SANS/FBI Release Top 20 Security Vulnerabilities
theBraindonor writes "SANS Institute and the FBI have compiled a listing of The Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.
They left Outlook and its derivatives off the Windows list. Never mind the root VBS cause.
But they seem to have really had to reach to get 10 for Unix.
Man... how much did this 'study' cost?
When a vendor installs an application BY DEFAULT on EVERY single version they ship and it is considered a top 10 vulnerability, I would say that is more important (see previous comment here) than individual applications that are GENERALLY not installed by default on UNIX based OSs.
Just my worthless .02
They forgot to list one of the most obvious ways of breaching computer security measures: social engineering.
If you can get the information that you want (e.g. passwords) from a person who knows the information, all the patches in the world won't protect your network...
--
http://www.aikiweb.com - AikiWeb Aikido Information
Plus, you don't even need to spend on AV software from snake oil vendors.
All that's needed is to make the 'Edit' command the default in the registry for all types of WSH-recognized extensions, such as .js and .wsh. Unfortunately the default is 'Open', which executes the script.
Once you do this you can simply sit there and watch the script worms hit - the only thing you'll see are instances of Notepad all over the place (with the code, to boot). Quite funny (in a sick sort of way).
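An added audit/hardening script for the registry change described above (not part of the thread; it assumes the standard WSH ProgIDs such as JSFile and VBSFile from a stock Windows install, and that it runs from an elevated PowerShell, since HKCR writes are machine-wide):

```powershell
# Added example for this thread, not from the original post. Audits, and with
# -Fix changes, the default shell verb for Windows Script Host file types so
# that double-clicking a script opens it in an editor instead of running it.
# Assumptions: standard ProgIDs (JSFile, VBSFile, ...) from a stock Windows
# install; writes to HKCR are machine-wide and need an elevated prompt.
param([switch]$Fix)

# .js and .wsh are the extensions named in the post; the rest are the other
# WSH-handled types that a script worm could equally arrive as.
$extensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'

function Get-DefaultValue([string]$Path) {
    # The unnamed "(default)" registry value; $null when the key is missing.
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'(default)'
}

foreach ($ext in $extensions) {
    $progId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext"
    if (-not $progId) { Write-Warning "$ext has no ProgID mapping; skipping"; continue }

    $shellKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
    $verb = Get-DefaultValue $shellKey
    # No explicit default verb means Explorer falls back to 'Open', which executes.
    $effective = if ($verb) { $verb } else { 'Open' }
    $hasEdit = Test-Path "$shellKey\Edit\command"

    if ($effective -eq 'Edit') {
        Write-Host "$ext ($progId): default verb is Edit - OK"
        continue
    }
    Write-Host "$ext ($progId): default verb is '$effective' - scripts EXECUTE on open"
    if (-not $Fix) { continue }
    if (-not $hasEdit) {
        # Without an Edit verb the change would leave the type with no usable default action.
        Write-Warning "$progId has no Edit verb defined; not changing it"
        continue
    }
    Set-ItemProperty -Path $shellKey -Name '(default)' -Value 'Edit'
    Write-Host "  -> set $progId default verb to Edit"
}
```

Run it without -Fix first to see which script types currently execute on double-click; the change does not stop scripts launched explicitly with wscript.exe or cscript.exe, only the Explorer default action.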
Apache is optimized and was originally designed for Unix. FTP is a standard Internet protocol that likely had its origins in Unix. While the problems you state afflict Windows and Unix alike, they cannot be "traced to Windows." They should be under a generic category for all systems, as HTTP and FTP servers are, in general, large security risks, if caused by nothing more than improper setup.
The user. Windows OR Unix.
What's in a Sig?
Software vendors should be required to supply security patches in isolation, and WITHOUT ANY additional licensing requirements.
pr0n - keeping monitor glass spotless since 1981.
Client-side security is still a joke. Clients get attention in the places where they "asynchronously" give up control to foreign command, like embedded scripts in email and virtual machines for things like Java. But the overwhelming majority of client code was designed assuming that it interacts in good faith with the rest of the world.
The flood of server-side vulnerabilities will slow. Desktop environments will get more and more homogeneous. The payoff for writing a single exploit will grow. You should expect not only to see more client-targeting attacks, but also more attacks leveraging the ancient and festering weaknesses in global Internet routing and in DNS.
Consider that today, Internet routing is being subverted with some regularity to play pranks on IRC and to hijack address space for spamming. These are high-risk, low-reward enterprises. It's only a matter of time before smarter people figure out how to use the same tricks to more productive ends.