Slashdot Mirror


The Web's 20 Worst Security Flaws

XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."

27 of 214 comments

  1. not just "the web" by UnderAttack · · Score: 4, Informative

    These flaws cover more than just "the web".
    They include things like week passwords and non-web network threats.

    --
    ---- join dshield.org Distributed Intrusion Detec
    1. Re:not just "the web" by pjt33 · · Score: 4, Funny

      But surely changing your passwords every week is good? (Well, against external attackers - not so good against internal attackers if you have to write your password on a PostIt and stick it to your monitor).

    2. Re:not just "the web" by tomsuchy · · Score: 5, Funny

      NEVER stick your password post-it on the monitor! It goes under the keyboard.

      --
      this isn't a sig. i type this (including the two dashes), every time i post, just to make it look like a sig.
    3. Re:not just "the web" by flossie · · Score: 4, Funny
      NEVER stick your password post-it on the monitor! It goes under the keyboard.

      That's precisely why you should stick it to the monitor - nobody will find it because they will be busy looking under the keyboard! Cunning, eh?

    4. Re:not just "the web" by DarkSarin · · Score: 4, Insightful

      Remember this: if the attackers have physical access to the machine, there is almost no security to speak of. You may be able to limit access to one machine at a time (thus preventing intranet assaults), but once an attacker is sitting at the computer in question, there is very little that they cannot do. This is true for both Windows and Linux. Even password theft is possible on Linux, given the right amount of time.

      Certainly some attacks take longer, but in general, if they have your machine, it's too late for security!

      --
      "We don't know what we are doing, but we are doing it very carefully,..." Wherry, R.J. Personnel Psychology (1995)
  2. Firefox vulnerabilities IE vulnerabilities by thre5her · · Score: 4, Interesting

    Fortunately for now, security through obscurity prevails for Firefox, since most exploits will likely target IE users. However, Firefox's development model is inherently better than IE's with regards to security, since the status of these vulnerabilities is known to all and they are fixed much more quickly. Why Microsoft is still in the browser game with their lame, few-and-far-between updates is beyond me.

  3. Only 7? by cperciva · · Score: 4, Interesting

    ...Internet Explorer with 15 flaws and Mozilla with only 7

    Err... at this point, does it really matter? It's useful to compare BIND against djbdns (many security flaws vs. none), or Linux against OpenBSD (many security flaws vs. one remote hole in 8 years), but 15 flaws vs. 7 flaws? To me, that just says that both browsers are horribly insecure, and slightly more effort has been put into finding flaws in MSIE.

    1. Re:Only 7? by Anonymous Coward · · Score: 3, Informative

      OpenBSD's claim is for holes in a default install. Virtually no services are running in a default install.

      Add OpenSSH, your ftp daemon of choice, Apache etc. and the number of holes looks about the same as Linux. Both OSs do, after all, run mostly the same software.

      Comparing MSIE vs Mozilla is useful, as both do the same job and are exposed to the internet in the same way.

    2. Re:Only 7? by endofoctober · · Score: 4, Informative

      The numbers may not matter, but the response to the threats from both organizations matters very much. Of the 7 flaws in Mozilla, all have been fixed as of Moz 1.7/FF 0.9, whereas of IE's 15 vulnerabilities, only 6 have vendor patches.

      --
      - Jack
    3. Re:Only 7? by ArbitraryConstant · · Score: 4, Informative

      OpenSSH is on by default in OpenBSD. The one hole in 8 years was in OpenSSH. OpenSSH is the only service visible to the outside that's on by default.

      The forked Apache in OpenBSD is much more secure than any you'd find elsewhere. On top of all the patches rejected by the Apache people for various reasons and thus not distributed to anyone else, it benefits from W^X protection (on i386, which no one else has) and ProPolice (it's not that widely used; some of the userspace stuff in Linux seems to use it but the kernel doesn't). This has turned a bunch of arbitrary code exploits into DoSes, which merely crash the server process.

      The ftpd in the base install as well as everything else benefits from W^X and ProPolice. W^X is handled by the system, and ProPolice is used by default on anything you compile. Therefore, unless you work pretty hard to avoid it, anything that's run on OpenBSD benefits from the added protection. As a result, it's more secure because exploits aren't always exploitable on the platform.

      DoS issues are still patched, but the difference is that they're not exploitable before the patch is issued.

      --
      I rarely criticize things I don't care about.
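The comment above describes the effect of ProPolice (stack-smashing protection): a return-address overwrite that would have been an arbitrary-code exploit becomes a detected overflow and a crash. The following C program is an added example, not code from the thread or from OpenBSD/ProPolice. It emulates a protected function's stack frame in a plain byte array ([buffer][canary][saved return address]) so that it runs deterministically on any compiler and OS, then feeds it a constructed overflow payload with and without the epilogue check. The frame offsets, the "legitimate" return address 0x401000, the attacker target 0xdeadbeef and the canary values are all assumed values chosen for the illustration; real SSP implementations derive the canary from a random per-process value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Emulated stack frame for a function with a 16-byte local buffer.
 * Layout, low offset first, mirrors what a ProPolice/SSP-compiled
 * function lays out: [buf][canary][saved return address].
 * This is a simulation inside a byte array, not the real machine stack.
 */
#define BUF_LEN     16
#define OFF_CANARY  (BUF_LEN)
#define OFF_RET     (OFF_CANARY + 8)
#define FRAME_LEN   (OFF_RET + 8)

#define LEGIT_RET   0x401000ULL   /* assumed address the caller expects control to return to */

/* Outcome of the emulated function epilogue. */
enum frame_result {
    FRAME_RETURNED = 0,       /* epilogue ran; control would go to *ret_used */
    FRAME_CANARY_TRIPPED = 1  /* protected epilogue detected the overwrite: abort, i.e. a DoS */
};

/*
 * Copy attacker-controlled 'input' into the frame's buffer with no bounds
 * check (the classic strcpy/memcpy bug), then run the epilogue.
 * protect != 0 emulates a ProPolice-compiled function: the canary slot is
 * verified before the saved return address is used.
 * ret_used receives the return address the epilogue would jump to.
 */
enum frame_result run_frame(const unsigned char *input, size_t len,
                            int protect, uint64_t canary, uint64_t *ret_used)
{
    unsigned char frame[FRAME_LEN];
    uint64_t legit = LEGIT_RET, seen, ret;

    memcpy(frame + OFF_CANARY, &canary, sizeof canary);
    memcpy(frame + OFF_RET, &legit, sizeof legit);

    /* Vulnerable copy: the length comes from the attacker, not from BUF_LEN.
       It is clamped to FRAME_LEN only so the emulation itself stays in bounds. */
    memcpy(frame, input, len > FRAME_LEN ? FRAME_LEN : len);

    memcpy(&seen, frame + OFF_CANARY, sizeof seen);
    memcpy(&ret, frame + OFF_RET, sizeof ret);
    *ret_used = ret;

    if (protect && seen != canary)
        return FRAME_CANARY_TRIPPED;   /* what __stack_chk_fail() does: abort, never jump */
    return FRAME_RETURNED;
}

/* Build the classic overflow payload: fill the buffer and the canary slot
   with filler bytes, then overwrite the saved return address with 'target'.
   Returns the payload length. */
size_t build_overflow(unsigned char *out, uint64_t target)
{
    memset(out, 'A', OFF_RET);                    /* buf + canary slot */
    memcpy(out + OFF_RET, &target, sizeof target); /* saved return address */
    return FRAME_LEN;
}

int main(void)
{
    unsigned char payload[FRAME_LEN];
    uint64_t ret, canary = 0x1234abcdULL;   /* constructed value; real SSP uses a random one */
    size_t n = build_overflow(payload, 0xdeadbeefULL);
    enum frame_result r;

    r = run_frame(payload, n, 0, canary, &ret);
    printf("unprotected: result=%d ret=0x%llx\n", (int)r, (unsigned long long)ret);

    r = run_frame(payload, n, 1, canary, &ret);
    printf("protected:   result=%d ret=0x%llx\n", (int)r, (unsigned long long)ret);

    /* If the attacker can guess the canary (here: the 'A' filler) the check passes. */
    r = run_frame(payload, n, 1, 0x4141414141414141ULL, &ret);
    printf("guessed canary: result=%d ret=0x%llx\n", (int)r, (unsigned long long)ret);
    return 0;
}
```

The unprotected run "returns" to 0xdeadbeef, the attacker's address; the protected run sees the canary slot overwritten and aborts, which is the exploit-to-crash downgrade the comment describes. The last case is the caveat a practitioner should keep in mind: the canary only helps while its value is unpredictable, so a fixed or leaked canary restores the original exploit. W^X is a separate layer that the emulation does not model; it would additionally fault an attempt to execute the payload bytes themselves.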
  4. Their web server... by ttldkns · · Score: 4, Funny

    ...seems to feel that posting a link to it on slashdot is a vulnerability.

    --
    How many computers are too many?
  5. Hrm. statistics speak for themselves. by rebeka+thomas · · Score: 3, Funny

    Windows with 95% has 10 of the top 20 vulnerabilities
    Unix with 5% also has 10 of the top 20 vulnerabilities.

    I think the stats speak for themselves in which is more secure. If Win boxes can take such a phenomenal market share and still only have the same number of 'top' vulnerabilities, that's putting it 19 times more secure.

    --
    RST
  6. Ok I'm sure I'll get slammed for this but... by otlg · · Score: 4, Insightful

    Doesn't everyone that reads /. know that MS IE is a gaping security vulnerability by now. Do we *really* need to keep harping on it like a bunch of smug self-righteous motherfuckers?

    1. Re:Ok I'm sure I'll get slammed for this but... by Anonymous Coward · · Score: 5, Funny

      Do we *really* need to keep harping on it like a bunch of smug self-righteous motherfuckers?

      Yes, because it makes our penises feel bigger.

  7. In my opinion by Ziak · · Score: 4, Insightful

    I've always said that spyware was caused due to Internet Explorer being so popular.... If Firefox keeps the rate of growth it's doing, I don't think it will be that long until we see spy/malware targeting Firefox as well....

    --
    Loading Please Wait....
    1. Re:In my opinion by ttldkns · · Score: 4, Informative

      Crack sites and (my friend told me this) some pron sites used to have XPI install spyware (but you had to click ok to install it).

      This was fixed by the mozilla dev team's implementation of a XPI installer website whitelist consisting of (by default) just mozdev.org. The user can add other sites though, should they want to.

      --
      How many computers are too many?
    2. Re:In my opinion by Space_Soldier · · Score: 5, Interesting

      That is not entirely true. It is well known that Microsoft abandoned IE after it had won the first browser war. Microsoft have also had an insecure programming mindset because they started as a one-user-minded company instead of a multi-user-minded company. Because they did not care about security at first, now they are paying the price. Unfortunately, the consumer is facing the heat worse than Microsoft.

      Firefox does not allow extensions to be installed from another web site besides update.mozilla.org by default. The user must specify in the options that they want to allow extensions from a certain site to be installed, which should keep spyware low for now. Firefox users also have more computer skills than IE users. Firefox holes are filled faster than IE. All this should keep spyware low on the Mozilla platform.

      PS: I believe that a recently passed bill made spyware illegal with the penalty of prison, and I think that I saw on Google news something about the first spyware trial.

  8. 7 is not `only' by mukund · · Score: 4, Insightful

    Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.

    Don't think I'm trolling but this is like saying the USA has 27,000 nuclear weapons whereas Russia has only 13,000.

    --
    Banu
    1. Re:7 is not `only' by ricotest · · Score: 4, Insightful

      Also, 'flaw' is stupidly vague. There's a big difference between 'sometimes the Slashdot page isn't rendered correctly' and 'a JPEG image allows remote code execution'. From a quick look at the article, however, it covers 'vulnerabilities' which is more specific: data loss, remote code execution and crashes.

      Still, I agree with the parent - this is an AvP situation. Whoever 'wins' with the least problems, we still lose.

    2. Re:7 is not `only' by fireboy1919 · · Score: 4, Insightful

      RTFA. It's more like saying that USA has 27,000 nuclear weapons and Russia has 13,000, but they've all been disarmed.

      Not only do the Mozilla vulnerabilities not actually allow much of an attack, but they've all been fixed in the latest versions of the browser.

      This is not true on the Windows side, as Secunia recommends disabling or switching browsers to deal with a lot of the bugs.

      --
      Mod me down and I will become more powerful than you can possibly imagine!
  9. That should be... by Anonymous Coward · · Score: 5, Insightful

    Top Vulnerabilities to UNIX Systems
    1. A fool with root access.

  10. You were going for the Funny mod, right? by wasted · · Score: 4, Insightful

    If not ...
    The article separately lists the top 10 Windows and top 10 Unix vulnerabilities. In this case, Top 10 plus Top 10 does not necessarily equal Top 20.

    Sort of like if you considered the Top 10 fastest race cars at a Nascar race and the Top 10 fastest race cars at a soapbox derby race - the resulting list wouldn't be the Top 20 fastest race cars.

  11. P2P??? by Reason58 · · Score: 3, Interesting

    They list peer to peer as a Windows vulnerability?! That makes about as much sense as saying me taking a sledgehammer to your computer is a Unix vulnerability.

  12. Only? by powerlinekid · · Score: 4, Interesting

    ...everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.

    I don't think security flaws in something as commonly used as a web browser should ever be noted as "only" a certain number. Sure Mozilla beat IE, but the point still remains that it had 7 too many. I'll have to read this list when I get a chance and see how many of those were really windows issues and mozilla just passed the data on.

    (And yes I know you'll never have bug free software)

    --
    can't sleep slashdot will eat me
  13. The Entire 56 page report. by Anonymous Coward · · Score: 3, Informative

    The entire 56 page report is available in pdf. Let's be sure to slashdot both their servers:
    http://files.sans.org/top20.pdf (351KB)

  14. Re:Firefox vulnerabilities IE vulnerabilities by jejones · · Score: 3, Insightful

    Several reasons:

    1. They wove IE into the OS for political reasons, and it's probably impractical to extract it.

    2. XUL is threatening what Netscape once threatened, namely getting rid of the applications barrier to entry that preserves the OS monopoly.

    3. MS can't be perceived as ever having lost. The image of the invincible monolith must be preserved.

  15. A matter of attitude? by tiger99 · · Score: 3, Insightful
    If someone finds a security hole in Mozilla, it gets fixed as quickly as possible, and a patch issued. Some of these such as the shell: exploit were in fact Windoze problems which the Moz developers kindly patched around. That one was a tiny download.

    But the Criminal Monopoly simply don't care either about other people's security, or about their browser, which was only intended to kill Netscape. As that has been more or less accomplished, they are simply not interested any more. What is more, in common with other Monopoly products, the underlying codebase has probably become such a mess that it would be better to throw it away and start again, but the paranoid megalomaniac Bill would have too many tantrums if someone was brave enough to tell him the truth.