Hackers Shift Sights To Insecure Desktop Software
Tuesday November 22, 12:15 AM EST

NEW YORK -(Dow Jones)- Hackers veered into dangerous new territory in 2005, posing serious challenges to computer users and the security companies charged with protecting them, according to a closely watched annual report from government and industry computer-security experts.

The report - scheduled for release Tuesday by cybersecurity agencies of the United States, the United Kingdom and Canada and the SANS Institute, a research organization for security professionals - documents a marked shift in hackers' targets.

Online attackers have turned their sights to often poorly defended software applications found on millions of computer desktops - and in particular to critical antivirus, back-up and recovery programs designed to keep PCs safe from attacks and data loss - according to the 2005 SANS Top 20 report, which details the most critical security vulnerabilities facing the Internet.

For several years, hackers' focus had been on operating systems such as Microsoft Corp.'s (MSFT) Windows and UNIX and on large server computers used for displaying Web pages and sending email.

Companies such as Microsoft responded by providing customers with automated systems for quickly patching security flaws discovered in their programs, significantly improving security for everyone from average consumers to corporate and government users. However, such patching systems are unavailable for many popular desktop software programs.

"We have made enormous progress over the past five years by forcing the
vendors to deliver automated patching," says Alan Paller, research director at
the SANS Institute. "Now the bad guys are saying: 'You did that, now we're going
after the applications.' Now we have to start all over again."

SANS compiles the Top 20 list to help computer-security professionals set
priorities about which problems to address first. The list incorporates the
input of six other organizations, including the U.S. Department of Homeland
Security's U.S. Computer Emergency Response Team, the British government's
National Infrastructure Security Co-Ordination Centre and Canada's Cyber
Incident Response Centre. Included are high-severity vulnerabilities that
continue to afflict large numbers of computer systems and that can be fairly
easily attacked because their details have circulated broadly online.

The proliferation of application vulnerabilities is particularly troubling
because they can expose millions of home and office PCs to attack, a much larger
number of systems than would be the case with flawed server software, says
Gerhard Eschelbeck, chief technology officer of vulnerability management firm
Qualys Inc. They also shift more of the burden of security to often ill-prepared
home users.

SANS said no application vulnerabilities made its Top 20 list last year, but
software flaws in such programs made up nearly half the list for 2005. Among the
programs on the list are backup, antivirus, database, file-sharing,
media-player, instant-messaging and Web-browsing software made by a long list of
companies.

"You look for the soft underbelly, and the desktop applications are the soft
underbelly now," says former White House cybersecurity advisor Howard Schmidt.
Makers of many of these programs have not instituted the kind of rigorous
software-development practices to root out security holes now used by the
software giants that have been in hackers' crosshairs, he says.

"It's not about developing better patching mechanisms," Schmidt says. "The
long-term answer is you just write better code."

Products from Symantec Corp. (SYMC), a top maker of backup and antivirus
software, were among several products from a number of security software makers
that SANS warned contained security vulnerabilities that could give attackers full
control of computers. Symantec said it is quick to deliver security patches to
its customers and distributes some using its automated patching systems. It said
its software undergoes rigorous quality testing, including for any security
weaknesses.

In its report, SANS also listed several serious security flaws in networking
equipment, suggesting the routers and switches that form the backbone of the
Internet could become a bigger target in the future. No networking-gear flaws
were included in the 2004 list.

"The bad guys have learned that owning routers gives them leverage in
observing and other malicious activity," says Marty Lindner, an Internet
security analyst at US-CERT. "This is becoming a more popular attack vector."

Security experts also fear that attacks designed to cause networking equipment
to crash could become more common and more damaging as services like telephony
and video move onto the Internet protocol network.

The list highlighted several vulnerabilities found in Cisco Systems Inc. (CSCO)
gear in the last year, including its standard operating system software,
which lies behind 85% of the global Internet backbone. It also noted flaws in
routers made by Juniper Networks Inc. (JNPR) and virtual private networking
software from Check Point Software Technologies Ltd. (CHKP) and Symantec.

Cisco said it has a well-established process for helping its customers apply
fixes for security flaws and urges them to take steps to ensure they're
protected from attack.

-By Riva Richmond, Dow Jones Newswires; 201-938-5670; riva.richmond@dowjones.com

(END) Dow Jones Newswires 11-22-05 0015ET