The respected SANS Institute has published its latest "top 20" list of critical Internet security vulnerabilities, which it says companies should patch immediately.

As expected, the list for the first quarter of 2005 is dominated by issues in Microsoft software, but Oracle, Computer Associates, Real Player and a number of anti-virus vendors also feature.

The Top 20 also confirms that it is now the client side of software, rather than the server OS, where the security problems occur most regularly, with the weakness of Internet Explorer and a range of utilities and media players offering attackers the best way into a network.

The organisation has previously reported on an annual basis, but has decided to move to a quarterly format in response to the sheer number of vulnerabilities now being uncovered. The Top 20 list was drawn from a reported total of more than 600 vulnerabilities discovered during the period.

According to Gerhard Eschelbeck of Qualys, one of the industry team who helped compile the list, the purpose of the quarterly reports was to help IT staff choose which of the large number of vulnerabilities they should prioritise when patching systems. Currently, it was extremely difficult to determine which holes represented the greatest risk as there was no agreed standard for rating them. With the number of vulnerabilities now fairly constant, what mattered was making a timely decision about what to patch, he said.

"Most of the vulnerabilities are found through diligent research into specific areas," he said by way of explaining why anti-virus software, in particular, had seen a spate of warnings on security in recent weeks. This didn’t mean that these products were any more vulnerable than before, only that more time was now being spent finding vulnerabilities in them.

Qualys is one of a number of movers behind the Common Vulnerability Scoring System (CVSS), an industry-wide initiative announced at February’s RSA Show for rating and disclosing security issues using defined criteria. It is hoped that this system will in time become the common means of assessing which vulnerabilities are urgent and which aren’t.

The SANS Institute lists five criteria used to assess the criticality of its Top 20 security issues. These are: the number of users affected by the issue, the likelihood of the hole not having been patched in the majority of systems, the degree to which the issues allow remote control of a system, the fact that attackers are likely to know of an exploit, and how recent the issues are believed to be.

The SANS Institute has published details on how the Top 20 issues can be dealt with on its website.