Security group names top software risks

A security organisation published its fourth annual list of the most commonly exploited software vulnerabilities on Wednesday, putting network administrators on notice that they need to check their systems.

The SysAdmin, Audit, Network, Security (SANS) Institute's "Top 20 Vulnerabilities," first published three years ago in collaboration with the FBI's National Infrastructure Protection Center, consists of two lists: the top 10 flaws in Microsoft's operating systems and software, and the top 10 flaws in Unix systems.

"The (list) defines the set of network security vulnerabilities that are most commonly used by hackers to break into systems," Alan Paller, director of research for the SANS Institute, said in a statement. "They should be addressed by network administrators as quickly as possible."

The lists are intended as a guide for system administrators to check their systems for flawed software. Each of the 20 entries describes the vulnerable software and suggests ways to mitigate the risks associated with it.

SANS rated Microsoft's Web server--the Internet Information Services (IIS) software--as the top source of vulnerabilities on Windows systems.

Microsoft has issued warnings for more than half a dozen flaws in its IIS Web server software in the last year. In May, the company alerted customers to four vulnerabilities in the software. Last November, security researchers warned the software giant of further flaws in its Web server. The Code Red worm, which spread widely during July and August 2001, exploited a flaw in IIS to infect machines.

On the Unix side, the Berkeley Internet Name Domain (BIND) software--the most widely used domain name system (DNS) server, which translates domain names into numerical IP addresses--tops the list for that family of operating systems, which includes the various flavours of Linux, Sun Microsystems' Solaris and IBM's AIX.

Several flaws have been found in BIND in the last year. In March, the Internet Software Consortium released a new version of the software that patched security holes, and in November security researchers pinpointed another flaw that also had to be patched.

Other top flaws on Windows systems included Microsoft's SQL Server database software, which the Slammer worm exploited, and Windows remote access services, including Microsoft's implementation of the remote procedure call (RPC) standard, the flaw the MSBlast worm used to spread.

Top Unix flaws include those in the systems' own RPC service implementations, as well as insecurely configured Apache Web server installations.


Talkback: 1 comment

  1. Yes and the list is like this...
     1.) Micro$soft
     2.) Micro$soft
     3.) Micro$soft
     4.) Micro$soft
     5.) Micro$soft
     need I say more?
     Anonymous -- 09/10/03

