SANS/FBI Release Top 20 Security Vulnerabilities

theBraindonor writes "SANS Institute and the FBI have compiled a listing of the The Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.

The number one vulnerability for Windows boxen is:

[The+Pi-Guy]

IIS!!

Not any particular 'sploit, but on the page, IIS is THE NUMBER ONE vulnerability for Windows boxen.

Like Mr. Valentine said, "[Microsoft's] products are not engineered for security". Or something like that.

--j

#8 = Internet Explorer.

[garcia]

#8 is listed here.

If you are using IE, your computer is vunerable to numerous security breaches.

If this is installed on EVERY Windows computer by default, I believe that this should be rated higher than those vunerabilities in applications that are only installed by default on SOME Windows versions (IIS).

Re:#8 = Internet Explorer.

[Zathrus]

If you are using IE, your computer is vunerable to numerous security breaches

Yes. If you're not downloading security updates.

But the same is true for everything else on the list. Conversely, if you are constantly keeping up to date on security patches then you are considerably less vulnerable.

I believe the point you were trying to make is that it's the only client program on the list - all the others are servers. And I'm honestly surprised that neither Outlook nor Outlook Express made the list - they're considerably more problematic with regards to security IMO (but I'm not a "professional" in this context).

As to why it's not #1 - well, first there's a lot fewer vulnerabilities listed. Additionally the extent of the vulnerabilities are not as large. Relatively few virii/trojans/etc. spread via IE, while there are still IIS servers out there spamming the world with Code Red. Secondly, as a client program it is somewhat more secure than a server by design. I could be running a totally unpatched client that's vulnerable six ways to Sunday, but if I don't surf to your site (or open a local infected file with the client) then I can't be infected. Servers, however, are vulnerable if they're running - I don't have to invite you to break into my system, I left the door open with a lovely "Open House" sign up.

Re:#8 = Internet Explorer.

[flacco]

Yes. If you're not downloading security updates.

...which, lately, have come with unacceptable EULA terms and mandatory downloads of other software.

Software vendors should be required to supply security patches in isolation, and WITHOUT ANY additional licensing requirements.

Re:#8 = Internet Explorer.

[tqbf]

You say "if I don't surf to your site... then I can't be infected". It almost sounds like you believe you have some control over whether your browser will hit his evil web page. Could it be that you actually think that both Internet routing and the DNS are hard to subvert?

Clientside security is still a joke. Clients get attention in the places where they "asynchronously" give up control to foreign command, like embedded scripts in email and virtual machines for things like Java. But the overwhelming majority of client code was designed assuming that it interacts in good faith with the rest of the world.

The flood of server-side vulnerabilities will slow. Desktop environments will get more and more homogenous. The payoff for writing a single exploit will grow. You should expect not only to see more client-targetting attacks, but also more attacks leveraging the ancient and festering weaknesses in global Internet routing and in DNS.

Consider that today, Internet routing is being subverted with some regularity to play pranks on IRC and to hijack address space for spamming. These are high-risk, low-reward enterprises. It's only a matter of time before smarter people figure out how to use the same tricks to more productive ends.

Lather, rinse, repeat

[devphil]

Two years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top Twenty, which followed a year later, to prioritize their efforts so they could close the most dangerous holes first.

And if memory serves, the Unix list is exactly the same, with perhaps the exception of Apache. The r* services, sendmail, yep, all still there. Who in their right mind uses r* and sendmail on anything connected to the public internet?

Anyone correct me on whether the others have changed? They all look familiar to me.

Re:Lather, rinse, repeat

[sporty]

Who in their right mind uses r* and sendmail on anything connected to the public internet?

Actually, as the article pointed out, sendmail hasn't had any serious problems in the past 2 years. Quite frankly, it's quite powerful and its default install is kinda simple to use except (except!) for that stupid map command to build virtual users, access tables and the likes.

It's not the end of the world if you use it, just like it's not the end of the world if you use proftpd.

Missed a couple of big ones

They left Outlook and it's derivatives off the Windows list. Nevermind the root VBS cause.

But they seem to have really had to reach to get 10 for Unix.

Man... how much did this 'study' cost?

Re:Well, that settles that argument

[garcia]

when a vendor installs an application BY DEFAULT on EVERY single version they ship and it is considered at top 10 vundeability I would say that is more important (see previous comment here) than individual applications that are GENERALLY not installed by default on UNIX based OSs.

Just my worthless .02

Social Engineering

[akiy]

They forgot to list one of the most obvious ways of breaching computer security measures: social engineering.

If you can get the information that you want (eg passwords) from a person who knows the information, all the patches in the world won't protect your network...

Not again

[The+Bungi]

Item 'W10 Windows Scripting Host' lists the 'solution' to be removing WSH. This is about as useful as removing Perl from a Unix box - it's not viable. The WSH is an important tool and the knee-jerk "let's get rid of it!" reaction will eventually be more trouble than not given how many other Microsoft and third-party software requires it. Also, the WSH is only a hosting implementation. The VBScript and JScript interpreters are not removed when you disable the WSH.

Plus, you don't even need to spend on AV software from snake oil vendors.

All that's needed is to make the 'Edit' command the default in the registry for all types of WSH-recognized extensions, such as .js and .wsh. Unfortunately the default is 'Open', which executes the script.

Once you do this you can simply sit there and watch the script worms hit - the only thing you'll see are instances of Notepad all over the place (with the code, to boot). Quite funny (in a sick sort of way).

Re:Not again

[airrage]

WSH is an important tool, but it's only the command interpreter, it's the code that's sent to it and how it executes that truly the problem.

