Buffer overflows top list of exploitable vulnerabilities

Edward Hurley, SearchSecurity.com News Writer

The hundreds of new vulnerabilities discovered each month could leave system administrators' heads spinning, but a new list by Internet Security Systems Inc. will offer some guidance on the issue.

Dubbed the Catastrophic Risk Index (CRI), the list includes 31 exploitable vulnerabilities that companies should focus on. The number of items on the list can increase or decrease over time as threats develop. "With 200 or 300 new vulnerabilities coming out a month, it's hard to know where even to start to fix them," said Chris Rouland, vice president of ISS' X-Force.

Of the 31 flaws on the CRI, 29 are buffer overflows. About 58% of the vulnerabilities are found in commercial software compared with 19% in open-source applications. The flaws are found in a variety of software including Web servers, enterprise resource planning (ERP) applications and database servers. For example, the buffer overflow in the Sendmail address parser made the list. So did the Windows 2000/XP PPTP packet buffer overflow.
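The bug class behind 29 of the 31 entries is easy to see in miniature. The following is an added example written for this page, not Sendmail's parser, any ISS material, or code from the original article; the 64-byte buffer, the function names and the test harness are assumptions. It shows an address parser that copies the local part (the text before '@') into a fixed buffer without a bound, the same parse with the buffer size threaded through and overlong input rejected, and a harness that measures how far the unchecked version writes past its buffer for a constructed 100-byte local part.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_MAX 64   /* assumed size of the fixed local-part buffer */

/* Vulnerable form: copy everything before '@' into `out` with no bound.
 * How many bytes get written is decided by whoever supplies `addr`,
 * not by the size of `out`. Returns the number of bytes copied. */
size_t local_part_unchecked(const char *addr, char *out)
{
    size_t i = 0;
    while (addr[i] != '\0' && addr[i] != '@') {
        out[i] = addr[i];          /* no check that i fits the buffer */
        i++;
    }
    out[i] = '\0';
    return i;
}

/* Hardened form: same parse, but the caller passes the buffer size and
 * input that would not fit (with its terminator) is rejected outright.
 * Returns 0 on success, -1 if the local part is too long. */
int local_part_bounded(const char *addr, char *out, size_t out_size)
{
    size_t i = 0;
    if (out_size == 0)
        return -1;
    while (addr[i] != '\0' && addr[i] != '@') {
        if (i + 1 >= out_size)     /* need room for out[i] and the NUL */
            return -1;
        out[i] = addr[i];
        i++;
    }
    out[i] = '\0';
    return 0;
}

/* Constructed input: an address whose local part is `local_len` 'A's. */
static char *make_address(size_t local_len)
{
    const char *domain = "@example.org";
    char *addr = malloc(local_len + strlen(domain) + 1);
    if (addr == NULL)
        abort();
    memset(addr, 'A', local_len);
    strcpy(addr + local_len, domain);
    return addr;
}

/* Demonstration: treat the first ADDR_MAX bytes of a larger heap block as
 * the parser's buffer and fill the rest with 0xAA. Returns how many bytes
 * past the buffer the unchecked parser overwrote. The overrun stays inside
 * the allocation, so the demonstration itself is well-defined C. */
int bytes_clobbered_by_unchecked(size_t local_len)
{
    size_t block = ADDR_MAX + local_len + 16;
    unsigned char *region = malloc(block);
    char *addr = make_address(local_len);
    int clobbered = 0;
    if (region == NULL)
        abort();
    memset(region, 0xAA, block);
    local_part_unchecked(addr, (char *)region);
    for (size_t k = ADDR_MAX; k < block; k++)
        if (region[k] != 0xAA)
            clobbered++;
    free(addr);
    free(region);
    return clobbered;
}

/* Same constructed input through the bounded parser and a real
 * ADDR_MAX-byte stack buffer; returns the parser's result code. */
int bounded_result(size_t local_len)
{
    char buf[ADDR_MAX];
    char *addr = make_address(local_len);
    int rc = local_part_bounded(addr, buf, sizeof buf);
    free(addr);
    return rc;
}

int main(void)
{
    printf("unchecked, 10-byte local part:  %d bytes past buffer\n",
           bytes_clobbered_by_unchecked(10));
    printf("unchecked, 100-byte local part: %d bytes past buffer\n",
           bytes_clobbered_by_unchecked(100));
    printf("bounded,   100-byte local part: rc=%d\n", bounded_result(100));
    return 0;
}
```

The point of the harness is that the unchecked loop's write count is a property of the input, not of the destination; on a real stack buffer those 37 extra bytes would land on whatever sits above it. The bounded version fixes the problem at the parse site rather than by trimming input somewhere upstream, which is the check that survives when the parser is reached by a new code path.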

The list, which will be updated quarterly, is available to the public on the ISS Web site.

Rouland doesn't see the CRI as a competitor to other security vulnerability lists, such as the SANS/FBI Top 20 Internet Security Vulnerabilities List. In fact, items from that list are included in the CRI, he said.

"We felt companies needed a way to quickly access risks that could be catastrophic to their organizations," Rouland said. The SANS/FBI list tends to focus more on general technologies, such as Microsoft's Internet Information Services, and on policy issues, such as the enforcement of rules about appropriate password length.

"Our index lays off discrete items to fix," Rouland said. "In other words, it offers the [security] practitioner a menu of remotely exploitable vulnerabilities to address."

All 31 items on the CRI are remotely exploitable flaws. Lesser vulnerabilities, such as those that allow only denial-of-service attacks, are not included. Every vulnerability on the list has exploit code associated with it. ISS gauges whether to put a flaw on the list by looking at how much it is actually being exploited: a flaw that looks very bad in the lab but that isn't being exploited in the wild probably wouldn't be on the list, Rouland said.

The market penetration of an application or platform also influences whether a vulnerability appears on the list. Generally, a flaw that occurs in less popular software, even if it were very severe, probably wouldn't make the list. "The hackers think the same way. They go after the software with a lot of market penetration," Rouland said.

FOR MORE INFORMATION:

SearchSecurity.com news exclusive "SANS, FBI identify top 20 Windows, Unix vulnerabilities"

SearchSecurity.com news exclusive: "Buffer overflows likely to be around for another decade"

SearchSecurity.com technical tip: "Defining and preventing buffer overflows"

ISS' Catastrophic Risk Index (in PDF format)

FEEDBACK: Are lists like this one helpful to system and network administrators?
Send your feedback to the SearchSecurity.com news team.

