and upgrades are available. Get more details in the
SANS report.

Risk level – Critical

Remember: Attackers are currently exploiting all of these
cross-platform threats in the wild—otherwise, they wouldn’t have made the list—so
the risk level is extremely high.

Final word

While the Top 20
designation still applies to this report in various ways, including the URL,
you’ve probably noticed there aren’t actually 20 major threats listed. In fact,
the first quarterly update included seven Windows-only
and five cross-platform threats.

I have no additional comments to make about these threats—they
wouldn’t have made the list if they weren’t still viable threats and if
companies had patched their systems. Instead, I’d like to throw out a random
thought about Web browser security in general.

Does anyone remember just how serious a problem Web security
was back in 1995? The reason I ask is because Microsoft based its Internet Explorer
technology on that computing era’s need for legacy support—not security.

As I recall, Microsoft released IE 1.0 in 1995, and Mozilla
released Firefox 1.0 in late 2004. So, could part of the security differences
that everyone’s debating these days have something to do with the relative
decade between the two releases?

I don’t remember anyone arguing in 1995 that the Web would
become the security threat it is today. On the other hand, you could also make
the argument that Microsoft is actually responsible for the surge in security
threats because it developed IE with so
little concern for security. What do you think?

Also watch for …

  • Microsoft Security Advisory (899480), "Vulnerability in TCP Could Allow
    Connection Reset": Published May 18, this advisory discusses a new TCP/IP
    vulnerability in Windows 2000, Windows XP, and Windows Server 2003. This
    threat isn't particularly dangerous because it only lets an attacker force
    an existing TCP connection to reset (a denial of service, not code
    execution), and it doesn't affect anyone who installed the MS05-019
    security update, Windows XP Service Pack 2, or Windows Server 2003 Service
    Pack 1. There are no reports of any exploits in the wild.
    Note: Microsoft didn't necessarily announce this because it was urgent;
    rather, it's a sample of the new Microsoft Security Advisory Service, an
    e-mail alert service that will include both new low- and high-level threats.
  • Look
    for Microsoft to release the beta version of IE 7 around July of this

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.