The Web's 20 Worst Security Flaws
XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."
Fortunately for now, security through obscurity prevails for Firefox, since most exploits will likely target IE users. However, Firefox's development model is inherently better than IE's with regard to security, since the status of these vulnerabilities is known to all and they are fixed much more quickly. Why Microsoft is still in the browser game with their lame, few-and-far-between updates is beyond me.
...Internet Explorer with 15 flaws and Mozilla with only 7
Err... at this point, does it really matter? It's useful to compare BIND against djbdns (many security flaws vs. none), or Linux against OpenBSD (many security flaws vs. one remote hole in 8 years), but 15 flaws vs. 7 flaws? To me, that just says that both browsers are horribly insecure, and slightly more effort has been put into finding flaws in MSIE.
Tarsnap: Online backups for the truly paranoid
What are the major threats against Mac OS X? Granted, a lot of the underpinnings of Mac OS X are BSD userland cousins, but the default install locks down the OS quite a bit. Is my Safari going to get me "owned" like IE? Should I be paying attention to the threats on Linux userland apps? Or is it all "Don't Worry, Be Happy" for Mac users?
Strange women lying in ponds distributing swords is no basis for a system of government.
That is not entirely true. It is well known that Microsoft abandoned IE after it had won the first browser war. Microsoft has also had an insecure programming mindset because they started as a one-user-minded company instead of a multi-user-minded company. Because they did not care about security at first, now they are paying the price. Unfortunately, the consumer is facing the heat worse than Microsoft.
Firefox does not allow extensions to be installed from any web site other than update.mozilla.org by default. The user must specify in the options that they want to allow extensions from a certain site to be installed, which should keep spyware low for now. Firefox users also have more computer skills than IE users. Firefox holes are filled faster than IE's. All this should keep spyware low on the Mozilla platform.
PS: I believe that a recently passed bill made spyware illegal with the penalty of prison, and I think that I saw on Google News something about the first spyware trial.
It's more like "We haven't come up with anything innovative since Windows 95, but still want to make wads of cash".
That's why they jump on anything that looks like it might be taking off, i.e. their own music store, game console, etc.
They list peer to peer as a Windows vulnerability?! That makes about as much sense as saying me taking a sledgehammer to your computer is a Unix vulnerability.
Changing your password every week is dumb, or at best of little benefit.
Better pick a good password and hang onto it for a while so you can remember it.
I rarely criticize things I don't care about.
...everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.
I don't think security flaws in something as commonly used as a web browser should ever be noted as "only" a certain number. Sure, Mozilla beat IE, but the point still remains that it had 7 too many. I'll have to read this list when I get a chance and see how many of those were really Windows issues and Mozilla just passed the data on.
(And yes I know you'll never have bug free software)
can't sleep slashdot will eat me
Go into the registry to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters
You'll see a string value called "TransportBindName". The default value for that string is "\Devices\". Delete \Devices\ and reboot. Port 445 will close.
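The registry change described above, as an added PowerShell example that is not part of the original comment, wrapped in the checks an administrator would want: record the current value so it can be reverted, confirm whether anything is actually listening on TCP 445 before and after, and clear the value. The function names, the empty-string write (rather than deleting the value) and the Get-NetTCPConnection check are my assumptions, not the poster's; the registry path and value name are the ones the comment gives. Run as Administrator on a Windows 8 / Server 2012 or later host.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1+ run as Administrator.
# CAVEAT: clearing TransportBindName stops SMB "direct hosting" over TCP 445, which
# disables Windows file and printer sharing and any remote administration that rides on SMB.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'   # path from the post
$name = 'TransportBindName'                                           # value name from the post

function Get-TransportBindName {
    # Returns the current REG_SZ value, or $null if it is absent.
    (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}

function Test-Port445Listening {
    # Get-NetTCPConnection exists on Windows 8 / Server 2012 and later.
    # On older builds use:  netstat -ano | findstr ":445 "
    [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
}

# 1. Record the state before touching anything, so the change can be reverted.
$before = Get-TransportBindName
Write-Host "Before: $name = '$before'; TCP 445 listening: $(Test-Port445Listening)"

# 2. Clear the value. The post says to delete the string data; writing an empty
#    string is assumed here to have the same effect and keeps the value name in place.
Set-ItemProperty -Path $key -Name $name -Value ''

# 3. The change only takes effect after a reboot; verify then.
Write-Host "Set $name to ''. Reboot, then re-run Test-Port445Listening (expected: False)."

# To revert after the reboot, restore the recorded value:
#   Set-ItemProperty -Path $key -Name $name -Value $before
```

If Test-Port445Listening still returns True after the reboot, something other than the SMB direct-hosting transport is bound to 445; find it with Get-NetTCPConnection -LocalPort 445 | Select-Object OwningProcess before assuming the registry edit failed.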
To date no security exposures have been identified in IIS 6.0
I know a guy who used to be a computer tech...
Whenever a Windows 98 machine would come in for a wipe-and-reload, it was fairly standard policy that, if the end user didn't have the key with them but it was obvious that they had a copy of Windows on the machine, my friend would use another Windows 98 key - they all work anyway, and there's no activation.
So, after doing the install 40,000 times, he had the key memorized, and used it as his password.
There's nothing like seeing someone type 25 random characters as a password.
~Will
sig?