8 October 2002

Four-fifths of the most serious software security flaws identified in a US Federal Bureau of Investigation (FBI) ‘hit list’ published last week were identified more than a year ago.
“Sixteen of the top 20 are problems that have been known widely and been easily remedied for over a year. Two of the remaining four are addressed by reasonable administrative diligence and two are new and require some tactical patching,” said Jon McCown, senior technical director at security services vendor TruSecure.
The hit list – and the ease with which the problems can be solved – highlight the lack of technical and security expertise of many systems administrators and their lackadaisical approach to securing their systems. “In fact, some of the vulnerabilities on the list are about to have their third birthday – and still [some] people haven’t fixed them,” added McCown.
Organisations that ignore such widely publicised threats are at particular risk because malicious hackers are rarely the first to uncover vulnerabilities.
Instead, they usually learn about software security flaws from public lists, including the detailed advisories published by security groups such as BugTraq and the SANS Institute. They then use that knowledge to break into systems of organisations that have been slow to install the appropriate security patches.
Indeed, the FBI’s list also includes links to freely-available scanners that organisations – and hackers – can use to test for the vulnerabilities.
The release of the FBI’s top 20 security flaws hit list was supported by the UK’s National Infrastructure Security Coordination Centre (NISCC) and Canada’s Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP).
SANS/FBI Top 20 List