Slashdot Mirror


SANS/FBI Release Top 20 Security Vulnerabilities

theBraindonor writes "SANS Institute and the FBI have compiled a listing of The Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.

14 of 268 comments

  1. #8 = Internet Explorer. by garcia · · Score: 5, Interesting

    #8 is listed here.

    If you are using IE, your computer is vulnerable to numerous security breaches.

    If this is installed on EVERY Windows computer by default, I believe that this should be rated higher than those vulnerabilities in applications that are only installed by default on SOME Windows versions (IIS).

    1. Re:#8 = Internet Explorer. by jasonditz · · Score: 2, Interesting

      When I'm trying to secure a Wintel box the first thing I do is install a firewall program and tell it not to allow IE to do ANYTHING. Then install Mozilla or something similar. Not perfect, but at least the lizard has a verifiable codebase.

    2. Re:#8 = Internet Explorer. by Fjord · · Score: 3, Interesting

      Outlook and IE have different problems, in my mind. Outlook is bad because the attack can be pushed directly to you, but, for the most part, you can prevent the attack through configuration of the server to not pass on attachments with certain extensions or even mostly procedurally by not opening such attachments (though, IIRC, one bug didn't require you to make that mistake). With IE, an attack is harder: you have to control part of the network that the person you want to attack voluntarily goes to, but there is little you can do from a system or procedural perspective beyond keeping up with patches.

      One thing to note is that keeping up with patches is not enough for securely using IE. Microsoft has had a bad track record for not providing a proper patch until the bug is fully exposed, so there are constantly windows where you are vulnerable. For example, there is presently a bug in the certificate software that allows a man-in-the-middle attack on an SSL connection, making the authentication useless (you are just as vulnerable to an attack with or without it). Because of this I wouldn't online bank with it.

      Yet despite this, Outlook has had a worse track record for security attacks in the wild. Many Outlook-vectored viruses have done things such as emailing random documents from your disk. It wouldn't take much to take these viruses and modify them to find and send Money or Quicken files to a foreign email address.

      --
      -no broken link
    3. Re:#8 = Internet Explorer. by lazlo · · Score: 2, Interesting

      Well, look also at W5 - anonymous logon null sessions. And, while we're at it, weak LM hashing (W6).

      By default, every windows box has both available. I haven't tried it lately, but there have been times when uninstalling SMB from a windows box has been far more difficult than uninstalling IE. Furthermore, for the most part, IE needs to be used in order to compromise your system. Don't use it, and you're (somewhat) more safe. (Of course, there are a lot of MS applications that will happily use it for you, so you're still screwed...)

      But, if you install NT, 2K, or XP, you've got null sessions available as soon as you boot the box, before you even touch the keyboard.

      Reference SMBDie - QED.

      --
      Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
  2. Why... by bsDaemon · · Score: 3, Interesting

    ...is Apache listed as #2 under UNIX? It's not exactly bug-riddled doom-ware like IIS. A few mistakes every now and then hardly qualifies for a #2 rating. It's not like 50 new exploits are found a month or something. And as for RPC at #1...you get what you ask for.

  3. Re:Well, that settles that argument by sunset · · Score: 4, Interesting

    To restate your point more bluntly:

    Saying that "The Twenty Most Critical Internet Security Vulnerabilities" is the same as the top ten Windows vulnerabilities plus the top ten Unix vulnerabilities, is just plain stupid.

  4. Re:Not again by airrage · · Score: 4, Interesting

    WSH is an important tool, but it's only the command interpreter; it's the code that's sent to it and how it executes that's truly the problem.

    But the most overlooked part of Windows 2000 and above is Microsoft's implementation of the Windows Management Instrumentation (WMI) API. With this interface an admin can script against any Microsoft Class and has full rights to change, modify, stop, start, etc. The box is yours. And it's installed by default!

    Currently, it's a little under the radar, so many are unaware of its implementation, but remote scripting is completely available and documented; it just needs the first exploit to overcome the security context and, Houston, we have a problem.

    --
    "This isn't a study in computer science, it's a study in human behavior"
  5. Re:Clueless FBI by ianaverage · · Score: 2, Interesting

    Although the *nix exploits may exist in M$ too, it is possible that they decided that the *worst* M$ exploits were the ones listed. So, maybe FTP is on the list--just at #12 or something for M$. I don't know if I agree with that...but it is a thought...

  6. Re:Lather, rinse, repeat by dpilot · · Score: 3, Interesting

    Maybe that's good, that they have to fish all the way to the r* services to flesh out a top-10 list.

    OTOH, I wonder if next year Lindows will be on the list, with our favorite practice of running users as root.

    --
    The living have better things to do than to continue hating the dead.
  7. hmm... by Anonymous Coward · · Score: 1, Interesting

    Sort of ironic that something called the "secure shell" is listed as #3 on the FBI's top Unix vulnerabilities. I did sort of find it interesting that Apache actually listed higher than FTP (wu especially) and sendmail. It strikes me as sort of unfair concluding that Apache is insecure due to CGI, which really Apache can't help you with. If you use/write insecure CGI scripts, your server is insecure, but that is hardly the fault of Apache any more than it is of perl if you don't use warnings and taint mode.

  8. Their SNMP experts aren't experts... by hardaker · · Score: 4, Interesting

    Here's a note I just sent to their web master (they had no other place to send "comments"):

    Overall the top20 list is a good summary as always.

    However, I can't believe the lack of knowledge about at least the SNMP portion of it. SNMP *used to use* clear-text community strings in the first and second versions of the protocols. The following statement, along with others in the section:

    'SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough...'

    is spreading simply incomplete information. At a minimum, it should be suggested that all users upgrade their SNMP-enabled software to version 3 compliant SNMP agents and disable the version 1 and version 2 SNMP protocols. All of the major network vendors, as well as software vendors, implement the v3 protocol, so there is very little excuse for not using it (and, worst case, you can deploy v3->v1 proxies near v1 devices to minimize the transmission distance of clear-text v1 community strings). *Please* change the wording to suggest that people upgrade their equipment to SNMPv3 compliant software, which will take care of at least the insecure problems with the protocol.

    --
    The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
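
The version check the post asks for, as an added example (not from the post, SANS or the FBI): it decodes the BER framing of captured SNMP datagrams, names the protocol version, pulls the clear-text community string out of v1/v2c messages, and for v3 reads msgFlags so that an unauthenticated (noAuthNoPriv) v3 message is flagged as weak too. The sample datagrams are constructed inline; the v3 security parameters and payload bytes are placeholders, not real USM data.

```python
# Added example (not from the original post): classify captured SNMP datagrams by
# version and flag clear-text community strings (v1/v2c) or unauthenticated v3.
# Sample messages are constructed; v3 security params and payload are placeholders.
def tlv(tag, payload):                         # BER TLV, short-form length (< 128)
    return bytes([tag, len(payload)]) + payload

def read_tlv(buf, pos=0):
    """Decode the BER TLV at buf[pos]; returns (tag, value, offset after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(datagram):
    """Report version, any clear-text community string, and a 'weak' verdict."""
    tag, body, _ = read_tlv(datagram)
    vtag, raw, pos = read_tlv(body)
    if tag != 0x30 or vtag != 0x02:
        raise ValueError("not an SNMP message")
    version = int.from_bytes(raw, "big")
    if version in (0, 1):                      # v1 / v2c: community string is next
        _, community, _ = read_tlv(body, pos)
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("latin-1"), "weak": True}
    if version == 3:                           # v3: msgGlobalData carries msgFlags
        _, global_data, _ = read_tlv(body, pos)
        _, _, p = read_tlv(global_data)        # msgID
        _, _, p = read_tlv(global_data, p)     # msgMaxSize
        _, flags, _ = read_tlv(global_data, p) # msgFlags: bit0 = auth, bit1 = priv
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
        return {"version": "v3", "community": None, "auth": auth, "priv": priv,
                "weak": not auth}
    return {"version": f"unknown({version})", "community": None, "weak": True}

# Constructed samples: GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0).
VARBIND = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x05, b""))
GET_PDU = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, VARBIND))
SNMPV1_GET = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + GET_PDU)
SNMPV2C_GET = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"private") + GET_PDU)

def v3_message(flags):                         # placeholder USM params + payload
    gd = tlv(0x30, tlv(0x02, b"\x2a") + tlv(0x02, b"\x7f\xff")
             + tlv(0x04, bytes([flags])) + tlv(0x02, b"\x03"))
    return tlv(0x30, tlv(0x02, b"\x03") + gd + tlv(0x04, b"\x30\x00") + tlv(0x04, b"\xde\xad"))

SNMPV3_AUTHPRIV = v3_message(0x07)             # auth + priv + reportable
SNMPV3_NOAUTH = v3_message(0x04)               # reportable only: noAuthNoPriv
```

Feed `inspect_snmp` the UDP payloads of port 161/162 traffic from a capture; any result with `"weak": True` is a device still speaking v1/v2c (community visible on the wire) or v3 without authentication, which is exactly what the post says the list should tell people to retire.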
  9. Re:Lather, rinse, repeat by carpe_noctem · · Score: 2, Interesting

    Sendmail is still widely used in production mail systems, and over the last few years its security reputation has improved considerably. I'm personally a qmail guy, but there are a number of commercial plugins available for sendmail that allow it to do virus or spam filtering, which remains the reason why sendmail is still quite prevalent on larger production systems.

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  10. Re:Ever heard of a UID? by lugonn · · Score: 2, Interesting

    A better thing to blame would be running as administrator (in NT-based Windows systems) full-time, rather than as a non-admin user

    Given that Win doesn't have group ownership for files, it really doesn't matter if you're running as admin or guest. You can still use WSH as a guest and be able to fuck with system files, you just can't play with the registry...nice security model, it doesn't exist for files on Win systems.

    Perl on the other hand can't mess with files if the UID for the process doesn't have permission to...ooohhh, file security.

  11. I love W5... by tlambert · · Score: 3, Interesting

    I love W5. It implies that the vulnerability is the leakage of information to an intruder.

    It seems to me that, since it points out the scans are often run as "System" by the legitimate users, then by properly crafting a response to an inquiry, and putting my machine out there, the real vulnerability is to the systems, like the domain controllers, which scan (potentially trojaned) remote machines without dropping "System" privilege first.

    It seems to me that an exploit using SAMBA source code ought not to be that hard to write...

    -- Terry