But the most overlooked part of Windows 2000 and above is Microsoft's implementation of the Windows Management Instrumentation (WMI) API. With this interface an admin can script against any Microsoft Class and has full rights to change, modify, stop, start, etc. The box is yours. And it's installed by default!

Currently, it's a little under the radar, so many are unaware of it's implementation, but remote scripting is completely available and documented, just need the first exploit to overcome the security context and Houston we have a problem.

Now if only ...

[rhysweatherley]

... the script kiddie who's been banging on my firewall for the last two weeks would just give up and go away, I'd be a happy camper.

Free Clue: if you didn't get in on the first 2000 tries, go waste someone else's bandwidth!

Re:Now if only ...

[derF024]

have some fun with ipchains and the "mirror" directive. all of a sudden, to him, your machine will appear to be an exact duplicate of his. maybe he'll even root his own machine in the process :-P

version number hiding is not the way to go.

[MavEtJu]

Version number hiding is not the way to go. And let me explain why: Nimda / Code Red. ISS only. Certain versions of ISS only. And do you think that the virus checks for the HTTP Server-string before it sends it payload? No way. Brute force. Just send the exploit and check later if it was successfull. I have the logs of my Apache webservers to show this behaviour.

Same with the bugbear[sp] worm at this moment. "Check all the shares on the system. Found one! Let's copy to there." Zwoooosh there goes another sheet of paper through the printer.

For administrative purposes, being able to find out what version of software is running is essential. In a company with tens of locations and thousands of computers, nobody will be able to keep a list of software installed on all these things, let alone keep track of the versions.
A weekly scan by the corperate IT department and they know what MTAs and versions are there, what FTP servers and version, what DNS servers and versions are there. An update is released? Just inform the right people (i.e. the LAN administrators, not the people who own these servers). An exploit has become known? At least you know how vulnerable you are instead of panicing and trying to get (obsolete) lists from all over the place.

So yeah, version number hiding doesn't reduce the attackrate but does reduce the ability to act.

Misconfiguration

[Kris+Warkentin]

Not only is Apache very widely deployed, it is also quite easy to misconfigure it. If you read the article, they're not talking about software insecurities alone: they're talking about misconfiguration and bad management of machines. For example, weak/non-existant passwords is on both lists.

They're not saying that Apache is insecure but rather that it is a potential risk if the admin is not sufficiently competent.

Re:Well, that settles that argument

[sunset]

To restate your point more bluntly:

Saying that "The Twenty Most Critical Internet Security Vulnerabilities" is the same as the top ten Windows vulnerabilities plus the top ten Unix vulnerabilities, is just plain stupid.

I am disappointed...

[funwithBSD]

the "Slashdot Effect" DOS did not make the top 20.

Re:Clueless FBI

[davidstrauss]

Interesting that all but one of the UNIX probs can also be traced to Windows. Apache runs on on Unix and Windows. FTP, RPC etc etc

Apache is optimized and was originally designed for Unix. FTP is a standard Internet protocol that likely had its origins in Unix. While the problems you state afflict Windows and Unix alike, they cannot be "traced to Windows." They should be under a generic category for all systems, as HTTP and FTP servers are, in general, large security risks, if caused by nothing more than improper setup.

Missing the most obvious vulnerability...

[Zspdude]

The user. Windows OR Unix.

Their SNMP experts aren't experts...

[hardaker]

Here's a note I just sent to their web master (they had no other place to send "comments"):

Overall the top20 list is a good summary as always.

However, I can't believe the lack of knowledge about at least the SNMP portion of it. SNMP *used to use* clear-text community strings in the first and second versions of the protocols. The following statement, along with others in the section:

'SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough...'

Is spreading simply incomplete information. At a minimum, it should be suggested that all users upgrade their SNMP enabled software to version 3 compliant SNMP agents and to disable the version 1 and version 2 SNMP protocols. All of the major network vendors, as well as software vendors implement the v3 protocol so there is very little excuse for not using it (and, worst case you can deploy v3->v1 proxies near v1-devices to minimize the transmision distance of clear-text v1 community strings). *Please* change the wording to suggest that people upgrade their equipment to SNMPv3 compliant software, which will take care of at least the insecure problems with the protocol.

Re:Am I the only one that noticed...

[lugonn]

...the fact that only one(u10) Unix vulnerablity has to do with the OS itself, and the rest are program related. All of which can easily be removed without harm to your boxen.

However, 4(w4, w5, w7, w10) of the Win vulnerabilities are integral parts of the OS so you can't remove/fix them without hosing your PC.

Gee, which OS is more secure...looks like *nix again. So no, they are completely different.

meaningful typo

[darkonc]

In the article, it says:
Nearly all Linux systems and many other Unix systems come with Apache installed and often by fault enabled.

Although I presume that they meant to say 'by default enabled', I (like many others) feel that it is an error to have most facilities enabled by default. Thus the default is IMHO a fault.

I would much rather have various facilities disabled by default, with easily-accessible tools which enable those facilities (and give appropriate security warnings). Manufacturers, like sun, who ship machines with everything and their dogs enabled should be hung by their toes and beaten mercilessly with burnt-out '286s.
The standard defence that most of these systems ship to sites with well-traind sysadmins who know what to disable is silly. If a site has well-trained sysadmins, then they should know how to enable the required facilities. Sites without well trained sysadmins probably don't have good security, either, and most desparately need to have all of those holes covered when the system ships.

For admins who care more about getting a system running easily than they do about security, vendors like sun could have a program (named 'goahead-shootme') that enables all facilities just like the old (de)fault had it. Better yet, of course, would be a simple menu-driven / GUI program that allowed you to turn on/of various facilites and daemons (and possibly even provided an explanation of why). -- Bastille Linux comes to mind...