New list of critical vulnerabilities released for Q1 2005
Connecting state and local government leaders
SANS Institute to issue Internet vulnerability warnings more frequently.
The SANS Institute of Bethesda, Md., has begun updating its top 20 list of Internet vulnerabilities on a quarterly basis in an effort to give administrators more timely data to help prioritize patching.
'Since new Internet threats are discovered daily, user organizations that rely on the top 20 list have been asking for more frequent updates,' the organization announced.
The update for the first quarter of 2005, released Monday, includes a dozen vulnerabilities reported in the first three months of the year. Most of the vulnerabilities affect Microsoft operating systems or applications.
The new entries were culled from among more than 600 vulnerabilities reported during January, February and March. To make the cut, the vulnerabilities must affect a large number of users, be unpatched on a substantial number of systems, allow remote exploitation and have enough information available to make an exploit likely.
New vulnerabilities on the list are:
For Microsoft Internet Explorer:
- Microsoft DHTML Edit ActiveX Remote Code Execution
- Microsoft Cursor and Icon Handling Overflow
- Microsoft HTML Help ActiveX Control Cross Domain Vulnerability
- Microsoft PNG File Sharing Vulnerabilities.
- Microsoft Server Message Block Vulnerability.
- Windows License Logging Service Overflow.
- DNS Cache Poisoning Vulnerability.
- Buffer Overflows in decoding files.
- Vulnerability patched in Oracle's January Critical Patch Update.
- CA License Package Buffer Overflow Vulnerabilities.
- Buffer Overflows.
For Microsoft Windows NT server 4.0 Service Pack 6a and Terminal Server Edition Service Pack 6, Windows 2000 Server Service Pack 3 and 4, and Windows Server 2003:
For Microsoft Windows NT and Windows 2000 (prior to SP3) DNS servers, and Symantec Gateway Security, Enterprise Firewall and VelociRaptor:
For antivirus products from Symantec, F-Secure, TrendMicro and McAfee:
For Oracle Application Server 9I and 10g, and Oracle Collaboration Suite release 2:
For Computer Associates Products running License Manager:
For RealPlayer, iTunes and WinAmp media players:
NEXT STORY: DOD wants unique ID tags on all products