New list of critical vulnerabilities released for Q1 2005
The SANS Institute of Bethesda, Md., has begun updating its top 20 list of Internet vulnerabilities on a quarterly basis in an effort to give administrators more timely data to help prioritize patching.
"Since new Internet threats are discovered daily, user organizations that rely on the top 20 list have been asking for more frequent updates," the organization announced.
The update for the first quarter of 2005, released Monday, includes a dozen vulnerabilities reported in the first three months of the year. Most of the vulnerabilities affect Microsoft operating systems or applications.
The new entries were culled from among more than 600 vulnerabilities reported during January, February and March. To make the cut, the vulnerabilities must affect a large number of users, be unpatched on a substantial number of systems, allow remote exploitation and have enough information available to make an exploit likely.
New vulnerabilities on the list are:
For Microsoft Internet Explorer:
- Microsoft DHTML Edit ActiveX Remote Code Execution
- Microsoft Cursor and Icon Handling Overflow
- Microsoft HTML Help ActiveX Control Cross Domain Vulnerability
- Vulnerabilities included in cumulative updates for Internet Explorer.
- Microsoft PNG File Sharing Vulnerabilities.
- Microsoft Server Message Block Vulnerability.
- Windows License Logging Service Overflow.
- DNS Cache Poisoning Vulnerability.
- Buffer Overflows in decoding files.
- Vulnerability patched in Oracle's January Critical Patch Update.
- CA License Package Buffer Overflow Vulnerabilities.
- Buffer Overflows.