Slashdot Mirror

← Back to Stories (view on slashdot.org)

SANS/FBI Release Top 20 Security Vulnerabilities

Posted by CowboyNeal on from the lock-them-boxes-down dept.

theBraindonor writes "SANS Institute and the FBI have compiled a listing of the The Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.

4 of 268 comments (clear)

  1. #8 = Internet Explorer. by garcia · · Score: 5, Interesting

    #8 is listed here.

    If you are using IE, your computer is vunerable to numerous security breaches.

    If this is installed on EVERY Windows computer by default, I believe that this should be rated higher than those vunerabilities in applications that are only installed by default on SOME Windows versions (IIS).

  2. Re:Well, that settles that argument by sunset · · Score: 4, Interesting
    To restate your point more bluntly:

    Saying that "The Twenty Most Critical Internet Security Vulnerabilities" is the same as the top ten Windows vulnerabilities plus the top ten Unix vulnerabilities, is just plain stupid.

  3. Re:Not again by airrage · · Score: 4, Interesting

    WSH is an important tool, but it's only the command interpreter, it's the code that's sent to it and how it executes that truly the problem.

    But the most overlooked part of Windows 2000 and above is Microsoft's implementation of the Windows Management Instrumentation (WMI) API. With this interface an admin can script against any Microsoft Class and has full rights to change, modify, stop, start, etc. The box is yours. And it's installed by default!

    Currently, it's a little under the radar, so many are unaware of it's implementation, but remote scripting is completely available and documented, just need the first exploit to overcome the security context and Houston we have a problem.

    --
    "This isn't a study in computer science, its a study in human behavior"
  4. Their SNMP experts aren't experts... by hardaker · · Score: 4, Interesting

    Here's a note I just sent to their web master (they had no other place to send "comments"):

    Overall the top20 list is a good summary as always.

    However, I can't believe the lack of knowledge about at least the SNMP portion of it. SNMP *used to use* clear-text community strings in the first and second versions of the protocols. The following statement, along with others in the section:

    'SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough...'

    Is spreading simply incomplete information. At a minimum, it should be suggested that all users upgrade their SNMP enabled software to version 3 compliant SNMP agents and to disable the version 1 and version 2 SNMP protocols. All of the major network vendors, as well as software vendors implement the v3 protocol so there is very little excuse for not using it (and, worst case you can deploy v3->v1 proxies near v1-devices to minimize the transmision distance of clear-text v1 community strings). *Please* change the wording to suggest that people upgrade their equipment to SNMPv3 compliant software, which will take care of at least the insecure problems with the protocol.

    --
    The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!