SANS top vulnerabilities include Outlook, P-to-P

Microsoft Corp.’s Outlook e-mail program and peer-to-peer (P2P) software have been included for the first time on the System Administration, Networking and Security (SANS) Institute’s annual list of the 20 security vulnerabilities most exploited by attackers on the Internet.

SANS Institute, along with the U.S. Department of Homeland Security and Canadian and U.K. cybersecurity agencies, announced its fourth annual top 20 vulnerabilities list Wednesday during a news conference in Washington, D.C. The list, available at, is intended to be a baseline for enterprises and government agencies that want a starting point for fixing their systems, said Alan Paller, director of research at the SANS Institute, in Bethesda, Md.

“You may decide you still do not want to fix (the vulnerabilities), but at least you’ve got control and understand the problem,” Paller said. “If you go back and decide, ‘Well, I’ve heard all that and I still am going to go write reports instead of fix the vulnerabilities,’ then you deserve the attacks you get.”

Five of the top 10 Windows vulnerabilities were new this year to the list, which focuses on the overall vulnerability of protocols, applications and tools. Among the new items on the Windows top 10 list were Outlook/Outlook Express, P2P file sharing and Simple Network Management Protocol.

The popular Outlook e-mail application has been used to send many viruses and worms, but the 40-plus security experts that determine the SANS top 20 list put it on the list for the first time this year, said Erik Kamerling, editor of the 2003 top 20 list. He didn’t explain the decision to include Outlook in detail during his presentation, and he didn’t return later messages asking about Outlook’s absence in past years.

The SANS recommendations for securing Outlook include instructions on how to uninstall the program. “One of Microsoft’s goals has been to develop a usable and intuitive e-mail and information management solution,” the SANS recommendations said. “Unfortunately, the embedded automation features are at odds with the built-in security controls (often disregarded by end users). This has led to exploitation, giving rise to e-mail viruses, worms, malicious code to compromise the local system, and many other forms of attack.”

Microsoft did not return calls asking for comments on the SANS list, but Paller defended the company, saying it has responded to customer pressure to improve security in its software. “There has been a massive shift at Microsoft,” he said. “It is nowhere near perfect…but it’s been a mind change, and I think it is because of customer pressure; it isn’t because they said, ‘Oh, let’s do it for fun.'”

One P2P software vendor took exception to P2P software being included on the list. “Peer-to-peer software is no more nefarious or vulnerable than Windows or Internet Explorer or e-mail,” said Wayne Rosso, president of Grokster Ltd. “It’s just silly. Windows and Internet Explorer have way more vulnerabilities than peer-to-peer software.”

Among the vulnerabilities systems administrators should worry about with P2P software are the legal concerns if a company’s computers are used to trade copyrighted files, technical concerns from remotely exploitable misconfigurations possible in P2P software, and the ease of distribution of malicious code masquerading as legitimate materials traded through P2P software, Kamerling said.

A P2P user at one U.S. federal agency recently opened his hard drive to other users trading pornography, Paller added, making the agency part of a “porn-sharing operation.”

But Rosso said such exposures and reports of P2P users sharing the entire contents of their hard drives with others happen when P2P software is misconfigured or misused. “The potential for people’s hard drives to be exposed only exists if they don’t pay attention,” he said.

Windows Internet Information Server, Microsoft SQL Server and Internet Explorer remain on the list from 2002. The five Windows vulnerabilities that were bumped from the 2002 list were combined into two new items: Windows remote access and Windows authentication.

Three new Unix/Linux vulnerabilities were included on the list this year: clear text services, misconfiguration of enterprise services and Open Secure Sockets Layer. Remaining on the Linux/Unix list were Apache Web server, Berkeley Internet Name Domain (BIND) and Sendmail, among others.

Paller urged company and agency leaders to start with a small list of the most dangerous vulnerabilities their systems administrators could attack and allow the security team at least 90 days to make progress before requiring them to report results. Asking systems administrators to test for thousands of vulnerabilities at one time is a recipe for failure, he added.

“That is a dangerous thing to do to a systems administrator,” Paller said of requiring thousands of checks at once. That way, executives could set up systems administrators for failure. “You’re creating (a situation of saying), ‘I can demonstrate you’re incompetent, and you can never demonstrate I’m wrong.’ If that’s your goal, it’s fine, it just doesn’t improve security. What you want is an environment where you say, ‘I can demonstrate we’ve got things to fix, and you can demonstrate we can fix them, and then we’ll work together.'”