SANS list of top vulnerabilities includes Outlook, P-to-P

WASHINGTON -- Microsoft Corp.'s Outlook e-mail program and peer-to-peer (P-to-P) software have been included for the first time on the SANS Institute's annual list of the 20 security vulnerabilities most exploited by attackers on the Internet.

SANS (System Administration, Networking and Security) Institute, along with the U.S. Department of Homeland Security and Canadian and U.K. cybersecurity agencies, announced its fourth annual top 20 vulnerabilities list Wednesday during a news conference here. The list, available at http://www.sans.org/top20, is intended to be a baseline for enterprises and government agencies that want a starting point for fixing their systems, said Alan Paller, director of research at the SANS Institute, in Bethesda, Maryland.

"You may decide you still do not want to fix (the vulnerabilities), but at least you've got control and understand the problem," Paller said. "If you go back and decide, 'Well, I've heard all that and I still am going to go write reports instead of fix the vulnerabilities,' then you deserve the attacks you get."

Five of the top 10 Windows vulnerabilities were new this year to the list, which focuses on the overall vulnerability of protocols, applications and tools. Among the new items on the Windows top 10 list were Outlook/Outlook Express, P-to-P file sharing, and SNMP (Simple Network Management Protocol).

The popular Outlook e-mail application has been used to send many viruses and worms, but the 40-plus security experts that determine the SANS top 20 list put it on the list for the first time this year, said Erik Kamerling, editor of the 2003 top 20 list. He didn't explain the decision to include Outlook in detail during his presentation, and he didn't return later messages asking about Outlook's absence in past years.

The SANS recommendations for securing Outlook include instructions on how to uninstall the program.

"One of Microsoft's goals has been to develop a usable and intuitive e-mail and information management solution," the SANS recommendations said. "Unfortunately, the embedded automation features are at odds with the built-in security controls (often disregarded by end users). This has led to exploitation, giving rise to e-mail viruses, worms, malicious code to compromise the local system, and many other forms of attack."

Microsoft did not return calls asking for comments on the SANS list, but Paller defended the company, saying it has responded to customer pressure to improve security in its software.

"There has been a massive shift at Microsoft," he said. "It is nowhere near perfect ... but it's been a mind change, and I think it is because of customer pressure; it isn't because they said, 'Oh, let's do it for fun.' "

One P-to-P software vendor took exception to P-to-P software being included on the list. "Peer-to-peer software is no more nefarious or vulnerable than Windows or Internet Explorer or e-mail," said Wayne Rosso, president of Grokster Ltd. "It's just silly. Windows and Internet Explorer have way more vulnerabilities than peer-to-peer software."