New SANS/FBI Top 20 List

An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of The Twenty Most Critical Internet Security Vulnerabilities. As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists. For last years version, see here. In addition to this list, and a lot of other stuff, the SANS institute is behind DShield and the Internet Storm Center."
  • With all the worms this year this must have been quite a job to sift through.

    I do however agree with them about the BIND vuln being at the top of the list for unix systems. That was a big issue having to update all our nameservers..

  • by dnotj ( 633262 ) on Wednesday October 08, 2003 @04:17PM (#7166170) Homepage
    If the windows and UNIX ones where mixed?

    Would billy and his band of thugs be the leader of the pack?

    What about the second 10 for m$? where would they be with the UNIX top 10? top 20?

    • They kept them separate specifically to avoid that debate. Even if your system is more secure than the other, it still is important to know what the top vulnerabilities in your system are, so you know where to concentrate your efforts locking things down.
    • Naturally, because of the larger deployed base of Windows machines I would expect any vulnerability for Windows to be magnified in its importance just because of how many machines it affects, independent of whether Windows has more flaws, worse flaws, poor design, etc.

      OS flavor is only weakly correlated as a function of importance as a security vulnerability. Vulnerabilities that affect root name servers and routers could be just as important in terms of impact as several thousands of home Windows PC's ho

    • Well, considering DNS is used almost EVERYWHERE, and any vanilla install of Linux has DNS, SendMail, Apache, etc, it's hard to say. IIS is on the list for MS, but a vanilla install of WinXP doesn't have IIS. And while IE is also on the list, MS's Auto-update will (I think by default after the first prompt) go out to MS and download the latest updates.

      So it's hard to say.

  • Does this mean (Score:4, Insightful)

    by satsuke ( 263225 ) on Wednesday October 08, 2003 @04:18PM (#7166179)
    Clicked link to site .. loading very slowly.

    Does this mean the security information clearinghouse can be DDOS'd ?

    By slashdot obviously .. don't know about other more intentional attacks
  • oh no! (Score:2, Funny)

    by Anonymous Coward
    Looks like the site is slashdotted...
    oh wait...it's my 33.6 modem :)
  • by caluml ( 551744 ) <slashdotNO@SPAMspamgoeshere.calum.org> on Wednesday October 08, 2003 @04:23PM (#7166222) Homepage
    The 3rd highest vulnerability to Unix is Apache?
    That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

    Or am I reading a list from 5 years ago?

    • by Xerithane ( 13482 ) <xerithane.nerdfarm@org> on Wednesday October 08, 2003 @04:26PM (#7166267) Homepage Journal
      The 3rd highest vulnerability to Unix is Apache?

      Yes, but not because of Apache. It's because of people who don't properly handle data coming in from the user, etc. It's a tool that is used most dangerously, most often.

      That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

      I know there was one in Bind8 last year. I'm not sure of any more recent with 8 or 9, though.
      • Yes, but not because of Apache. It's because of people who don't properly handle data coming in from the user, etc. It's a tool that is used most dangerously, most often.

        Well, that could apply to anything. I could bind /bin/sh to a port running as root via inetd, and that would be a big problem.

        I know there was one in Bind8 last year. I'm not sure of any more recent with 8 or 9, though.

        But who the hell uses 8 any more? :) (Cue lots of people praising djbdns...)

        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Wednesday October 08, 2003 @04:46PM (#7166476)
          Comment removed based on user account deletion
          • What amazes more is the people running old browsers. Who the heck still uses Netscape 4? I mean, by today's standards it sucks. Even for old hardware, it still sucks. There are much better choices - Netscape 4 is just bloat, and it's slow. IE 3.0? C'mon people!

            Anyhow, my choice for web browsers on ancient machines is Opera 5, which has a nice balance between speed, features, and ability to view fancy webpages that you shouldn't be loading on a 486 anyway.
          • Some people are just too lazy to update anything on their machines. I propose that the number one security problem on both lists be changed to "Lazy Users/Sysadmins who never update their systems."

            You're comparing apples and oranges. There are plenty of folks who are still surfing the Net on "antiquated" equipment (slow machines, tiny monitors, 4.x browsers), and it's not because they're lazy. Grandparents who check email and maybe read a few websites don't need anything more than a Windows 9x machine.

        • Well, that could apply to anything. I could bind /bin/sh to a port running as root via inetd, and that would be a big problem.

          But you have to look at Apache allowing access, through ExecCGI outside of a chroot, etc. If a webserver were to be more secure, it would only run scripts from a unix socket (or some more modern approach) to a chroot jail. I've not seen anything like that in common practice though.
        • I could bind /bin/sh to a port running as root via inetd, and that would be a big problem.

          What, you mean you don't do that?!?
          Sheesh, what if you forget your password and you're away from home where you have it written on a sticky stuck on your monitor?

          What are you gonna do then, Smart Guy?

    • Here [securityfocus.com] is one. Just search for bind on securityfocus [securityfocus.com] and you'll find more
    • OK.. Speaking as one of the culprits here.. ;)

      Those of you who patch regularly and often aren't the problem, or the target audience. Yes, the last Bind exploit was quite some time ago, and patched systems fixed it long ago. On the other hand, want to guess which there are more of out there, fully patched RedHat 9.0 boxes or unpatched RedHat 7.2 boxes?

      One of the inputs into the ranking and selection criteria was how heavily exploited the holes were. And you know what? There's more sites being nailed *NO
  • by Kjella ( 173770 ) on Wednesday October 08, 2003 @04:24PM (#7166244) Homepage
    still exist between the chair and keyboard... I think they should make a third category for that.

    Kjella
    • by airrage ( 514164 ) on Wednesday October 08, 2003 @04:33PM (#7166346) Homepage Journal
      My first reaction is to "ditto" your comment. But I can't. I can't because I can't blame the end-user for something that isn't their fault.

      Computers basically come from the manufacturer broke. They remain in states of brokeness -- sometimes entering complete brokeness -- and it's all the poor user can do to keep the computer operating.

      It's our fault as IT professionals to make computers more like ... refrigerators for lack of a better simile.

      I can't blame the user for software that contains vulnerabilities which they don't (and shouldn't) have the comprehension or time to understand. I can't blame the user for default settings on devices that are delivered unmodified. I can't blame the user for software that allows a person to accomplish something they shouldn't.

      Yeah, I think my answer is better.

      • How many of them have a computer because the MS WinXP advert convinced them they should own one?

        There's a friend of mine whose mother bought a top range piece of kit a couple of years back. What did she do with it? She dusted it and showed it to visitors because when she sat down and said "I want to see The Sound of Music" it didn't work.

        You can't even begin to explain security to someone like that. Who's to blame? M$? The company who built it? The guy who sold it to her? My friend for not having the pati
        • Re: (Score:3, Insightful)

          Comment removed based on user account deletion
          • Well... there's "knowing how to use" and "knowing how it works". Many computer tasks (especially as regards security) require some knowledge of how the damned thing works. We blame user for 'stupidly using software that has security holes' that they know nothing about; We'd never make the analogous complaint that 'that fool crashed because his axle was made of bad steel', we'd blame the manufacturer, and rightly so.

            • " Well... there's "knowing how to use" and "knowing how it works". Many computer tasks (especially as regards security) require some knowledge of how the damned thing works.

              On the contrary, I feel that people should understand how things work, at least the basics. If you own a car, you should understand the basics of how a car works, at least so you don't get completely taken advantage of by auto mechanics. Also, you need to understand that there are basic maintenance tasks associated with car ownersh

      • I think you're misanalyzing the problem. Out of the box my portable cd player can play cds. Unfortunately that's all it will ever be able to do. Out of the box, a computer can't do anything, but it has the ability to do damn near anything.
        This is the greatest strength and weakness of the computer. It will always be incomplete, because its potential can never be fully realized.
  • The List (Score:2, Redundant)

    by spoonist ( 32012 )

    Top Vulnerabilities to Windows Systems

    W1 Internet Information Services (IIS)

    W2 Microsoft SQL Server (MSSQL)

    W3 Windows Authentication

    W4 Internet Explorer (IE)

    W5 Windows Remote Access Services

    W6 Microsoft Data Access Components (MDAC)

    W7 Windows Scripting Host (WSH)

    W8 Microsoft Outlook Outlook Express

    W9 Windows Peer to Peer File Sharing (P2P)

    W10 Simple Network Management Protocol (SNMP)

    Top Vulnerabilities to UNIX Systems

    U1 BIND Domain Name System

    U2 Remote Procedure Calls

    • Regarding U4 which says:

      The most common password vulnerabilities are: (a) user accounts that have weak or nonexistent passwords; (b) users accounts with widely known or openly displayed passwords; (c) system or software created administrative level accounts with widely known, weak, or nonexistent passwords; and (d) weak or well known password hashing algorithms and/or user password hashes that are stored with weak security and are visible to anyone.

      The best defense against all of these vulnerabilities is

      • Can someone give me an example of a compromise based on a weak password?

        Weak passwords remain vulnerable to dictionary attacks, whereby a large collection of everyday words is passed through the same one-way hashing algorithm that the password system uses. These encrypted strings are then compared against the entries in the system password file, which on many systems is readable by any user (typically for historical reasons). If a match is found, then it is trivial to see which plaintext word produced t

      • Watch any computer movie, any hacker can guess a password in 5 minutes. How many admins do you know that grep their logs for failed password attempts?
        Can someone give me an example of a compromise based on a weak password?

        How would you know?
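The two posts above make the same point from opposite sides: guessed passwords are invisible unless someone actually looks at the failed-login records. The following script is an added example, not code from the original thread or from SANS, showing the check an admin could run over sshd lines in an auth log. The log lines are constructed for the example; the regex and thresholds are assumptions, and the "success after a burst of failures from the same source" rule is the heuristic the thread hints at.

```python
import re
from collections import Counter

# Constructed sample of sshd syslog lines (not from a real host).
SAMPLE_AUTH_LOG = """\
Oct  8 16:01:02 host sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 40122 ssh2
Oct  8 16:01:04 host sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 40123 ssh2
Oct  8 16:01:05 host sshd[2203]: Failed password for bob from 10.0.0.5 port 40124 ssh2
Oct  8 16:01:07 host sshd[2205]: Failed password for bob from 10.0.0.5 port 40125 ssh2
Oct  8 16:01:09 host sshd[2207]: Failed password for bob from 10.0.0.5 port 40126 ssh2
Oct  8 16:01:11 host sshd[2209]: Accepted password for bob from 10.0.0.5 port 40127 ssh2
Oct  8 16:02:30 host sshd[2250]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Oct  8 16:02:35 host sshd[2252]: Accepted publickey for alice from 192.168.1.20 port 51001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per recognised sshd authentication line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logins_by_source(events):
    """Count failures per source address: the 'grep your logs' baseline."""
    return Counter(e["src"] for e in events if e["result"] == "Failed")


def failed_logins_by_user(events):
    """Count failures per target account, to spot which names are being tried."""
    return Counter(e["user"] for e in events if e["result"] == "Failed")


def suspicious_successes(events, threshold=3):
    """Flag password logins that succeeded after >= threshold failures from the
    same source. Key-based logins are ignored: a key cannot be guessed this way.
    Returns (user, source, failures_before_success) tuples."""
    failures = Counter()
    hits = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
        elif e["method"] == "password" and failures[e["src"]] >= threshold:
            hits.append((e["user"], e["src"], failures[e["src"]]))
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures by source:", dict(failed_logins_by_source(evs)))
    print("failures by user:  ", dict(failed_logins_by_user(evs)))
    for user, src, n in suspicious_successes(evs):
        print(f"password login for {user} from {src} after {n} failures")
```

On a real system the same functions would be fed the output of `grep sshd /var/log/auth.log` (or the equivalent secure log); the threshold of three is deliberately low so that a single user's own typos are still reviewed by a person rather than silently ignored.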

      • Re:The List (Score:3, Insightful)

        by valdis ( 160799 )
        "Can someone give me an example of a compromise based on a weak password?"

        If I had a dollar for every time we've had User A hack into User B's computer/mailbox/whatever because User A guessed that User B used their lover's name as a password...
  • Vulnerability of SANS own site to slashdotting!

    At least it sure looks slashdotted now... :)
  • See?! Telnet & FTP aren't on the list anymore.

    And Gopher! YEAH!

    Enough of this ASP/PHP/SSL/SSH crap. Give us the OLD stuff back!
    When I was growing up, we had telnet and we liked it!
  • Why two lists? (Score:2, Interesting)

    by grub ( 11606 )

    There aren't two internets running, one for Windows and one for Unix.

    Methinks this is to avoid having loads of MS crud being labelled as the bulk of the threats. MS advertisement money is always nice, wink wink nudge nudge.
    • by vladkrupin ( 44145 ) on Wednesday October 08, 2003 @04:34PM (#7166352) Homepage
      There aren't two internets running, one for Windows and one for Unix

      Yes, there are. One is for IE, and one - for everything else.

      (Yes, I am expecting flames to correct my narrow view of internet and tell me that there is more than just web browsing, blah,blah. But you see my point, don't you?)
      • I can't remember the last time I tried to access a site with Mozilla, to find that it only worked in IE.

        True, my online banking service advises me to use IE, but I ignore that advice, and it works just fine in Mozilla. Every other site I use is fine. Perhaps that's more indicative of the sorts of sites I visit, though.
        • I can't remember the last time I tried to access a site with Mozilla, to find that it only worked in IE. ...then you haven't browsed the web for a while.
          - one of my favorite news sources (www.gazeta.ru) sucks in mozilla, at least their news section
          - my bank started sucking in mozilla recently
          - ebay often freaks out on some items in mozilla, so I have to copy that URL and paste it to IE to view the item.
          - my card company works intermittently with mozilla (citiCards)
          - MSNBC is sucking up mud in mozilla, even tho
          • Well, I can understand an occasional problem, but this seems like too much. For example, I've never had a problem on citicards with Mozilla. MSNBC doesn't look right? And you're surprised? Oh yeah, and I'd guess your employer is essentially irrelevant if their website doesn't work right, or at least they don't mind being irrelevant.

            The only times I've had problems with Mozilla is when a site has explicitly rejected Mozilla because it didn't match one of their accepted browsers (which always include Nets
        • I agree, but I find that the most annoying thing is that IE still won't correctly render COMPLIANT HTML/CSS correctly, so unless you want to have 90% of the people that look at your site complaining about the way it looks, you have to either:

          a) Create a much more limited website, without some of the stuff you want to add
          OR
          b) Create a website with completely BROKEN HTML/CSS so that IE can render it correctly

          In summary, the problem doesn't necessarily lie in the fact that certain sites "only" render in
    • Re:Why two lists? (Score:4, Interesting)

      by woozlewuzzle ( 532172 ) on Wednesday October 08, 2003 @04:34PM (#7166357)
      The point of the lists is not to embarrass the makers of operating systems. It is to let administrators (of either operating system) know what the most successfully attacked services are, so that they can concentrate their efforts. I recall a study, perhaps last year, by NASA of all people that, by just addressing the Top 20 list, they were able to reduce security incidents by over 90%. It doesn't mean you shouldn't secure everything, but you need to prioritize when you are overworked, underpaid and underappreciated
    • Methinks this is to avoid having loads of MS crud being labelled as the bulk of the threats. MS advertisement money is always nice, wink wink nudge nudge.

      I looked with a moderate amount of effort to find some kind of numerical data to put next to the items on the list (# of incidents, level of compromise, etc.) but didn't find any. If anyone comes across it, please post, it would be interesting to see how the 'top 20' rank intermixed.
  • "Sans FBI" isn't that French for "Without FBI"?
    Interesting though, that #8 on unix is SSH... That's supposed to be secure! (Yes I've patched!)
    Oh yeah and Apache and other stuff - But most of those are almost always (almost!) misconfigured servers and sloppy admins!
  • U3 Apache Web Server
    Shouldn't they have stated misconfigurations of Apache...

    U8 Secure Shell (SSH)
    Oxymoron seeing this here. Secure Shell...

    U10 Open Secure Sockets Layer (SSL)
    Yay another oxymoron, or according to Bush: An oxycontin!

    Multiple vulnerabilities have been found in OpenSSL, of which the most serious are the set of 4 vulnerabilities listed in CAN-2002-0655, CAN-2002-0656, CAN-2002-0557, and CAN-2002-0659. These allow the remote execution of arbitrary code as the user of the OpenSSL librarie

    • by woozlewuzzle ( 532172 ) on Wednesday October 08, 2003 @04:38PM (#7166403)
      you're missing the point. They aren't trying to criticize these products. They are letting administrators know what services are being successfully attacked the most. If you are a decent admin that isn't totally overworked, you've probably already patched and secured these services if you are running them. That is the point. They don't have the same agenda as many of the butt munches on /.

      • Bah... They should have stated which services were actually used to access machines. If that's the case, what are the stats for false positives. Meaning are numbers for something like a Scan included. Remember scanning is done daily by millions, should this be considered an attack? Consider this... If someone scans a machine and they have no intentions of attacking it, but something done out of curiosity or some stupid reason, IDS' often see this as an attack. How did SANS gather their data, and if somethi
    • Oxymoron seeing this here. Secure Shell... ...until that oxymoron exploits your openssh...

      U10 Open Secure Sockets Layer (SSL) ... or your openssl... Both had more than enough holes lately to warrant even higher placements on that list, IMHO.
    • "Who the hell uses sendmail as the root user anyway? Please email me if you do so, so I could laugh at you."

      1) The setuid bit was removed in Sendmail 8.12.0, but there's a lot of 8.9.3 and 8.10.x and 8.11.x versions still out in the field.

      2) Note that you *can* use the 'RunAsUser' option so the sendmail that's listening on port 25 and running your queue and all that stuff doesn't run as root - but then a lot of things break. The most notable breakage is that .forward processing gets hosed (because once i
  • Under U5. Clear Text Services:

    # ngrep assword
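The `ngrep assword` one-liner above is the whole U5 audit in one command: if a password prompt or a PASS command is visible on the wire, the service is clear text. The script below is an added example, not code from the thread or from SANS, that does the same classification over a handful of captured payloads and reports only the client/server pair and the protocol, never the credential itself, so the output can be handed around as a migration list. The payload tuples are constructed for the example; the patterns and the "lower port is the server" rule are assumptions.

```python
import re

# Constructed (source, destination, payload) tuples, as a capture tool might
# deliver them. They are not from a real network.
SAMPLE_PAYLOADS = [
    ("10.0.0.7:40001", "10.0.0.2:21",  b"USER jane\r\n"),
    ("10.0.0.7:40001", "10.0.0.2:21",  b"PASS s3cret\r\n"),
    ("10.0.0.7:40002", "10.0.0.3:110", b"PASS letmein\r\n"),
    ("10.0.0.7:40003", "10.0.0.4:80",
     b"GET /admin HTTP/1.0\r\nAuthorization: Basic amFuZTpzM2NyZXQ=\r\n\r\n"),
    ("10.0.0.5:23",    "10.0.0.7:40004", b"\r\nPassword: "),   # telnet prompt, server -> client
    ("10.0.0.7:40005", "10.0.0.6:22",  b"SSH-2.0-OpenSSH_3.7\r\n"),
]

# Ordered checks; the first match labels the packet. The last one is the
# same substring trick as `ngrep assword`, catching any interactive prompt.
CLEARTEXT_CHECKS = [
    ("FTP/POP3 PASS command",        re.compile(rb"^PASS \S+", re.M)),
    ("HTTP Basic authentication",    re.compile(rb"^Authorization: Basic \S+", re.M)),
    ("password prompt (telnet/rlogin style)", re.compile(rb"assword:")),
]


def classify(payload):
    """Return the label of the first clear-text credential pattern found, else None."""
    for label, rx in CLEARTEXT_CHECKS:
        if rx.search(payload):
            return label
    return None


def _port(endpoint):
    return int(endpoint.rsplit(":", 1)[1])


def find_cleartext_logins(packets):
    """Return a deduplicated list of (label, server, client) for every
    connection that carried a clear-text credential exchange. The payload is
    deliberately discarded: the report exists to find services to migrate,
    not to collect passwords."""
    findings = []
    seen = set()
    for src, dst, payload in packets:
        label = classify(payload)
        if label is None:
            continue
        # Whichever direction the packet went, the well-known (lower) port is the service.
        server, client = (src, dst) if _port(src) < _port(dst) else (dst, src)
        key = (server, client)
        if key in seen:
            continue
        seen.add(key)
        findings.append((label, server, client))
    return findings


if __name__ == "__main__":
    for label, server, client in find_cleartext_logins(SAMPLE_PAYLOADS):
        print(f"{server:<16} {label:<40} from {client}")
```

Feeding this real traffic is a matter of replacing `SAMPLE_PAYLOADS` with tuples pulled from a capture library; the point of the example is the reporting shape, one line per service that still accepts clear-text logins.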
  • Hmm... (Score:3, Insightful)

    by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Wednesday October 08, 2003 @04:35PM (#7166371) Homepage Journal
    Looks like Dan Bernstein [slashdot.org] was on to something when he said BIND's design was fundamentally flawed and would result in vulnerability after vulnerability. Just goes to show you that sometimes the most paranoid among us can still be on to something.
    • Looks like Dan Bernstein was on to something when he said BIND's design was fundamentally flawed and would result in vulnerability after vulnerability. Just goes to show you that sometimes the most paranoid among us can still be on to something.

      You are referring to these pages:

      http://cr.yp.to/djbdns/blurb/unbind.html [cr.yp.to]

      http://cr.yp.to/djbdns/blurb/security.html [cr.yp.to]
    • sometimes the most paranoid among us can still be on to something.

      Not the best choice of adjective: leaving aside the question of what Dan Bernstein thinks about anything, in security, paranoia is a survival trait. :)

    • Most of the problems with bind have been with versions 4 and 8. bind 9 was a complete redesign and has proved itself to be much more secure.
  • by JRHelgeson ( 576325 ) on Wednesday October 08, 2003 @04:39PM (#7166408) Homepage Journal
    I think they forgot to mention the /. effect as being one of the greatest threats on the net. It should rank up there towards #1 on both Windows & Unix.
  • by johnlcallaway ( 165670 ) on Wednesday October 08, 2003 @04:43PM (#7166441)
    Windows break/Fixes can be simplistically be broken down this way:
    • W1 Internet Information Services (IIS) - Keep it patched
    • W2 Microsoft SQL Server (MSSQL) - Keep it patched and don't connect it to the web
    • W3 Windows Authentication - Create and enforce password policies
    • W4 Internet Explorer (IE) - Keep it patched
    • W5 Windows Remote Access Services - Don't use it/keep it patched/hack the registry
    • W6 Microsoft Data Access Components (MDAC) - Keep it patched
    • W7 Windows Scripting Host (WSH) - Disable it
    • W8 Microsoft Outlook Outlook Express - Remove it
    • W9 Windows Peer to Peer File Sharing (P2P) - Don't install it
    • W10 Simple Network Management Protocol (SNMP) - Disable it unless you know what you are doing
    Unix break/Fixes can be simplistically be broken down this way:
    • U1 BIND Domain Name System - Don't install or use an alternative and only on DNS servers
    • U2 Remote Procedure Calls (RPC) - Don't install it, period. Nasty, nasty, little things.
    • U3 Apache Web Server - Don't install it except on web servers and only install modules you need
    • U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords - Create and enforce password policies
    • U5 Clear Text Services - Don't install them, use alternatives
    • U6 Sendmail - Don't install, use an alternative, and only install on mail servers
    • U7 Simple Network Management Protocol (SNMP) - Don't install it unless you know what you are doing
    • U8 Secure Shell (SSH) - Keep up to date with patches and don't allow access from Internet except over VPN
    • U9 Misconfiguration of Enterprise Services NIS/NFS - Don't install them
    • U10 Open Secure Sockets Layer (SSL) - Don't install or install only where needed and keep up to date with patches
    The best choice is if you don't need it, don't install it. If software isn't on the machine, it can't be hacked.

    Of course, with Unix, at least you have that choice......
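The post above reduces the Unix half of the list to "if it isn't on the machine, it can't be hacked", which in practice means walking the listening sockets and asking which Top 20 entry each one corresponds to. The script below is an added example, not code from the thread or from SANS, that does that walk over `netstat -tln`-style output. The netstat sample is constructed; the port-to-entry table and the advice strings paraphrase the parent post and are assumptions about which port carries which service on a given host.

```python
import re

# Port -> (Top 20 entry, service, advice). The advice column paraphrases the
# parent post; the port assignments are the usual defaults, not a guarantee.
TOP20_PORTS = {
    21:   ("U5",  "FTP (clear text)",   "replace with sftp/scp"),
    22:   ("U8",  "SSH",                "keep patched; restrict source addresses"),
    23:   ("U5",  "telnet (clear text)", "replace with SSH"),
    25:   ("U6",  "Sendmail/SMTP",      "only on mail servers; consider an alternative MTA"),
    53:   ("U1",  "BIND/DNS",           "only on DNS servers; keep patched or use an alternative"),
    80:   ("U3",  "Apache/HTTP",        "only on web servers; load only the modules you need"),
    110:  ("U5",  "POP3 (clear text)",  "use POP3 over TLS or drop it"),
    111:  ("U2",  "portmapper/RPC",     "disable unless NFS/NIS is required"),
    161:  ("U7",  "SNMP",               "disable unless you need it"),
    443:  ("U10", "OpenSSL/HTTPS",      "only where needed; keep OpenSSL patched"),
    2049: ("U9",  "NFS",                "never expose beyond the private network"),
}

# Constructed sample in the shape of `netstat -tln` (not output from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
"""

LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN")


def parse_listeners(text):
    """Return (bind_address, port) for every TCP LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port"))))
    return listeners


def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")


def audit(listeners):
    """Map each listener to its Top 20 entry; unknown ports are left to a manual review."""
    findings = []
    for addr, port in listeners:
        entry = TOP20_PORTS.get(port)
        if entry is None:
            continue
        list_id, service, advice = entry
        findings.append({
            "id": list_id, "port": port, "service": service, "advice": advice,
            # A service bound to loopback is still installed, but is not reachable from the network.
            "exposure": "loopback only" if is_loopback(addr) else "all interfaces",
        })
    return findings


def exposed_entries(findings):
    """The list entries reachable from the network, which is the priority order the post argues for."""
    return [f["id"] for f in findings if f["exposure"] == "all interfaces"]


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE_NETSTAT)):
        print(f"{f['id']:<4} port {f['port']:<5} {f['service']:<20} {f['exposure']:<15} -> {f['advice']}")
```

Port 8080 in the sample is deliberately unmapped: the table only covers the list's own entries, so anything it does not recognise still needs a human to decide whether the service belongs on the box at all.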
    • The primary function of a computer is not security. If that was the goal, I could just pull the plug and beat it with a sledge hammer. See? Perfectly secure!

      I bought the computer to do work, some of which involves communicating with other computers. Disabling useful features is not a practical strategy for the long term.

  • The number two Unix vulnerability was RPC, which I was not aware of. However, the last two major windows vulnerabilities were both with the same Windows RPC service and yet that didn't make the list at all. MS Blaster was an exploit of the RPC vulnerability.
  • A waste of time? (Score:3, Interesting)

    by thesupraman ( 179040 ) on Wednesday October 08, 2003 @04:49PM (#7166505)

    Well, this list looks very foolish to me.

    Firstly, why two separate lists? are they saying there are as many unix security violations as windows? I wonder what colour the sky is in their world.

    Secondly, just look at the lists.. a large number of the windows services are 'essential' (well, if you believe microsoft) for a windows server.
    Most of the unix services are easily replaceable with effectively identical but more secure options.
    Anyone who runs sendmail rather than postfix gets all they deserve.
    RPC? why on earth would you make that available? NFS is hardly essential these days.
    No password accounts? my god - I never realised that was forced on you by unix! :P
    Bind? there are certainly secure alternatives to BIND (djbdns, for one) - and even BIND should be running chrooted anyway..
    And clear text services? why don't they point out that situating your critical servers outside on the street is also a security risk!

    My point is that nearly all of the unix 'problems' are very easy to avoid, or are only problems for very short times (the SSH/SSL problem, for example) - the majority of the windows 'problems' are almost impossible to avoid, patches come late, and sometimes even make things worse.

    I see windows machines being virused/hacked about once a month (and trust me - I try to stop this a lot, as it makes my life very difficult) - I've only ever had ONE linux machine hacked in around 4 years - through a sendmail hole, and I stopped running sendmail everywhere the next day (it took about 1 hour to change 5 servers to postfix)

    These lists need some form of relative threat rating on these problems!
    • Firstly, why two separate lists? are they saying there are as many unix security violations as windows? I wonder what colour the sky is in their world.

      Probably, they're trying to avoid touching off exactly this sort of religious flaming... maybe they judge that "mine is bigger than yours" is a poor addition to any discussion of security, even if (or maybe even especially if) there is some discernible difference in size between the... er.. security records in question.

      Windows's poor security track recor

    • Two separate lists are useful because they have different target audiences. It doesn't matter how critical a Windows flaw is, there's absolutely nothing I can do about it, because I don't use Windows.

      Of course, there's relatively little point in having a yearly report about Unix vulnerabilities, since that's laughably infrequent to think about security in the Unix world.
    • While I agree with most of what you said...

      RPC? why on earth would you make that available? NFS is hardly essential these days.

      I use NFS both at work and on my home network every day. At work, there is no data stored on the local machine. I do everything over NFS mounts. And I couldn't imagine not using it.

      Of course, if you mean offering NFS over a public network like the Internet, then I wholeheartedly agree. But on a private network, it's invaluable.
    • Because the purpose of this list isn't about which software is the most secure. It's about what system admins need to do with the systems they have, be it Windows or Unix. Even admins running the most secure software in the world need to be vigilant about their system.

      Now you could say that a decent system admin should already know everything on this list, and should have fixed it. I agree, but we know for a fact that not all system admins do this, either out of ignorance or lack of time. That is the whole
  • Weak passwords, clear text in http, ftp etc are hardly Unix specific and would also feature on the Windows, though lower down.

    That these folks had to dig so deep to find 10 Unix vulns heartens me. Apart from BIND, what this says to me is the worst Unix vulnerabilities are only as bad as the fifteenth or twentieth placed Windows ones.

    • The authentication issue is mentioned in the Windows list as well at #3 so they did account for that.

      The clear text part though doesn't seem to be accounted for in windows systems unless you count it mentioning IIS. Though I suppose you could view it as them realizing it's a UNIX controlled server world so this is more prevalent on UNIX machines than Windows and also the fact that Windows has other more pressing vulnerabilities ahead of clear text protocols.
  • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday October 08, 2003 @04:51PM (#7166524) Journal
    Does anyone know a good way to make Mac OS X pay attention to passwords longer than 8 characters long?

    Are there any caveats?

    Sorry this offtopic, it just always annoyed me. I can type fast enough that I'd prefer to have something like this as my password: "I have the most t76uDDd password ever. BTW your mom says hi."
    • First let me say I know nothing about Mac OSX, so YMMV. From what I understand 8 is the default for most *NIXs and to change it is a compile time option for the kernel which I'm supposing you can't do. If you have an /etc/login.defs, the PASS_MAX_LEN field only specifies how many characters are used when crypt() hashes the password for the md5 output.
    • I'm not entirely sure about 10.2.x on down(I'm pretty sure they're stuck at 8), but 10.3(aka Panther) finally takes care of the issue officially. With Panther, Apple's finally gone to the *nix standard of shadow hashes, so you can have whatever long password you want.
      • I'm not entirely sure about 10.2.x on down(I'm pretty sure they're stuck at 8), but 10.3(aka Panther) finally takes care of the issue officially. With Panther, Apple's finally gone to the *nix standard of shadow hashes, so you can have whatever long password you want.

        10.2 still uses the standard crypt() algorithm without md5 support, so it's still limited to 8 characters. Glad to hear they're finally changing this.
  • by moltar77 ( 708055 ) on Wednesday October 08, 2003 @05:07PM (#7166661)
    Windows! On a more serious note, the web site listed a very nice link [microsoft.com] for manually removing Outlook Express. At last I can purge my hard drive of that thing!!
  • The real difference between lists is that on the *nix side, the only problem I see that is related to a machine that is either completely firewalled off, not running the service in question is the weak/no password issue - which is on both lists (what was #11 on each?). Which means that most likely, it is possible to build a non-service offering system that can act just fine as a client and local machine with a *nix (make mine slackware thanks!) base.

    The windows list though contains several other items tha
  • It amazes me that BIND (and, for that matter, Sendmail) still ship as defaults with RH and some of the other distributions.

    There are still a few obscure cases where Sendmail does a job no other MTA can -- though they are getting obscurer by the minute -- but there really is no excuse to have a copy of BIND running anywhere, on any machine, at any time. It's bloated, unstable, unsafe, poorly coded and, as its long track record demonstrates, its developers lack either the intention or the ability to fix it.
  • Most of the windows vulnerabilities are vulns that affect both server and end-user machines, and they're on by default. Hard to turn off, too, without affecting random things in the O/S, and you have to be able to read the list of umpteen million running services (knowing what they are, in other words) in the admin tool MS provides.

    Most of the Unix/Linux vulnerabilities affect servers primarily. Most end-users would have these services turned off (workstations wouldn't be running apache or an SSH server, f
    • I personally don't run either IIS nor SQL Server on my XP box, moreover, the firewall which is provided and proposed when I create a DSL connection prevents me from being attacked on the RPC port as well as other ports.
      The lack of Desktop issues on Unix comes principally from the lack of Unix desktops... That's why they're not considered as important, because almost nobody's hit when there's a failure in Mozilla, it's a drop in the ocean of users.

      As for disabling services, I largely prefer the UI provided b
      • Not to upset/depress you, but you DO know that all firewalls in the windows world run in userspace (whereas Unix/Linux firewalls run in the kernel) so they're not quite as bulletproof as you might think?

        By the way, your windows box is listening on a whole range of ports you don't even know about. And, you have to trust that Microsoft has truly locked down that "firewall" of yours. Considering that they opened up all those weird ports in an end-user machine in the first place (why?) you might want to ask yo
        • Not to upset/depress you, but you DO know that all firewalls in the windows world run in userspace (whereas Unix/Linux firewalls run in the kernel) so they're not quite as bulletproof as you might think?

          1) That's not true, you can write a packet filter driver on Windows, running in kernel space to do the filtering, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/network/hh/network/fltrhook_5xpj.asp

          However most people use the IP Filter API to do this in user-mode, thus avoiding pu
          • If you know what you're talking about, why is it you think that a user-space firewall is more secure than a kernel-space firewall?

            When the firewall runs in the kernel, the firewall sees incoming packets FIRST, and can drop them on the spot. When the firewall runs in user-space, incoming packets come in, get handled by a kernel process (which may have a vulnerability), and THEN get handled by the firewall. So if there's a vulnerability in the kernel, the packet has already nailed you before the firewall ha
  • by hayden ( 9724 ) on Wednesday October 08, 2003 @05:16PM (#7166727)
    4 Unix vulnerabilities could be considered seriously dumb things to do (clear text services, bad passwords, misconfiguration; these are not problems specifically with unix). Sendmail is more about how horribly bad its history is (which pales into insignificance if you compare it with IIS, IE, outlook etc) and the Apache entry is more about how crap "Web Programmers" are with security than actual problems with Apache.

    Compare with the Windows list. Most of which are application problems and things that have been fixed in the unix world for a long time (such as keeping passwords in /etc/passwd). One of the list has the dubious honour of being the reason for a whole class of vulnerabilities (the "email virus", read, the "Outlook Express virus"). I can remember laughing at people who said "I'll send you a virus in your email" about 6 years ago. The only reason IE isn't higher is because attacks on OE are much more fruitful.

  • can we get a big round of 'duh!' for this one please? i mean, accounts without passwords and/or with stolen passwords aren't vulnerabilities with the computer as much as like walking into Harlem. alone. dressed in a KKK outfit. singing 'dixie'. it's just asking for trouble.
  • Look at the "Learn how to improve your system security" frame; notice how there are no classes in the Seattle area.
    Why not have more security classes in the M$ corporate area? Maybe it would help improve M$ Security if their coders could take a few classes.
  • When I type openssl version into the terminal on OS X, it returns:
    OpenSSL 0.9.6i

    Which is lower than 0.9.7. The article said you were vulnerable if you had a version lower than that. Time to self update I guess. I'm surprised Apple has never updated this, and yes I am using 10.2.8 currently.

    • Crap. Crappity crappity crap.

      My fault.

      I totally botched the issue of vendor-backported patches. It's not an OSX-only issue - RedHat 8.0 has a nicely patched version that says 0.9.6b. I couldn't come up with a good way to fit instructions for RedHat, Debian, Suse, Solaris, AIX, Irix, Tru64, Solaris, *BSD, and whatever - all into a few lines. On the flip side, reading http://www.cert.org/advisories/CA-2003-26.html it seems that the CERT crew couldn't do it either - the 'Vendor Info' in Appendix A is ove
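The version-check problem the last two posts describe (0.9.6i reads as "lower than 0.9.7", yet a vendor package such as Red Hat's 0.9.6b may already carry the fix backported) comes down to parsing the `openssl version` string correctly and then being honest about what a low number proves. The following is an added example, not code from the thread, SANS or CERT; the sample version strings are constructed to match what the posters report, and the date suffixes are assumed.

```python
import re

# Constructed sample outputs of `openssl version`, modelled on the thread's
# reports (the trailing build date is assumed; real builds print one).
SAMPLE_OSX = "OpenSSL 0.9.6i Feb 19 2003"
SAMPLE_REDHAT8 = "OpenSSL 0.9.6b [engine] 9 Jul 2001"
SAMPLE_FIXED = "OpenSSL 0.9.7c 30 Sep 2003"

# OpenSSL of this era numbers releases as MAJOR.MINOR.PATCH plus an optional
# letter patch level: 0.9.6 < 0.9.6a < 0.9.6i < 0.9.7.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(output):
    """Return (major, minor, patch, letter) from `openssl version` output.

    The tuple sorts naturally: integers first, then the letter suffix, where
    the empty string (a bare 0.9.6) correctly sorts before 'a'.
    """
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised openssl version string: %r" % output)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def assess(output, required="0.9.7"):
    """Compare a reported version against the upstream fixed version.

    Returns 'ok' when the upstream number meets the threshold. Returns
    'below-upstream-threshold' otherwise; this means "consult the vendor
    advisory", not "vulnerable", because distributions backport fixes without
    bumping the version string (the Red Hat 0.9.6b case in the thread).
    """
    found = parse_version(output)
    needed = parse_version("OpenSSL " + required)
    if found >= needed:
        return "ok"
    return "below-upstream-threshold"


def report(outputs, required="0.9.7"):
    """Summarise a batch of version strings, e.g. collected from many hosts."""
    return {out: assess(out, required) for out in outputs}


if __name__ == "__main__":
    for line, status in report([SAMPLE_OSX, SAMPLE_REDHAT8, SAMPLE_FIXED]).items():
        print("%-40s %s" % (line, status))
```

The letter suffix is what trips up naive string comparison: "0.9.6i" is lexically greater than "0.9.7" in some ad-hoc scripts because 'i' follows '6' in ASCII, while the tuple form sorts it correctly below 0.9.7. A 'below-upstream-threshold' result on a distribution package should be resolved against that vendor's errata (package version and changelog), which is the step the CERT advisory's vendor appendix covers.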
