The Web's 20 Worst Security Flaws
XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."
These flaws cover more than just "the web".
They include things like weak passwords and non-web network threats.
---- join dshield.org Distributed Intrusion Detec
Fortunately for now, security through obscurity prevails for Firefox, since most exploits will likely target IE users. However, Firefox's development model is inherently better than IE's with regards to security, since the status of these vulnerabilities is known to all and they are fixed much more quickly. Why Microsoft is still in the browser game with their lame, few-and-far-between updates is beyond me.
Is slashdotting a vulnerability?
...Internet Explorer with 15 flaws and Mozilla with only 7
Err... at this point, does it really matter? It's useful to compare BIND against djbdns (many security flaws vs. none), or Linux against OpenBSD (many security flaws vs. one remote hole in 8 years), but 15 flaws vs. 7 flaws? To me, that just says that both browsers are horribly insecure, and slightly more effort has been put into finding flaws in MSIE.
Tarsnap: Online backups for the truly paranoid
...seems to feel that posting a link to it on slashdot is a vulnerability.
How many computers are too many?
I'm a fool for not using the &lt;.
Windows with 95% has 10 of the top 20 vulnerabilities
Unix with 5% also has 10 of the top 20 vulnerabilities.
I think the stats speak for themselves as to which is more secure. If Win boxes can take such a phenomenal market share and still only have the same number of 'top' vulnerabilities, that's putting it 19 times more secure.
RST
Doesn't everyone that reads /. know that MS IE is a gaping security vulnerability by now. Do we *really* need to keep harping on it like a bunch of smug self-righteous motherfuckers?
I've always said that spyware was caused by Internet Explorer being so popular.... If Firefox keeps up the rate of growth it's doing, I don't think it will be that long until we see spy/malware targeting Firefox as well....
Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.
Don't think I'm trolling but this is like saying the USA has 27,000 nuclear weapons whereas Russia has only 13,000.
Banu
Maybe it's the fact that their browser has been the dominant browser for years, and still is? It's just that simple. Compared to firefox, their browser looks bad, but that's always the case. There's (nearly) always some small project in the wings that's better than the one that controls the market.
Because Microsoft wants to be in EVERY game, win or lose. They started out as an OS company, then later became a word processing, database, browser making, video game company. M$ management is the classic "I want that Feature, because I said so" type.
Top Vulnerabilities to UNIX Systems
1. A fool with root access.
I think the stats speak for themselves as to which is more secure. If Win boxes can take such a phenomenal market share and still only have the same number of 'top' vulnerabilities, that's putting it 19 times more secure. From the summary:
"The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities."
The two lists are not competing with each other; it is simply the top 10 Win vulns and the top 10 Unix vulns. It's not a top 20 list where there happen to be 10 vulnerabilities for each OS.
She's built like a steak house, but she handles like a bistro....
Either he's an idiot or he's funny, I prefer to give people the benefit of the doubt :-)
What are the major threats against Mac OS X? Granted a lot of the underpinnings of Mac OS X are BSD userland cousins, but the default install locks down the OS quite a bit. Is my Safari going to let me "owned" like IE? Should I be paying attention to the threats on Linux userland apps? Or is it all "Don't Worry, Be Happy" for Mac users?
Strange women lying in ponds distributing swords is no basis for a system of government.
If not ...
The article separately lists the top 10 Windows and top 10 Unix vulnerabilities. In this case, Top 10 plus Top 10 does not necessarily equal Top 20.
Sort of like if you considered the Top 10 fastest race cars at a Nascar race and the Top 10 fastest race cars at a soapbox derby race - the resulting list wouldn't be the Top 20 fastest race cars.
Oh yea I feel so much safer after reading about all these security flaws :(
roamingfeet
The number of vulnerabilities is far less important than the impact of these vuln.
btw, I reported this news yesterday^Wthis morning... but was ignored.
I thought they started out as a language company.
Shows what I know.
Writers imply. Readers infer.
Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with only 15 flaws and Mozilla with 7!!!"
I thought it was well known that MS copied the ASN.1 parser from OpenSSL and was vulnerable to the same flaws.
Excellent campaign-trail mathematics! Karl Rove has a job waiting for you.
Shop as usual. And avoid panic buying.
It's more like "We haven't come up with anything innovative since Windows 95, but still want to make wads of cash".
That's why they jump on anything that looks like it might be taking off, i.e. their own music store, game console, etc.
1) Does Windows XP count as 1 flaw or 10?
2) I suppose it can't be more than 5 'cause it has to make room for Windows 2003
3) Where's Didio of yankem grope to tell us all that those *nix flaws are really SCO Unix flaws that they've copied over?
4) FLAWS? I'm all for FLOSS -- ask Perens!
5) ESR waves hand -- "These are not the ports you're looking for."
6) Security Flaws? Ha! Here in Redmond, we call it Innovation(TM) Why do you think we call it Trashwor...um, Trustworthy Computing?
Number 1 in flaws that is.
They list peer to peer as a Windows vulnerability?! That makes about as much sense as saying me taking a sledgehammer to your computer is a Unix vulnerability.
1.) Being Slashdotted
I don't think you know shit about Microsoft management.
Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."
Huh? When was the last time you heard of somebody getting infected through a Mozilla hole?
Cry "security through obscurity" all you want, it still doesn't excuse the fact that they can in no way be counted as some of "the web's worst security flaws". They'd actually have to have a widespread effect on people to even make the short-list.
Ah, yes - Slashdotting: The Original DOS Attack
Accept no substitutes.
Nope. Traffic light controller programming. The Gates III lifted the source for BASIC from the trash, his mommy arranged for him to sell an OS (MSDOS) to IBM (which Gates III then had to rush out and buy from someone else).
Microsoft began as a language company (BASIC interpreters for microcomputers) in 1975. Microsoft.
well it ended up being insightful, but usually the explain-the-obvious-joke posts are moded informative.
...everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.
I don't think security flaws in something as commonly used as a web browser should ever be noted as "only" a certain number. Sure Mozilla beat IE, but the point still remains that it had 7 too many. I'll have to read this list when I get a chance and see how many of those were really windows issues and mozilla just passed the data on.
(And yes I know you'll never have bug free software)
can't sleep slashdot will eat me
The entire 56 page report is available in pdf. Lets be sure to slashdot both their servers:
http://files.sans.org/top20.pdf (351KB)
Several reasons:
1. They wove IE into the OS for political reasons, and it's probably impractical to extract it.
2. XUL is threatening what Netscape once threatened, namely getting rid of the applications barrier to entry that preserves the OS monopoly.
3. MS can't be perceived as ever having lost. The image of the invincible monolith must be preserved.
This has to be one of the least funny posts on /. in, well, days. Considering the crap that gets posted here, you can truly feel special.
Well now.. Of course IE has more known security issues than Mozilla. IE is used on 94% of all PCs (IIRC). Mozilla-based browsers thus account for less than 6% (I seem to remember Opera being two percent, which brings Mozilla to max 4%).
I don't use IE. I don't like IE. But this is like comparing apples and oranges. The number of security flaws found in mozilla would probably be a lot higher if it had the same installed user-base. Why can't people get this simple fact? Why are we so dependent on bashing "the great enemy"? Get a life people...
However, Firefox's development model is inherently better than IE's with regards to security, since the status of these vulnerabilities is known to all and they are fixed much more quickly
Unfortunately, not all Firefox vulnerabilities are known to all, and nor are they fixed "quickly".
In cases where the bug is made public, this is true. For cases where they sweep the bug in the rug and keep it from showing publicly in the bug database while they argue amongst themselves if they're really going to fix it, vulnerabilities have been left in the code for years.
I find it interesting how there are 13 ports that are most exploited and are specific to Microsoft products. Is it me, or does that sound like a really good reason not to run Microsoft Windows?
...that Mozilla isn't half bad! :)
This thread is veering way off topic, and I realize this, but there are a couple of important issues here that need to be addressed. (Please don't mod me down.
1) Firefox is about as secure and obscure as any of the less. There are a multitude of different browsers out there now, and undeniably companies like Espial and Opera have lost a lot of ground to the popularity of Firefox. Hackers have the implicit goal of doing something because they can. Exploiting holes in a piece of software starts as a "I will see if I can do this" and may eventually turn into a "Let's see who I can #$%^ over" plan. It varies. If Firefox had the most number of seats it could still be a target.
2) MS is a business, and businesses try to make wads of cash anywhere they can. Every MS technical success also has a large number of accompanying failures. Businesses have focus changes; some are successful and some are not. The free market (voting with dollars) decides who will be around.
Cases in point:
a) Sun started losing ground in the server market, so they started looking to Java as their next savior.
b) SGI started losing ground in the graphics workstation market and got behind OpenGL as a standard.
c) Be, Inc changed focus from their operating system to Information Appliances and it wound up with them filing for bankruptcy.
d) Apple gave up on the Pippin and the Newton, but they started doing iPods because they wanted to have a me-too with the Rios and Creative Nomads.
e) Sony walked right in and created its own games console when Nintendo and Sega were making cash hand over fist. It paid off for them.
f) Many companies created Doom knockoffs in the 90s and everyone and their brother now are trying to make silly bowling games for cell phones. Businesses are copycats. If they see success in an area, it is much easier to imitate (and litigate) than to innovate.
The point behind all of these stories is that you have to diversify and change directions in order to stay afloat in business; With or without any implied innovation. MS, as well as any big business has a lot of potential to stagnate, and diversifying markets is not a bad idea. MS is just one target of stagnation out of many.
Your insider knowledge is quite amazing. How on earth do you know that what you say is true? Can you quantify your allegations? If so, provide proof please. Otherwise, please keep your paranoia to yourself.
I thought it was well known that MS copied the ASN.1 parser from OpenSSL and was vulnerable to the same flaws.
Because it is nowhere near the top ten for Windows.
1. Microsoft
2. Microsoft
3. Microsoft
4. Microsoft
5. Microsoft
6. Microsoft
7. Microsoft
8. Microsoft
9. Microsoft
10. Microsoft
11. Microsoft
12. Microsoft
13. Microsoft
14. Microsoft
15. Microsoft
16. Evil virus writers
17. Microsoft
18. Microsoft
19. Microsoft
20. Microsoft
Traf-O-Data wasn't MS.
Bill and Paul chasing bugs in the Computer Center Corporation wasn't MS.
IBM wanted to buy CP/M from Digital but Kildall wouldn't come to terms.
MS did, and purchased a CP/M-like OS that they then rewrote for IBM.
Writers imply. Readers infer.
The mods understood. Well, two of them. I've no idea why I was modded insightful.
Be, Inc went out of business because of Microsoft's unethical and illegal business practices. Palm eventually won that lawsuit and received a tidy settlement from Microsoft.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Microsoft did indeed have anticompetitive practices that they conceded to by paying out for the lawsuit. However, it is not the sole reason. (NetPositive still has the least number of exploits around. ;))
You cannot blame Microsoft for the fact that as a company they "shifted focus" and sent out press releases stating so. Having a business is a gamble. Microsoft took the blame because they were the biggest monopolist around.
It could have just as easily been Apple that the lawsuit was targeted at.
... because I always believed that it was impossible that MS gathered all the insecure developers nor undervalued security that much. I believe that secure code is hard to write, period.
So when I run a Windows emulator under Linux, do I get all 20 of them?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
In cases where the bug is made public, this is true. For cases where they sweep the bug in the rug and keep it from showing publicly in the bug database while they argue amongst themselves if they're really going to fix it, vulnerabilities have been left in the code for years.
You are saying this in regards to Firefox, but we know that Microsoft has done just such things in IE. Do you have any proof of this as regards Firefox?
And by "tidy" you mean a miniscule kissoff of $23Million.
Go into the registry to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters
You'll see a string value called "TransportBindName". The default value for that string is "\Devices\". Delete \Devices\ and reboot. Port 445 will close.
If you have a new version of Mozilla/Firefox you are not susceptible to any of the flaws. Whereas if you have a completely patched Windows machine and are running IE, you are still susceptible to 10 of the bugs, unless you set some settings in your preferences.
But the Criminal Monopoly simply don't care either about other people's security, or about their browser, which was only intended to kill Netscape. As that has been more or less accomplished, they are simply not interested any more. What is more, in common with other Monopoly products, the underlying codebase has probably become such a mess that it would be better to throw it away and start again, but the paranoid megalomaniac Bill would have too many tantrums if someone was brave enough to tell him the truth.
The first 'vulnerability' listed is "Web Servers/ Web Services." While these can be implemented insecurely, they are not implicitly security weaknesses. A more useful list would have stated implicit examples of the most common mistakes implementing the most commonly used technologies- things like open SMTP relays, DNS servers that accept false dns responses, etc.
This article is some proof showing that the security 'industry' is infected by a lot of frauds who don't even understand its terminology.
The parent poster is actually correct. I'm not going to go to the trouble of digging up the links right now, but if you go back and look at the past few Firefox vulnerability Slashdot stories you'll see the links to Bugzilla that state that many of the problems (for instance, the shell: exploit) have not only been known for years before being fixed, but only had their status changed from "confidential" to "public" soon after the fix was released.
"Outlook Express (OE) is a basic email & contact management client, bundled with Internet Explorer since the earliest versions - which itself has been an integral part of all versions of Microsoft Windows starting with Windows 95"
Didn't MS start bundling IE with Windows 98 ?
wtf?????????? this shit is trolling, it's not even funny. somebody mod this idiot down.
Uh, isn't anyone else a little bothered by the fact that Internet Explorer, used by like 95% of the web, has 15 vulnerabilities, but Mozilla which is only in the 1% or so percentile (according to Zeitgeist when it was back up) already has 7 major vulnerabilities? You'd think such a relatively less-used program compared to IE wouldn't have close to half of IE's vulnerabilities already. It really hasn't been good for Mozilla/Firefox lately.
To date no security exposures have been identified in IIS 6.0
TROLL
TROLL
TROLL
rebeka thomas is a TROLL
http://shit.slashdot.org/article.pl?sid=04/10/09/1728243
ONLY 7?
The higher the technology, the sharper that two-edged sword.
..that one big time.
Actually, the original post was marked Interesting with no children when I replied, and I thought to myself, "That can't be right! It probably should be Funny!" So I spent too long typing, and ended up with Insightful. If I type any worse, I'm going to have GREAT karma without trying.
This is slashdot. Nobody knows shit about anything here. The trick is to make it look like you know slightly less shit than the person you're arguing with.
And Traf-O-Data was just smoke and mirrors, anyway. Turns out that the Gatester's widely-reported first foray into computer services never made a dime - the $20,000 contract reported in most biographies turned out to be a bit of "feature enhancement".
Personally, I'm startled by the idea that you would continue to post here when you obviously hate Slashdot, its clientele, and everything it stands for.
Why don't you go post on a pro-M$ site. I'm sure you'll find you get a much warmer reception there.
Be went out of business because no-one bought their OS. One of the main reasons no-one bought their OS was because it never made it out of beta.
...are:
1) Sun's default echo '+ +' > ~/.rhosts
2) NIS
3) NFS
these things led to massive compromises
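The first item in that list is the one worth a concrete check. An `.rhosts` or `/etc/hosts.equiv` line of `+ +` tells rlogind/rshd to trust any user from any host with no password, and a lone `+` in the host field trusts every host. The audit below is an added example, not part of the post or the SANS report; the file paths, the `Finding` type and the sample lines in the test are my own constructions. It parses the trust-file syntax (host, optional user, `#` comments, `+@netgroup` entries) and also flags group- or world-writable files, since the r-services are supposed to ignore those but a sloppy build may not.

```python
"""Audit .rhosts / hosts.equiv trust files for wildcard ("+") entries.

Added example; not code from the SANS report or the thread. It looks for
the classic hole above: '+ +' in ~/.rhosts (or '+' in /etc/hosts.equiv)
lets any host / any user in via rsh, rlogin and rcp without a password.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    source: str   # label for the file the line came from
    lineno: int   # 1-based line number, 0 for whole-file findings
    line: str
    reason: str


def _parse_line(raw: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (host, user) for a trust-file line, or None for blank/comment."""
    text = raw.split("#", 1)[0].strip()        # '#' starts a comment
    if not text:
        return None
    fields = text.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    return host, user


def audit_trust_text(text: str, source: str = "<string>") -> List[Finding]:
    """Return a Finding for every dangerous line in a hosts.equiv/.rhosts body."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        parsed = _parse_line(raw)
        if parsed is None:
            continue
        host, user = parsed
        if host == "+" and user == "+":
            reason = "any user from any host trusted ('+ +')"
        elif host == "+":
            reason = "any host trusted ('+' host field)"
        elif user == "+":
            reason = f"any user on {host} trusted ('+' user field)"
        elif host.startswith("+@") or (user is not None and user.startswith("+@")):
            reason = "NIS netgroup trust; verify the netgroup membership"
        else:
            continue
        findings.append(Finding(source, lineno, raw, reason))
    return findings


def audit_tree(root: str) -> List[Finding]:
    """Audit <root>/etc/hosts.equiv and every .rhosts file below <root>.

    root is '/' on a live box, or a scratch directory when testing."""
    findings: List[Finding] = []
    candidates = [os.path.join(root, "etc", "hosts.equiv")]
    for dirpath, _dirs, files in os.walk(root):
        if ".rhosts" in files:
            candidates.append(os.path.join(dirpath, ".rhosts"))
    for path in candidates:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
        except OSError:
            continue                             # absent or unreadable: nothing to report
        findings.extend(audit_trust_text(body, path))
        if os.stat(path).st_mode & 0o022:        # group- or world-writable
            findings.append(Finding(path, 0, "", "file is group- or world-writable"))
    return findings


if __name__ == "__main__":
    import sys
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{f.source}:{f.lineno}: {f.reason}  [{f.line.strip()}]")
```

Run it as `python audit_rhosts.py /` on a host that still has the r-services installed; an empty result means no wildcard trust was found, not that rlogind is disabled, so pair it with a check that the r-services are actually turned off.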
I think it's pretty telling that the #3 issue on *nix is about how to make good passwords. That's a completely meat-space issue, not code. In fact, a solid half of the *nix list is just good administration practices.
Acts 17:28, "For in Him we live, and move, and have our being."
Great pun, but seriously, this reminds me of one story. There was a web-based service to conveniently change personal pages of people working in the lab (photo, bio, links to projects) where everyone was usually logged in permanently with never-expiring cookies (much like Slashdot). One day some students defaced the info page of one professor, changing his photo to the goatse.cx picture. I did the investigation (eventually leading to the expulsion of said students and further prosecution for sexual molestation--it was a public network with unfiltered access from the library used by minors) and what I found out was that they broke into the account by sniffing a password from HTTP traffic while the victim was changing it for security reasons! I checked it and she was the only person who kept changing her password. The password was a random string of 32 alphanumeric characters, changed every morning. Other people had passwords like "pass," "clit" or "arse" (I kid you not!) but those accounts were not broken into since those passwords were not changed periodically via HTTP, effectively remaining secret. The only person paying attention to security was the least secure one. Interesting, is it not? Since that very incident I always keep saying that security layers are like the layers of an onion indeed, but it is a rotten onion.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
It wasn't sent over SSL but of course it wasn't a simple:
Set-Cookie: LOGGED_USER=name; ...
but instead included enough information about the client encrypted and signed by the server that simply sending the same data by anyone else wouldn't work.
As an example please consider this simplified idea: the server verifies the password during the login and has to set the session cookie but instead of setting SESSION=username it sets the cookie to SESSION=$session where $session is:
$session = "$username:$signature";
while the $signature is:
$signature = md5_hex("$username:$ip:$secret");
With the $ip being the client's IP address and $secret being some secret string. Now, every time the client sends such a cookie, the server computes the $signature and compares it with the one in the cookie itself, thus making it impossible to use the cookie with someone connecting from a different IP. Of course I am greatly simplifying, but even such a poor man's digital signature using MD5 with a secret value can be quite effective, especially when more info is used.
Of course if the attackers were smarter they would try to invalidate the sessions of other logged-in users, thus forcing them to reauthenticate with their passwords, trying a monkey-in-the-middle attack, hijacking their TCP sessions, etc. but if they were smarter, they wouldn't insert pornography into public websites, now would they?
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
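The cookie scheme sketched in that reply, carried through to working code as an added example (this is not the lab's code; the secret, the function names and the IP addresses in the test are assumed). The cookie is `username:signature` with `signature = md5_hex("username:ip:secret")`, so a copy sniffed off the wire fails verification from any other address. Two things a practitioner adds on top of the post: the presented and expected signatures are compared in constant time, and a `use_hmac` switch shows the same binding done with HMAC-SHA256, which is the standard construction today rather than a bare hash over a secret.

```python
"""Poor man's IP-bound signed session cookie, as sketched in the post.

Added example, not the lab's code.  Cookie layout:
    SESSION=<username>:<signature>
    signature = md5_hex("<username>:<ip>:<secret>")     (as in the post)
Optionally HMAC-SHA256 over the same "<username>:<ip>:" message, which is
what you would actually deploy.  SECRET is a stand-in value.
"""
import hashlib
import hmac
from typing import Optional

SECRET = b"assumed-server-secret-change-me"   # hypothetical server-side secret


def _signature(username: str, ip: str, secret: bytes, use_hmac: bool = False) -> str:
    msg = f"{username}:{ip}:".encode()
    if use_hmac:
        # keyed MAC: the secret is the key, not part of the hashed string
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # md5_hex("$username:$ip:$secret") exactly as described in the post
    return hashlib.md5(msg + secret).hexdigest()


def make_session(username: str, ip: str, secret: bytes = SECRET,
                 use_hmac: bool = False) -> str:
    """Build the cookie value the server sets after a successful login."""
    if ":" in username or not username:
        raise ValueError("username must be non-empty and must not contain ':'")
    return f"{username}:{_signature(username, ip, secret, use_hmac)}"


def verify_session(cookie: str, ip: str, secret: bytes = SECRET,
                   use_hmac: bool = False) -> Optional[str]:
    """Return the username if the cookie is valid for this client IP, else None.

    The server recomputes the signature from the username in the cookie and
    the address the request arrived from; a cookie replayed from another
    address therefore never matches."""
    username, sep, presented = cookie.partition(":")
    if not sep or not username:
        return None
    expected = _signature(username, ip, secret, use_hmac)
    # constant-time compare so timing does not reveal how many digits matched
    if not hmac.compare_digest(presented, expected):
        return None
    return username


def replay_from_other_host(cookie: str, attacker_ip: str,
                           secret: bytes = SECRET) -> bool:
    """Simulate the sniffer's replay: True only if the stolen cookie is accepted."""
    return verify_session(cookie, attacker_ip, secret) is not None


if __name__ == "__main__":
    victim_ip, attacker_ip = "10.0.0.5", "10.0.0.77"   # constructed addresses
    cookie = make_session("prof", victim_ip)
    print("Set-Cookie: SESSION=" + cookie)
    print("victim request  ->", verify_session(cookie, victim_ip))
    print("replay by sniffer ->", replay_from_other_host(cookie, attacker_ip))
```

The binding is only as good as the IP the server sees: clients behind one NAT or proxy share an address, so a sniffer on the same LAN segment that the post describes would often be on the same outbound IP, and this scheme would not stop them. It also says nothing about the password itself crossing the wire in the clear, which is how the account was lost in the story.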
Firefox may be relatively obscure, as far as a browser goes, but the ways in which it attempts to be secure are not obscure. The source code is there for all to read. Oh... maybe you meant security through obfuscation?
Little used or no, (again, I'm seeing the share of it going *up*) that has absolutely *nothing* to do with the fact that IE has more security holes than Mozilla.
John_Chalisque
MS can't be perceived as having lost, so why not remind everyone that their database is called Access in order to cover up an older program.
Don't read my journal. I don't post there, honest guv.
Urine1diot, don't you have anything better to do?
Still trolling anonymously, Urine1diot? Wow, your webserver globally represents the worldwide web. Can't argue with that kind of research.
I'm sure he or she does, whoever he or she is bonch. Don't you have anything better to do (like trolling slashdot with yet another troll account)?
It's certainly more substantial than the numbers you pulled out of your ass, bonch. Why don't you give it up?
First you thought it was Disevidence that was following you and now you think it's Urine1diot? You might take a look at this list for more likely suspects. Moron.
That's a lot like saying 25% of road accidents are caused by drunk drivers, therefore 75% of accidents must be caused by sober drivers, and therefore you're safer driving drunk than sober.
"Give it up?" This coming from the person who denies that he has two other troll accounts? Whose said troll accounts are now all posting at -1? Give it up?
Seriously, dude, you need to get a life.
(posted by someone who is NOT Disevidence or Urine1diot or anyone else on this list.)