Slashdot Mirror


The Web's 20 Worst Security Flaws

XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."

17 of 214 comments

  1. Ok I'm sure I'll get slammed for this but... by otlg · · Score: 4, Insightful

    Doesn't everyone who reads /. know by now that MS IE is a gaping security vulnerability? Do we *really* need to keep harping on it like a bunch of smug, self-righteous motherfuckers?

    1. Re:Ok I'm sure I'll get slammed for this but... by LGagnon · · Score: 2, Insightful

      IE is still the most "popular" browser, so yes, we do have to. Until other browsers have greater or equal market share, there's a need to inform all those who still use IE (and yes, this includes some people on Slashdot).

  2. In my opinion by Ziak · · Score: 4, Insightful

    I've always said that spyware was caused by Internet Explorer being so popular.... If Firefox keeps up the rate of growth it's doing, I don't think it will be that long until we see spy/malware targeting Firefox as well....

    --
    Loading Please Wait....
  3. 7 is not `only' by mukund · · Score: 4, Insightful

    Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.

    Don't think I'm trolling but this is like saying the USA has 27,000 nuclear weapons whereas Russia has only 13,000.

    --
    Banu
    1. Re:7 is not `only' by ricotest · · Score: 4, Insightful

      Also, 'flaw' is stupidly vague. There's a big difference between 'sometimes the Slashdot page isn't rendered correctly' and 'a JPEG image allows remote code execution'. From a quick look at the article, however, it covers 'vulnerabilities', which is more specific: data loss, remote code execution and crashes.

      Still, I agree with the parent - this is an AvP situation. Whoever 'wins' with the least problems, we still lose.

    2. Re:7 is not `only' by fireboy1919 · · Score: 4, Insightful

      RTFA. It's more like saying that USA has 27,000 nuclear weapons and Russia has 13,000, but they've all been disarmed.

      Not only do the Mozilla vulnerabilities not actually allow much of an attack, but they've all been fixed in the latest versions of the browser.

      This is not true on the Windows side, as Secunia recommends disabling or switching browsers to deal with a lot of the bugs.

      --
      Mod me down and I will become more powerful than you can possibly imagine!
    3. Re:7 is not `only' by mdfst13 · · Score: 2, Insightful

      Not just that, but there is also overlap. I.e. most of the Mozilla vulnerabilities also apply against IE. If the basic issue were solved (for example, the JPEG flaw in MS Windows), then Mozilla wouldn't have to add code to catch OS and protocol level flaws.

      The shell: vulnerability is a perfect example of this. Mozilla didn't fix anything. They simply decided that the shell: protocol was so incredibly insecure that they would disable it entirely. IE is still vulnerable, as the protocol still sucks. Now, though, people using IE have to click the "run from remote location" button rather than "Save As" in order to get cracked.

  4. Re:Firefox vulnerabilities IE vulnerabilities by superpulpsicle · · Score: 2, Insightful

    Because Microsoft wants to be in EVERY game, win or lose. They started out as an OS company, then later became a word processing, database, browser-making, video game company. M$ management is the classic "I want that feature, because I said so" type.

  5. That should be... by Anonymous Coward · · Score: 5, Insightful

    Top Vulnerabilities to UNIX Systems
    1. A fool with root access.

  6. Erm no. by colonslashslash · · Score: 2, Insightful

    Windows with 95% has 10 of the top 20 vulnerabilities. Unix with 5% also has 10 of the top 20 vulnerabilities.

    I think the stats speak for themselves as to which is more secure. If Win boxes can take such a phenomenal market share and still only have the same number of 'top' vulnerabilities, that's putting it 19 times more secure. From the summary:

    "The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities."

    The two lists are not competing with each other; it is simply the top 10 Win vulns and the top 10 Unix vulns. It's not a top 20 list where there happen to be 10 vulnerabilities for each OS.

    --
    She's built like a steak house, but she handles like a bistro....
  7. You were going for the Funny mod, right? by wasted · · Score: 4, Insightful

    If not ...
    The article separately lists the top 10 Windows and top 10 Unix vulnerabilities. In this case, Top 10 plus Top 10 does not necessarily equal Top 20.

    Sort of like if you considered the Top 10 fastest race cars at a NASCAR race and the Top 10 fastest race cars at a soapbox derby race - the resulting list wouldn't be the Top 20 fastest race cars.

