"Individuals and organizations that do not correct these problems face a heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, for industrial espionage, or for distributing spam or pornography," the group warned.
The list includes vulnerabilities in products from Microsoft, Symantec, Oracle, and Computer Associates. It is the first quarterly update to the SANS Top 20 Internet Security Vulnerabilities list, which is published annually in October.
Details on the vulnerabilities and tips for fixing them are at www.sans.org/top20/Q1-2005update.
To be included in the quarterly update, vulnerabilities had to meet certain requirements, including affecting a large number of users, remaining unpatched on many systems, and allowing remote attackers to take over computers.
"These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and our offices," Alan Paller, SANS director of research, said in a statement. "We're publishing this list as a red flag for individuals as well as IT departments. Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected."
The team that published the update included researchers from 3Com's TippingPoint division, Qualys, and the British Government's National Infrastructure Security Co-Ordination Centre.