
The Web's 20 Worst Security Flaws

XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."
  • not just "the web" (Score:5, Informative)

    by UnderAttack ( 311872 ) * on Saturday October 09, 2004 @02:25PM (#10480178) Homepage
    These flaws cover more than just "the web".
    They include things like week passwords and non-web network threats.
    • by Anonymous Coward
      Is slashdotting a vulnerability?
    • I can see plume of smoke from the servers at the Sans Institute! Succumb to the /. effect!
    • by pjt33 ( 739471 ) on Saturday October 09, 2004 @02:31PM (#10480219)
      But surely changing your passwords every week is good? (Well, against external attackers - not so good against internal attackers if you have to write your password on a PostIt and stick it to your monitor).
      • by tomsuchy ( 813628 ) on Saturday October 09, 2004 @02:48PM (#10480334)
        NEVER stick your password post-it on the monitor! It goes under the keyboard.
      • Changing your password every week is dumb, or at best of little benefit.

        Better pick a good password and hang onto it for a while so you can remember it.
        • by pjt33 ( 739471 )
          The mods understood. Well, two of them. I've no idea why I was modded insightful.
          • I often mod funny comments as insightful if there's any way I can justify it to myself. Funny doesn't boost the karma of the poster, so I go for a mod (usually insightful) that does give the karma. Or maybe they just didn't get it.
            • Maybe "Underrated" is a better mod choice then? If you do that, you don't have to worry about paying hell in M2. M2-ers are mostly on crack these days (the mods are fine).

        • I know a guy who used to be a computer tech...

          Whenever a windows 98 machine would come in for a wipe-and-reload, it was fairly standard policy that, if the end user didn't have the key with them, but it was obvious that they had a copy of windows on the machine, my friend would use another windows98 key - they all work anyway, and there's no activation.

          So, after doing the install 40,000 times, he had the key memorized, and used it as his password.

          There's nothing like seeing someone type 25 random charact
      • by DarkSarin ( 651985 ) on Saturday October 09, 2004 @03:10PM (#10480461) Homepage Journal
        Remember this: if the attackers have physical access to the machine, there is almost no security to speak of. You may be able to limit access to one machine at a time (thus preventing intranet assaults), but once an attacker is sitting at the computer in question, there is very little that they cannot do. This is true for both windows and linux. Even password theft is possible on Linux, given the right amount of time.

        Certainly some attacks take longer, but in general, if they have your machine, it's too late for security!
        • Yeah. Give someone access to the physical computer with an extra hard disk, or a jump drive, and there's very little that you can do. The only thing, I imagine, is setting a bios password.

          Now, one of my buddies had a Compaq laptop which had a bios password that he didn't know. He drained the CMOS battery, in hopes of resetting the password. This had the effect of breaking the whole thing. He called Compaq, and they said that he'd have to replace the motherboard.

          Now, if you can implement security like

          • A BIOS password is not an effective security measure.

            I had to bypass one the other day - you just unplug the computer, move the jumper into the 'CLEAR CMOS' position - if you have trouble finding it, it should be near the battery, or at least they are on every computer I've done it on.
            • A BIOS password is effective for security on most laptops. They have no documented procedure to clear the CMOS. HP requires MB replacement on lost BIOS password. The grandparent said Dell required the same. At that point, they would have an easier time buying an identical laptop and pulling the HD out and moving it.

              Most desktops have a jumper you can get to, but most cases have the option to be padlocked shut. Again, if someone has physical access and no restriction on what they can do to it, there i
          • That's not a security feature, that's extreme incompetence on the part of Compaq. Their junky machine couldn't recover from the simplest of hardware failures. What a waste.
        • Well, they only get one chance to guess MY password. If they get it wrong, the thermite charge under the hard drive goes off and that's that.

          Granted, I go through a lot of hard drives.
      • What's better is to disable remote password authentication entirely, if you can.
      • Funny (Score:3, Informative)

        by Pan T. Hose ( 707794 )

        They include things like week passwords and non-web network threats.

        But surely changing your passwords every week is good? (Well, against external attackers - not so good against internal attackers if you have to write your password on a PostIt and stick it to your monitor).

        Great pun, but seriously, this reminds me of one story. There was a web-based service to conveniently change personal pages of people working in the lab (photo, bio, links to projects) where everyone was usually logged in

        • Why do they need to sniff the password if they can sniff the cookie? Surely the cookie wasn't sent over SSL and the password in plaintext.
          • Why do they need to sniff the password if they can sniff the cookie? Surely the cookie wasn't sent over SSL and the password in plaintext.

            It wasn't sent over SSL but of course it wasn't a simple:

            Set-Cookie: LOGGED_USER=name; ...

            but instead included enough information about the client encrypted and signed by the server that simply sending the same data by anyone else wouldn't work.

            As an example please consider this simplified idea: the server verifies the password during the login and has
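The mechanism this reply sketches (a cookie that carries client information, is signed by the server, and therefore cannot simply be replayed by someone who sniffed it) can be shown in a few lines. The code below is an added example, not from the post or from the lab service it describes. It assumes, as a constructed simplification, that the "information about the client" is the client's source address and an expiry, and it only signs the payload with an HMAC rather than also encrypting it; the key and all addresses are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side key for the example; a real deployment would load it
# from a secrets store and rotate it.
SERVER_KEY = b"constructed-example-key-not-for-real-use"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    # HMAC-SHA256 over the exact payload bytes the cookie carries
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_cookie(user: str, client_ip: str, ttl: int = 3600,
                 now: Optional[float] = None) -> str:
    """Server side: after the password check succeeds, bind the session to the
    client address and an expiry, then sign the whole payload."""
    issued = int(now if now is not None else time.time())
    claims = {"user": user, "ip": client_ip, "exp": issued + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(payload) + "." + _b64e(_sign(payload))


def verify_cookie(cookie: str, client_ip: str,
                  now: Optional[float] = None) -> Optional[str]:
    """Server side: return the user name only if the signature matches, the
    cookie is unexpired, and it arrives from the address it was bound to."""
    try:
        payload_b64, mac_b64 = cookie.split(".", 1)
        payload, mac = _b64d(payload_b64), _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison, checked before the payload is parsed at all.
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if claims["exp"] < current or claims["ip"] != client_ip:
        return None
    return claims["user"]


def demo() -> dict:
    """Walk through the cases the thread discusses, with constructed values."""
    cookie = issue_cookie("alice", "10.0.0.5", now=1000)
    # A copy of the cookie with the user name swapped but the old MAC reused.
    _, mac_b64 = cookie.split(".", 1)
    forged_claims = {"user": "bob", "ip": "10.0.0.5", "exp": 4600}
    forged_payload = json.dumps(forged_claims, separators=(",", ":"),
                                sort_keys=True).encode()
    forged = _b64e(forged_payload) + "." + mac_b64
    return {
        "same_client": verify_cookie(cookie, "10.0.0.5", now=1500),
        "replayed_elsewhere": verify_cookie(cookie, "10.0.0.9", now=1500),
        "expired": verify_cookie(cookie, "10.0.0.5", now=5000),
        "tampered": verify_cookie(forged, "10.0.0.5", now=1500),
        "garbage": verify_cookie("not-a-cookie", "10.0.0.5", now=1500),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Binding to the source address is the simplest choice for a small lab network like the one in the story; on a larger network, clients behind a changing NAT or a proxy pool would be logged out whenever their address changed, so a deployment would typically pick a more stable client attribute and still send the cookie only over TLS.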

  • by thre5her ( 223254 ) on Saturday October 09, 2004 @02:28PM (#10480194) Homepage
    Fortunately for now, security through obscurity prevails for Firefox, since most exploits will likely target IE users. However, Firefox's development model is inherently better than IE's with regards to security, since the status of these vulnerabilities is known to all and they are fixed much more quickly. Why Microsoft is still in the browser game with their lame, few-and-far-between updates is beyond me.
  • Only 7? (Score:5, Interesting)

    by cperciva ( 102828 ) on Saturday October 09, 2004 @02:29PM (#10480205) Homepage
    ...Internet Explorer with 15 flaws and Mozilla with only 7

    Err... at this point, does it really matter? It's useful to compare BIND against djbdns (many security flaws vs. none), or Linux against OpenBSD (many security flaws vs. one remote hole in 8 years), but 15 flaws vs. 7 flaws? To me, that just says that both browsers are horribly insecure, and slightly more effort has been put into finding flaws in MSIE.
    • Re:Only 7? (Score:3, Informative)

      by Anonymous Coward
      OpenBSD's claim is for holes in a default install. Virtually no services are running in a default install.

      Add open ssh, your ftp daemon of choice, apache etc and the number of holes looks about the same as Linux. Both OSs do, after all, run mostly the same software.

      Comparing MSIE vs Mozilla is useful, as both do the same job and are exposed to the internet in the same way.
      • Re:Only 7? (Score:5, Informative)

        by ArbitraryConstant ( 763964 ) on Saturday October 09, 2004 @03:53PM (#10480795) Homepage
        OpenSSH is on by default in OpenBSD. The one hole in 8 years was in OpenSSH. OpenSSH is the only service visible to the outside that's on by default.

        The forked Apache in OpenBSD is much more secure than any you'd find elsewhere. On top of all the patches rejected by the Apache people for various reasons and thus not distributed to anyone else, it benefits from W^X protection (on i386, which no one else has) and ProPolice (it's not that widely used, some of the userspace stuff in Linux seems to use it but the kernel doesn't). This has turned a bunch of arbitrary code exploits into DOSs, which merely crash the server process.

        The ftpd in the base install as well as everything else benefits from W^X and ProPolice. W^X is handled by the system, and ProPolice is used by default on anything you compile. Therefore, unless you work pretty hard to avoid it, anything that's run on OpenBSD benefits from the added protection. As a result, it's more secure because exploits aren't always exploitable on the platform.

        DOS issues are still patched, but the difference is that they're not exploitable before the patch is issued.
    • Re:Only 7? (Score:5, Informative)

      by endofoctober ( 660252 ) <<moc.deryasderfi> <ta> <eloc.kj>> on Saturday October 09, 2004 @03:01PM (#10480407) Homepage
      The numbers may not matter, but the response to the threats from both organizations matters very much. Of the 7 flaws in Mozilla, all have been fixed as of Moz1.7/FF.9 whereas of IE's 15 vulnerabilities, only 6 have vendor patches.
      • by tiger99 ( 725715 ) on Saturday October 09, 2004 @05:15PM (#10481329)
        If someone finds a security hole in Mozilla, it gets fixed as quickly as possible, and a patch issued. Some of these such as the shell: exploit were in fact Windoze problems which the Moz developers kindly patched around. That one was a tiny download.

        But the Criminal Monopoly simply don't care either about other people's security, or about their browser, which was only intended to kill Netscape. As that has been more or less accomplished, they are simply not interested any more. What is more, in common with other Monopoly products, the underlying codebase has probably become such a mess that it would be better to throw it away and start again, but the paranoid megalomaniac Bill would have too many tantrums if someone was brave enough to tell him the truth.

    • ...that Mozilla isn't half bad! :)
    • Re:Only 7? (Score:3, Informative)

      by jesser ( 77961 )
      I wouldn't take SANS's list of browser security holes [sans.org] too seriously. It lists the most publicized holes in Mozilla rather than the most serious holes. (To get a list of the most serious holes, look at the "critical severity, high risk" holes (marked in red) on mozilla.org's list [mozilla.org].) SANS's list includes Mozilla XPInstall Dialog Box Security Issue [secunia.com], which was fixed a few months ago, but fails to mention that a fully-updated version of IE in SP2 is still vulnerable. Under the list, SANS claims that Firefox does
  • by ttldkns ( 737309 ) on Saturday October 09, 2004 @02:29PM (#10480208) Homepage
    ...seems to feel that posting a link to it on slashdot is a vulnerability.
  • by rebeka thomas ( 673264 ) on Saturday October 09, 2004 @02:31PM (#10480215)
    Windows with 95% has 10 of the top 20 vulnerabilities
    Unix with 5% also has 10 of the top 20 vulnerabilities.

    I think the stats speak for themselves in which is more secure. If Win boxes can take such a phenomenal market share and still only have the same number of 'top' vulnerabilities, that's putting it 19 times more secure.
    • I think your interpretation is not quite correct. This was simply a pair of top 10 lists jammed together. It has nothing to do with instance or severity outside of their respective platforms.
    • Erm no. (Score:2, Insightful)

      Windows with 95% has 10 of the top 20 vulnerabilities Unix with 5% also has 10 of the top 20 vulnerabilities.

      I think the stats speak for themselves in which is more secure. If Win boxes can take such a phenomenal market share and still only have the same number of 'top' vulnerabilities, that's putting it 19 times more secure. From the summary:

      "The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabi

    • Um...bad math. It's the top ten vulnerabilities for each. Not just that both of them have just ten major vulnerabilities.
    • by wasted ( 94866 ) on Saturday October 09, 2004 @02:39PM (#10480282)
      If not ...
      The article separately lists the top 10 Windows and top 10 Unix vulnerabilities. In this case, Top 10 plus Top 10 does not necessarily equal Top 20.

      Sort of like if you considered the Top 10 fastest race cars at a Nascar race and the Top 10 fastest race cars at a soapbox derby race - the resulting list wouldn't be the Top 20 fastest race cars.
    • Wow! You have a future in presidential debating!

  • by otlg ( 803177 ) on Saturday October 09, 2004 @02:31PM (#10480217)
    Doesn't everyone that reads /. know that MS IE is a gaping security vulnerability by now? Do we *really* need to keep harping on it like a bunch of smug self-righteous motherfuckers?
    • by Anonymous Coward on Saturday October 09, 2004 @02:40PM (#10480286)
      Do we *really* need to keep harping on it like a bunch of smug self-righteous motherfuckers?

      Yes, because it makes our penises feel bigger.
    • Yes, actually, we do. Harping on their security "oversights" isn't picking on the little guy when he's down... As long as Microsoft holds a virtual monopoly their sloppiness and failures affect all of us.
      • You've totally missed the point I was trying to make. There is nothing wrong with chastising manufacturers over security flaws. I have *no* problem with that. However, the tone of the article was 'IE has 15, mozilla only has 7, microsoft sucks, open source rules'. The reality of the situation is as follows: Microsoft has security holes, and we all know it. Mozilla/Firefox/etc. with their open source, open book approach has bugs as well. I guess what I'm saying is, I'm disappointed by the attitude that
    • IE is still the most "popular" browser, so yes, we do have to. Until other browsers have greater or equal market share, there's a need to inform all those who still use IE (and yes, this includes some people on Slashdot).
  • In my oppion (Score:4, Insightful)

    by Ziak ( 807893 ) * on Saturday October 09, 2004 @02:33PM (#10480225)
    I've always said that spyware was caused due to Internet Explorer being so popular.... If firefox keeps the rate of growth it's doing I don't think it will be that long until we see spy/malware targeting Firefox as well....
    • Re:In my oppion (Score:5, Informative)

      by ttldkns ( 737309 ) on Saturday October 09, 2004 @02:43PM (#10480295) Homepage
      Crack sites and (my friend told me this) some pron sites used to have XPI install spyware (but you had to click ok to install it).

      This was fixed by the mozilla dev team's implementation of an XPI installer website whitelist consisting of (by default) just mozdev.org. The user can add other sites though, should they want to.
    • Re:In my oppion (Score:5, Interesting)

      by Space_Soldier ( 628825 ) <not4_u@hotmail.com> on Saturday October 09, 2004 @02:45PM (#10480313)
      That is not entirely true. It is well known that Microsoft abandoned IE after it had won the first browser war. Microsoft have also had an insecure programming mindset because they started as a one-user-minded company instead of a multi-user-minded company. Because they did not care about security at first, now they are paying the price. Unfortunately, the consumer is facing the heat worse than Microsoft.

      Firefox does not allow extensions to be installed from another web site besides update.mozilla.org by default. The user must specify in the options that it wants to allow extensions from a certain site to be installed, which should keep spyware low for now. Firefox users also have more computer skills than IE users. Firefox holes are filled faster than IE. All this should keep spyware low on the Mozilla platform.

      PS: I believe that a recently passed bill made spyware illegal with the penalty of prison, and I think that I saw on Google news something about the first spyware trial.
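Both ttldkns's and Space_Soldier's replies describe the same defence: extension installs are refused unless the site offering the XPI is on a short allowlist (the two posts name different default sites), and the user can opt further sites in. The code below is an added illustration of that check, not Mozilla's code and not from either post. It uses a constructed single-site default and shows the part that is easy to get wrong: the decision must be made on the parsed host of the download URL, compared exactly, so that look-alike hosts, userinfo tricks and path tricks do not pass.

```python
from urllib.parse import urlsplit

# Constructed default allowlist, standing in for the single default site
# the posts describe.
DEFAULT_ALLOWLIST = ("update.mozilla.org",)


class XpiInstallPolicy:
    """Hypothetical origin allowlist for extension installs (example code)."""

    def __init__(self, allowlist=DEFAULT_ALLOWLIST):
        self._hosts = {self._normalize(h) for h in allowlist}

    @staticmethod
    def _normalize(host: str) -> str:
        # Host names are case-insensitive; a trailing root dot is equivalent.
        return host.strip().lower().rstrip(".")

    def allow_site(self, host: str) -> None:
        """The user opts one more site in, as the posts say Firefox permits."""
        self._hosts.add(self._normalize(host))

    def is_install_allowed(self, xpi_url: str) -> bool:
        """True only if the XPI is served over http(s) from an allowlisted host."""
        try:
            parts = urlsplit(xpi_url)
        except ValueError:  # e.g. a malformed IPv6 literal
            return False
        if parts.scheme not in ("http", "https"):
            return False
        # .hostname strips any user@ prefix and :port and lowercases the result,
        # so "allowed.example@evil.example" resolves to the real host.
        host = parts.hostname
        if not host:
            return False
        # Exact match on the whole host; never a substring or suffix test,
        # which is what lets "update.mozilla.org.evil.example" through.
        return self._normalize(host) in self._hosts


if __name__ == "__main__":
    policy = XpiInstallPolicy()
    for url in ("https://update.mozilla.org/ext.xpi",
                "http://update.mozilla.org.example.net/ext.xpi",
                "http://update.mozilla.org@example.net/ext.xpi"):
        print(url, "->", policy.is_install_allowed(url))
```

The same shape applies to any "which origins may deliver executable content" decision: normalise once, compare the parsed host exactly, and keep the user-added entries in the same set so they get the same checks as the defaults.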
  • 7 is not `only' (Score:5, Insightful)

    by mukund ( 163654 ) on Saturday October 09, 2004 @02:35PM (#10480239) Homepage

    Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.

    Don't think I'm trolling but this is like saying the USA has 27,000 nuclear weapons whereas Russia has only 13,000.

    • That was my initial thought, too.

      Then I thought, why the hell am I trying to see meaning in statistics quoted on the Slashdot front page? It would be more meaningful to flip a coin to decide which is more secure.

      You'd have to actually RTFA and think about it for a while before coming to any kind of sensible conclusion. That said, past experience has me biased in favour of mozilla...

    • Re:7 is not `only' (Score:5, Insightful)

      by ricotest ( 807136 ) on Saturday October 09, 2004 @02:52PM (#10480354)
      Also, 'flaw' is stupidly vague. There's a big difference between 'sometimes the Slashdot page isn't rendered correctly' and 'a JPEG image allows remote code execution'. From a quick look at the article, however, it covers 'vulnerabilities' which is more specific: data loss, remote code execution and crashes.

      Still, I agree with the parent - this is an AvP situation. Whoever 'wins' with the least problems, we still lose.
    • Re:7 is not `only' (Score:5, Insightful)

      by fireboy1919 ( 257783 ) <rustypNO@SPAMfreeshell.org> on Saturday October 09, 2004 @03:13PM (#10480480) Homepage Journal
      RTFA. It's more like saying that USA has 27,000 nuclear weapons and Russia has 13,000, but they've all been disarmed.

      Not only do the Mozilla vulnerabilities not actually allow much of an attack, but they've all been fixed in the latest versions of the browser.

      This is not true on the Windows side, as Secunia recommends disabling or switching browsers to deal with a lot of the bugs.
      • Re:7 is not `only' (Score:3, Insightful)

        by mdfst13 ( 664665 )
        Not just that, but there is also overlap. I.e. most of the Mozilla vulnerabilities also apply against IE. If the basic issue were solved (for example, the JPEG flaw in MS Windows), then Mozilla wouldn't have to add code to catch OS and protocol level flaws.

        The shell: vulnerability is a perfect example of this. Mozilla didn't fix anything. They simply decided that the shell: protocol was so incredibly insecure that they would disable it entirely. IE is still vulnerable, as the protocol still sucks. No
  • That should be... (Score:5, Insightful)

    by Anonymous Coward on Saturday October 09, 2004 @02:36PM (#10480252)
    Top Vulnerabilities to UNIX Systems
    1. A fool with root access.
  • by toupsie ( 88295 ) on Saturday October 09, 2004 @02:38PM (#10480265) Homepage
    What are the major threats against Mac OS X? Granted a lot of the underpinnings of Mac OS X are BSD userland cousins, but the default install locks down the OS quite a bit. Is my Safari going to let me "owned" like IE? Should I be paying attention to the threats on Linux userland apps? Or is it all "Don't Worry, Be Happy" for Mac users?
    • by Anonymous Coward
      Given a normal install, it would take a combined Safari exploit + root exploit to 'own' your box. You should only worry about the Linux apps you're running on your machine, ie fink. A compromise of one of those would still need a root exploit, though.

      Generally, with automatic update turned on, and the occasional glance at the Apple section on /., you should be fine.

  • Oh yea I feel so much safer after reading about all these security flaws :(
  • by Anonymous Coward
    I thought it was well known that MS copied the ASN.1 parser from OpenSSL and was vulnerable to the same flaws.
  • 1) Does Windows XP count as 1 flaw or 10?

    2) I suppose it can't be more than 5 'cause it has to make room for Windows 2003

    3) Where's Didio of yankem grope to tell us all that those *nix flaws are really SCO Unix flaws that they've copied over?

    4) FLAWS? I'm all for FLOSS -- ask Perens!

    5) ESR waves hand -- "These are not the ports you're looking for."

    6) Security Flaws? Ha! Here in Redmond, we call it Innovation(TM) Why do you think we call it Trashwor...um, Trustworthy Computing?
  • Number 1 in flaws that is.
  • P2P??? (Score:3, Interesting)

    by Reason58 ( 775044 ) on Saturday October 09, 2004 @02:59PM (#10480393)
    They list peer to peer as a Windows vulnerability?! That makes about as much sense as saying me taking a sledgehammer to your computer is a Unix vulnerability.
    • "That makes about as much sense as saying me taking a sledgehammer to your computer is a Unix vulnerability."

      Only if people with sledgehammers are as common as P2P use in MS Windows. This isn't a listing of default install vulnerabilities. This is a list of the most likely reasons for a system to get cracked. Apparently an idiot installing P2P software is the 7th most common reason for a MS Windows box to get cracked. I doubt that DOS via sledgehammer appears very high among crack causes.
      • Yeah but P2P is such a generic term. P2P isn't an inherent vulnerability.
        • Neither is a browser. P2P allows for three classes of exploits, all of which they describe.

          The main reason that businesses should keep P2P software off their machines is that it makes them vulnerable to lawsuits by copyright holders (the legal exploit). *All* P2P programs are vulnerable to that and the spoofed content (social) exploit. The technical exploits (which are program specific) are much less serious in comparison.

          This is not a technical article. They aren't giving prizes to the best exploits.
    • Re:P2P??? (Score:2, Informative)

      by jesser ( 77961 )
      It makes as much sense as listing "Web browsers" as a Windows vulnerability. If you read the sections on Web browsers and P2P apps, you'll see that they're talking about specific vulnerabilities in Web browsers and P2P apps, not Web browsers and P2P apps themselves.
    • "taking a sledgehammer to your computer is a Unix vulnerability."

      Yep, Unix is vulnerable. It's all a matter of degree of what it takes to smash it. Vulnerability is not a yes-no thingee. It's all a matter of degree.
  • Only? (Score:5, Interesting)

    by powerlinekid ( 442532 ) on Saturday October 09, 2004 @03:14PM (#10480495)
    ...everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7.

    I don't think security flaws in something as commonly used as a web browser should ever be noted as "only" a certain number. Sure Mozilla beat IE, but the point still remains that it had 7 too many. I'll have to read this list when I get a chance and see how many of those were really windows issues and mozilla just passed the data on.

    (And yes I know you'll never have bug free software)
  • by Anonymous Coward on Saturday October 09, 2004 @03:14PM (#10480496)
    The entire 56 page report is available in pdf. Let's be sure to slashdot both their servers:
    http://files.sans.org/top20.pdf [sans.org] (351KB)
  • by Nom du Keyboard ( 633989 ) on Saturday October 09, 2004 @04:30PM (#10481041)
    So when I run a Windows emulator under Linux, do I get all 20 of them?
  • by Gary Destruction ( 683101 ) * on Saturday October 09, 2004 @05:10PM (#10481290) Journal
    Go into the registry to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters. You'll see a string value called "TransportBindName". The default value for that string is "\Devices\". Delete \Devices\ and reboot. Port 445 will close.
  • To date no security exposures have been identified in IIS 6.0

  • ONLY 7?
  • I think it's pretty telling that the #3 issue on *nix is about how to make good passwords. That's a completely meat-space issue, not code. In fact, a solid half of the *nix list is just good administration practices.
    1. Micro$oft internet explorer
    2. Micro$oft lookout!
    3. Micro$oft lookout express
    4. Micro$oft windows
    5. Micro$oft internet explorer
    6. Micro$oft windows
    7. Micro$oft internet explorer
    8. Micro$oft lookout!