  8. Re:Firefox vulnerabilities IE vulnerabilities by Inthewire · · Score: 2, Insightful

    I thought they started out as a language company.
    Shows what I know.

    --
    Writers imply. Readers infer.
  9. Re:not just "the web" by DarkSarin · · Score: 4, Insightful

    Remember this: if the attackers have physical access to the machine, there is almost no security to speak of. You may be able to limit access to one machine at a time (thus preventing intranet assaults), but once an attacker is sitting at the computer in question, there is very little that they cannot do. This is true for both Windows and Linux. Even password theft is possible on Linux, given the right amount of time.

    Certainly some attacks take longer, but in general, if they have your machine, it's too late for security!

    --
    "We don't know what we are doing, but we are doing it very carefully,..." Wherry, R.J. Personnel Psychology (1995)
  10. Re:Firefox vulnerabilities IE vulnerabilities by jejones · · Score: 3, Insightful

    Several reasons:

    1. They wove IE into the OS for political reasons, and it's probably impractical to extract it.

    2. XUL is threatening what Netscape once threatened, namely getting rid of the applications barrier to entry that preserves the OS monopoly.

    3. MS can't be perceived as ever having lost. The image of the invincible monolith must be preserved.

  11. Re:Firefox vulnerabilities IE vulnerabilities by Anonymous Coward · · Score: 2, Insightful

    However, Firefox's development model is inherently better than IE's with regards to security, since the status of these vulnerabilities is known to all and they are fixed much more quickly.

    Unfortunately, not all Firefox vulnerabilities are known to all, and nor are they fixed "quickly".

    In cases where the bug is made public, this is true. For cases where they sweep the bug under the rug and keep it from showing publicly in the bug database while they argue amongst themselves about whether they're really going to fix it, vulnerabilities have been left in the code for years.

  12. Re:Firefox vulnerabilities IE vulnerabilities by HellYeahAutomaton · · Score: 2, Insightful

    This thread is veering way off topic, and I realize this, but there are a couple of important issues here that need to be addressed. (Please don't mod me down. :)

    1) Firefox is about as secure and obscure as any of the less. There are a multitude of different browsers out there now, and undeniably companies like Espial and Opera have lost a lot of ground to the popularity of Firefox. Hackers have the implicit goal of doing something because they can. Exploiting holes in a piece of software starts as an "I will see if I can do this" and may eventually turn into a "Let's see who I can #$%^ over" plan. It varies. If Firefox had the largest number of seats, it could still be a target.

    2) MS is a business, and businesses try to make wads of cash anywhere they can. Every MS technical success also has a large number of accompanying failures. Businesses have focus changes; some are successful and some are not. The free market (voting with dollars) decides who will be around.

    Cases in point:

    a) Sun started losing ground in the server market, so they started looking to Java as their next savior.

    b) SGI started losing ground in the graphics workstation market and got behind OpenGL as a standard.

    c) Be, Inc changed focus from their operating system to Information Appliances, and it wound up with them filing for bankruptcy.

    d) Apple gave up on the Pippin and the Newton, but they started doing iPods because they wanted to have a me-too with the Rios and Creative Nomads.

    e) Sony walked right in and created its own games console when Nintendo and Sega were making cash hand over fist. It paid off for them.

    f) Many companies created Doom knockoffs in the 90s, and everyone and their brother is now trying to make silly bowling games for cell phones. Businesses are copycats. If they see success in an area, it is much easier to imitate (and litigate) than to innovate.


    The point behind all of these stories is that you have to diversify and change directions in order to stay afloat in business, with or without any implied innovation. MS, as well as any big business, has a lot of potential to stagnate, and diversifying markets is not a bad idea. MS is just one target of stagnation out of many.

  13. A matter of attitude? by tiger99 · · Score: 3, Insightful

    If someone finds a security hole in Mozilla, it gets fixed as quickly as possible, and a patch issued. Some of these such as the shell: exploit were in fact Windoze problems which the Moz developers kindly patched around. That one was a tiny download.

    But the Criminal Monopoly simply don't care either about other people's security, or about their browser, which was only intended to kill Netscape. As that has been more or less accomplished, they are simply not interested any more. What is more, in common with other Monopoly products, the underlying codebase has probably become such a mess that it would be better to throw it away and start again, but the paranoid megalomaniac Bill would have too many tantrums if someone was brave enough to tell him the truth.