Slashdot Mirror


The Web's 20 Worst Security Flaws

XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."

8 of 214 comments

  1. Ok I'm sure I'll get slammed for this but... by otlg · · Score: 4, Insightful

    Doesn't everyone that reads /. know that MS IE is a gaping security vulnerability by now? Do we *really* need to keep harping on it like a bunch of smug self-righteous motherfuckers?

  2. In my opinion by Ziak · · Score: 4, Insightful

    I've always said that spyware was caused due to Internet Explorer being so popular.... If Firefox keeps the rate of growth it's doing I don't think it will be that long until we see spy/malware targeting Firefox as well....

    --
    Loading Please Wait....
  3. 7 is not `only' by mukund · · Score: 4, Insightful

    Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.

    Don't think I'm trolling but this is like saying the USA has 27,000 nuclear weapons whereas Russia has only 13,000.

    --
    Banu
    1. Re:7 is not `only' by ricotest · · Score: 4, Insightful

      Also, 'flaw' is stupidly vague. There's a big difference between 'sometimes the Slashdot page isn't rendered correctly' and 'a JPEG image allows remote code execution'. From a quick look at the article, however, it covers 'vulnerabilities' which is more specific: data loss, remote code execution and crashes.

      Still, I agree with the parent - this is an AvP situation. Whoever 'wins' with the least problems, we still lose.

    2. Re:7 is not `only' by fireboy1919 · · Score: 4, Insightful

      RTFA. It's more like saying that USA has 27,000 nuclear weapons and Russia has 13,000, but they've all been disarmed.

      Not only do the Mozilla vulnerabilities not actually allow much of an attack, but they've all been fixed in the latest versions of the browser.

      This is not true on the Windows side, as Secunia recommends disabling or switching browsers to deal with a lot of the bugs.

      --
      Mod me down and I will become more powerful than you can possibly imagine!
  4. That should be... by Anonymous Coward · · Score: 5, Insightful

    Top Vulnerabilities to UNIX Systems
    1. A fool with root access.

  5. You were going for the Funny mod, right? by wasted · · Score: 4, Insightful

    If not ...
    The article separately lists the top 10 Windows and top 10 Unix vulnerabilities. In this case, Top 10 plus Top 10 does not necessarily equal Top 20.

    Sort of like if you considered the Top 10 fastest race cars at a Nascar race and the Top 10 fastest race cars at a soapbox derby race - the resulting list wouldn't be the Top 20 fastest race cars.

  6. Re:not just "the web" by DarkSarin · · Score: 4, Insightful

    Remember this: if the attackers have physical access to the machine, there is almost no security to speak of. You may be able to limit access to one machine at a time (thus preventing intranet assaults), but once an attacker is sitting at the computer in question, there is very little that they cannot do. This is true for both Windows and Linux. Even password theft is possible on Linux, given the right amount of time.

    Certainly some attacks take longer, but in general, if they have your machine, it's too late for security!

    --
    "We don't know what we are doing, but we are doing it very carefully,..." Wherry, R.J. Personnel Psychology (1995)