The Web's 20 Worst Security Flaws
XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."
These flaws cover more than just "the web".
They include things like weak passwords and non-web network threats.
---- join dshield.org Distributed Intrusion Detec
I think your interpretation is not quite correct. This was simply a pair of top 10 lists jammed together. It has nothing to do with instance or severity outside of their respective platforms.
OpenBSD's claim is for holes in a default install. Virtually no services are running in a default install.
Add OpenSSH, your ftp daemon of choice, apache etc. and the number of holes looks about the same as Linux. Both OSs do, after all, run mostly the same software.
Comparing MSIE vs Mozilla is useful, as both do the same job and are exposed to the internet in the same way.
Crack sites and (my friend told me this) some pron sites used to have XPIs install spyware (but you had to click OK to install it).
This was fixed by the Mozilla dev team's implementation of an XPI installer website whitelist consisting of (by default) just mozdev.org. The user can add other sites though, should they want to.
How many computers are too many?
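The whitelist the post describes is an allowlist of install origins. The snippet below is an added example, not Mozilla's code: it models such an allowlist in Python, seeded with the single default host the post names (mozdev.org), and shows why the check must compare the parsed host exactly rather than search the URL for the allowed name (a substring check would accept any URL that merely contains "mozdev.org"). Function names and the allowlist structure are assumptions for illustration.

```python
from typing import FrozenSet, Optional
from urllib.parse import urlsplit

# Constructed default allowlist, modelled on the post's description:
# by default only mozdev.org may offer XPI installs.
DEFAULT_INSTALL_ALLOWLIST: FrozenSet[str] = frozenset({"mozdev.org"})


def install_origin(url: str) -> Optional[str]:
    """Return the normalised host an install request comes from, or None
    if the URL has no usable http(s) host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # lower-case and drop a trailing dot so "MozDev.org." == "mozdev.org"
    return parts.hostname.lower().rstrip(".")


def naive_allowed(url: str, allowlist: FrozenSet[str] = DEFAULT_INSTALL_ALLOWLIST) -> bool:
    """The pitfall: a substring search over the whole URL.  Any path, query
    string, userinfo or look-alike domain containing the allowed name passes."""
    return any(host in url for host in allowlist)


def install_allowed(url: str, allowlist: FrozenSet[str] = DEFAULT_INSTALL_ALLOWLIST) -> bool:
    """The correct check: the parsed host itself must be in the allowlist."""
    host = install_origin(url)
    return host is not None and host in allowlist


def add_site(allowlist: FrozenSet[str], host: str) -> FrozenSet[str]:
    """User adds a site, as the post says they can; store the bare host only."""
    return allowlist | {host.lower().rstrip(".")}


if __name__ == "__main__":
    for candidate in (
        "https://mozdev.org/extension.xpi",
        "http://mozdev.org.attacker.example/extension.xpi",   # look-alike domain
        "http://attacker.example/?ref=mozdev.org",            # allowed name in query
        "http://mozdev.org@attacker.example/extension.xpi",   # allowed name as userinfo
    ):
        print(f"{candidate:55} naive={naive_allowed(candidate)!s:5} strict={install_allowed(candidate)}")
```

Running it shows the first URL passing both checks and the other three passing only the naive substring check, which is exactly the gap an origin-based allowlist has to close.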
I thought it was well known that MS copied the ASN.1 parser from OpenSSL and was vulnerable to the same flaws.
The numbers may not matter, but the response to the threats from both organizations matters very much. Of the 7 flaws in Mozilla, all have been fixed as of Moz1.7/FF.9 whereas of IE's 15 vulnerabilities, only 6 have vendor patches.
- Jack
The entire 56 page report is available as a PDF. Let's be sure to slashdot both their servers:
http://files.sans.org/top20.pdf (351KB)
OpenSSH is on by default in OpenBSD. The one hole in 8 years was in OpenSSH. OpenSSH is the only service visible to the outside that's on by default.
The forked Apache in OpenBSD is much more secure than any you'd find elsewhere. On top of all the patches rejected by the Apache people for various reasons and thus not distributed to anyone else, it benefits from W^X protection (on i386, which no one else has) and ProPolice (it's not that widely used; some of the userspace stuff in Linux seems to use it but the kernel doesn't). This has turned a bunch of arbitrary code exploits into DoSes, which merely crash the server process.
The ftpd in the base install as well as everything else benefits from W^X and ProPolice. W^X is handled by the system, and ProPolice is used by default on anything you compile. Therefore, unless you work pretty hard to avoid it, anything that's run on OpenBSD benefits from the added protection. As a result, it's more secure because exploits aren't always exploitable on the platform.
DoS issues are still patched, but the difference is that they're not exploitable before the patch is issued.
I rarely criticize things I don't care about.
Outlook != Outlook Express. Outlook comes with Office, OE comes with IE, and they both suck.
I wouldn't take SANS's list of browser security holes too seriously. It lists the most publicized holes in Mozilla rather than the most serious holes. (To get a list of the most serious holes, look at the "critical severity, high risk" holes (marked in red) on mozilla.org's list.) SANS's list includes the Mozilla XPInstall Dialog Box Security Issue, which was fixed a few months ago, but fails to mention that a fully-updated version of IE in SP2 is still vulnerable. Under the list, SANS claims that Firefox does not have automatic updates, which is false.
The shareholder is always right.
It makes as much sense as listing "Web browsers" as a Windows vulnerability. If you read the sections on Web browsers and P2P apps, you'll see that they're talking about specific vulnerabilities in Web browsers and P2P apps, not Web browsers and P2P apps themselves.
Great pun, but seriously, this reminds me of one story. There was a web-based service to conveniently change personal pages of people working in the lab (photo, bio, links to projects) where everyone was usually logged in permanently with never-expiring cookies (much like Slashdot). One day some students defaced the info page of one professor, changing his photo to the goatse.cx picture. I did the investigation (eventually leading to expelling said students and further prosecution for sexual molestation--it was a public network with unfiltered access from the library used by minors) and what I found out was that they broke into the account by sniffing a password from HTTP traffic while the victim was changing it for security reasons! I checked it and she was the only person who kept changing her password. The password was a random string of 32 alphanumeric characters, changed every morning. Other people had passwords like "pass," "clit" or "arse" (I kid you not!) but those accounts were not broken into since those passwords were not changed periodically via HTTP, effectively remaining secret. The only person paying attention to security was the least secure one. Interesting, is it not? Since that very incident I always keep saying that security layers are like the layers of an onion indeed, but it is a rotten onion.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
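The lesson of the story above is that a strong password does not help when the password-change form itself, and the never-expiring session cookie, travel over plain HTTP where anyone on the network can read them. The following is an added example, not part of the post, showing the kind of check an administrator could run over captured request traffic to find exactly that exposure: it parses a few constructed HTTP requests (sample data made up for the example, not real traffic), skips anything sent to the TLS port where a sniffer cannot see the body, and reports requests that carry credential-looking form fields or a session cookie in the clear. Field-name patterns, the `lab.example` host and all function names are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Form field names that would reveal a credential if sent in the clear (assumed pattern).
CREDENTIAL_FIELD = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)


def build_request(method: str, path: str, headers: List[Tuple[str, str]], body: bytes = b"") -> bytes:
    """Assemble a raw HTTP/1.1 request so the constructed samples have correct framing."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


FORM = [("Content-Type", "application/x-www-form-urlencoded")]

# Constructed captures as (destination port, raw request); modelled on the story:
# a logged-in user changing her password over plain HTTP, plus ordinary page views.
CAPTURED: List[Tuple[int, bytes]] = [
    (80, build_request("POST", "/account/password",
                       [("Host", "lab.example"), ("Cookie", "session=7f3a9c")] + FORM,
                       b"old_password=kX9mQ2...&new_password=Pv4nR8...&confirm=Pv4nR8...")),
    (80, build_request("GET", "/people/jdoe", [("Host", "lab.example"), ("Cookie", "session=7f3a9c")])),
    (80, build_request("GET", "/public/index.html", [("Host", "lab.example")])),
    (443, b"\x16\x03\x01\x00..."),  # TLS record: body is not visible to a sniffer
]


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(captures: List[Tuple[int, bytes]]) -> List[Dict[str, object]]:
    """Report plain-HTTP requests exposing credential fields or a session cookie."""
    findings: List[Dict[str, object]] = []
    for dst_port, raw in captures:
        if dst_port == 443:
            continue  # encrypted: nothing for a passive sniffer to read
        method, path, headers, body = parse_request(raw)
        fields = set()
        # credentials may sit in the query string as well as in a form body
        fields.update(n for n in parse_qs(urlsplit(path).query, keep_blank_values=True) if CREDENTIAL_FIELD.search(n))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields.update(n for n in parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
                          if CREDENTIAL_FIELD.search(n))
        has_session = "cookie" in headers
        if fields or has_session:
            findings.append({"method": method, "path": path,
                             "credential_fields": sorted(fields), "session_cookie": has_session})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(CAPTURED):
        print(finding)
```

On the constructed captures the report flags the password-change POST (both the old and new password fields plus the session cookie in the clear) and the page view that carries the same cookie, while the anonymous request and the TLS connection produce nothing. The practical fix the story implies follows directly: serve the login and password-change forms only over TLS, and give the session cookie an expiry instead of letting it live forever.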