Jan 27 2005
The SANS group has collected this excellent list of vulnerabilities, and it’s definitely something that should be perused. I always find this list amusing, mostly because of the scope of the vulnerabilities. The Windows top 10 are always the most ubiquitous tools, the ones no one can live without, like the web browser and email, not to mention the web services. In comparison, while the vulnerabilities on the UNIX side are important, most of them are quite a bit more limited. For example, every Windows system is going to have the workstation service (W2), but only a limited number of *nix systems are going to have BIND or a web server running. The #1 vulnerability on the Windows list should just be Windows itself.
On a related note, Richard Bejtlich, author of The Tao of Network Security Monitoring, takes exception with the way SANS uses the words ‘threat’ and ‘vulnerability’. His point is well taken, but I’m not sure if it’s that important in the bigger picture. Semantics definitely affect how you look at an issue or problem, but I think it’s more important to get the information out than argue about how its presented.
If I have the time, I’d like to compare the new list to the last few years. Other the the name of the specific vulnerabilities, I’m pretty sure what’s on the list really hasn’t changes all that much over the last few years. So yes, this years buffer overflow is a little different from last years, but it’s still a buffer overflow in how IE handles URLs.