SANS begins quarterly updates to its Top 10 Windows vulnerabilities list

The SANS Institute's annual list of the Top 20 Internet Security Vulnerabilities has become so popular that the institute has decided to begin releasing quarterly updates, starting this month. In this edition of the IT Locksmith, John McCormick reviews the recent updates to the first half of this list, the Top 10 Windows vulnerabilities.


The SANS Institute has begun revising its annual Top 20 vulnerabilities list on a quarterly basis and has released its first update for the first quarter of 2005.


The SANS Institute's annual list of the Top 20 Internet Security Vulnerabilities has proven to be so popular that the security education firm has decided to begin releasing quarterly updates to the list. It released the first quarterly update on May 2, 2005.

One of the reasons this list is so highly regarded is that it catalogs vulnerabilities that black hats are currently trying to exploit, and it can help companies stay on top of the latest threats. Another reason this list stands out from the weekly spate of security bulletins and patches and all the rest of the hype from security firms is that SANS compiles its list from actual incident reports.

For security's sake, of course, companies must issue warnings whenever there's a potential threat, but it's difficult to discern whether hackers will actually try to exploit it. While some threats initially appear very serious, it often happens that black hats simply don't try to exploit them—either because vendors quickly patch the flaws or because much bigger and easier targets are already out there.

Many IT managers use the SANS list to prioritize patching, and the new quarterly updates should make the list even more useful. For example, the vulnerabilities listed for the first quarter of 2005 are much more relevant than some of the items in the yearly threat list.

As you might expect, Microsoft exploits lead the list. However, that's not necessarily because these threats are more serious; rather, Redmond's products are present in the majority of organizations, and SANS always begins with them.

In addition, the SANS list now includes a cross-platform category. As usual, due to the size of this list and number of vulnerabilities, I'm dividing the list into Microsoft and non-Microsoft issues. So, tune in next week for the non-Microsoft issues. (However, if Microsoft releases critical threat bulletins or another major threat emerges, I'll delay the second part of this list a week.)

So, without any further ado, let's look at the most recent updates to the SANS Institute's Top 10 most exploited Microsoft platform threats for the first quarter of 2005.

Windows License Logging Service Overflow (Security Bulletin MS05-010)
Patches are available for this highly critical remote code execution threat, which affects Windows NT Server, Windows 2000 Server, and Windows Server 2003 (CAN-2005-0050). This threat falls under SANS' W3 Windows Remote Access Services category.

Microsoft Server Message Block (SMB) Vulnerability (Security Bulletin MS05-011)
This highly critical remote code execution threat affects Windows 2000, Windows XP, and Windows Server 2003 (CAN-2005-0045). Patches are available for affected systems.

Internet Explorer Vulnerabilities (Security Bulletins MS05-014 and MS05-008)
This is a critical threat to systems running Internet Explorer versions 5.01, 5.5, and 6.0—an attack can compromise the system (CAN-2005-0053, CAN-2005-0054, CAN-2005-0055, and CAN-2005-0056). Patches are available from both bulletins. Browser threats are a perennial favorite on this list, falling under SANS' W6 Web Browsers category, and they came in at the sixth position for Windows threats in the last annual report.

Microsoft HTML Help ActiveX Control Vulnerability (Security Bulletin MS05-001)
Patches are available for this highly critical threat that affects all platforms from Windows 98 and later (CAN-2004-1043). Among other exploits, the Phel.A Trojan uses this vulnerability to penetrate vulnerable systems.

Microsoft DHTML Edit ActiveX Remote Code Execution (Security Bulletin MS05-013)
Also affecting all platforms from Windows 98 and later, this highly critical threat is currently under exploit in the wild (CAN-2004-1319). Patches are available.

Microsoft Cursor and Icon Handling Overflow (Security Bulletin MS05-002)
Black hats are currently using this highly critical vulnerability as a path to install adware and spyware on Windows NT, Windows 2000, and Windows XP systems (CAN-2004-1049). Patches are available for vulnerable OS versions.

Microsoft PNG File Processing Vulnerabilities (Security Bulletin MS05-009)
Falling under the W10 Instant Messaging category, SANS gave this IM threat the tenth position in its annual threat list (CAN-2004-1244 and CAN-2004-0597). Patches are available for affected systems, which include Media Player 9, Windows Messenger 5.0, MSN Messenger 6.1 and 6.2, as well as the Windows 98, Windows ME, and Windows SE operating systems.

Mitigating factors

While these vulnerabilities aren't necessarily the biggest threats of the first quarter—other big threats may have been more widely patched—they are definitely serious and require attention. For information on workarounds, patches, and any mitigating factors for these vulnerabilities, check out the original security bulletins.

Keep in mind that these flaws aren't just theoretical threats—black hats are actively exploiting them. So if you need to prioritize your patching, and you haven't already taken care of these vulnerabilities (and many apparently haven't, or they wouldn't make this list), these threats need to move to the top of your fix-it-now list.

Final word

When you think about it, an annual report is just not fresh enough to provide real guidance to IT security managers. After all, most vendors will recognize a really big threat as such and correct it in a lot of the commercial systems included in SANS reports. So what was big for most of the year may not be much of a threat by the time you see the annual summary of incident reports.

Also watch for …

  • Apple has posted a whopping 20 security patches for both client and server versions of OS X 10.3.9. The overall threat level is highly critical, so those who didn't receive automatic updates on May 3 should check Apple's security site for the appropriate patches.
    The Register reports that unit sales of the Mac OS X operating system have grown by 43 percent over the same quarter last year. Does that popularity portend an increased level of threat from hackers? No one can say for sure, but for those who aren't keeping track, I believe Apple only released version 10.3.9 a few weeks ago. Version OS X 10.4 (Tiger) is available now.
  • And to wrap things up, here's a sobering thought: According to ZDNet Australia, Sophos reports that 4 percent of all e-mail worldwide contains some version of the Sober worm—that's one in every 22 messages—and constitutes nearly 80 percent of all viruses now seen in the wild.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
