Slashdot Mirror


The Web's 20 Worst Security Flaws

XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."

4 of 214 comments

  1. not just "the web" by UnderAttack · · Score: 4, Informative

    These flaws cover more than just "the web".
    They include things like weak passwords and non-web network threats.

    --
    ---- join dshield.org Distributed Intrusion Detec
  2. Re:In my opinion by ttldkns · · Score: 4, Informative

    Crack sites and (my friend told me this) some pron sites used to have XPI install spyware (but you had to click ok to install it).

    This was fixed by the mozilla dev team's implementation of a XPI installer website whitelist consisting of (by default) just mozdev.org. The user can add other sites though, should they want to.

    --
    How many computers are too many?
  3. Re:Only 7? by endofoctober · · Score: 4, Informative

    The numbers may not matter, but the response to the threats from both organizations matters very much. Of the 7 flaws in Mozilla, all have been fixed as of Moz1.7/FF.9 whereas of IE's 15 vulnerabilities, only 6 have vendor patches.

    --
    - Jack
  4. Re:Only 7? by ArbitraryConstant · · Score: 4, Informative

    OpenSSH is on by default in OpenBSD. The one hole in 8 years was in OpenSSH. OpenSSH is the only service visible to the outside that's on by default.

    The forked Apache in OpenBSD is much more secure than any you'd find elsewhere. On top of all the patches rejected by the Apache people for various reasons and thus not distributed to anyone else, it benefits from W^X protection (on i386, which no one else has) and ProPolice (it's not that widely used, some of the userspace stuff in Linux seems to use it but the kernel doesn't). This has turned a bunch of arbitrary code exploits into DoSes, which merely crash the server process.

    The ftpd in the base install as well as everything else benefits from W^X and ProPolice. W^X is handled by the system, and ProPolice is used by default on anything you compile. Therefore, unless you work pretty hard to avoid it, anything that's run on OpenBSD benefits from the added protection. As a result, it's more secure because exploits aren't always exploitable on the platform.

    DoS issues are still patched, but the difference is that they're not exploitable before the patch is issued.

    --
    I rarely criticize things I don't care about.
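The comment above describes ProPolice turning code-execution bugs into crashes. As an added illustration that is not part of the thread or of OpenBSD's own code, the C model below reproduces the ProPolice frame ordering (local buffer placed below a guard word, guard placed below the saved return address) inside an ordinary struct, so an unchecked copy is caught by the guard check before it can reach the return slot. The guard value, the stand-in return address and the inputs are all constructed for the demonstration.

```c
/* Added example (not from the thread): a model of the ProPolice/SSP stack
 * layout. The "frame" is a struct so the demonstration stays within defined
 * behaviour; real ProPolice instruments the compiler-generated frame and uses
 * a random guard chosen at process start. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN   16
#define SAVED_RET 0xdeadbeefcafef00dULL   /* constructed stand-in for a return address */

/* Layout modelled on ProPolice: arrays sit lowest, then the guard, then the
 * saved frame pointer / return address. Any linear overflow out of buf must
 * overwrite guard before it can touch saved_ret. */
struct frame {
    char     buf[BUF_LEN];
    uint64_t guard;       /* random canary in real SSP; fixed value here */
    uint64_t saved_ret;
};

enum outcome { FRAME_OK = 0, GUARD_TRIPPED = 1 };

/* Copy n bytes of input into buf with no bounds check (the modelled bug),
 * then run the epilogue guard check. n is clamped to the frame size so the
 * model never writes outside the struct. Returns GUARD_TRIPPED where real
 * ProPolice would abort the process (a crash, i.e. DoS, not a hijack). */
int model_copy_and_check(const char *input, size_t n, uint64_t guard_value,
                         uint64_t *ret_out)
{
    struct frame f;
    f.guard = guard_value;
    f.saved_ret = SAVED_RET;
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);                 /* unchecked copy starting at buf */
    if (ret_out) *ret_out = f.saved_ret;  /* what the epilogue would "return to" */
    return f.guard == guard_value ? FRAME_OK : GUARD_TRIPPED;
}

int main(void)
{
    char big[32];
    uint64_t ret;
    memset(big, 'A', sizeof big);         /* constructed oversized input */
    int r = model_copy_and_check(big, sizeof big, 0x1122334455667788ULL, &ret);
    printf("guard %s, saved return %s\n",
           r == GUARD_TRIPPED ? "tripped" : "intact",
           ret == SAVED_RET ? "intact" : "overwritten");
    return 0;
}
```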