The SANS Institute has released its 2004 Top 20 Internet Security Vulnerabilities list, the fifth edition of the annual list.

It's a good, evolving guide that draws attention to the problem of Internet security, which is of growing importance as we become more reliant on the Internet as a platform for our communications and commerce. (More on the relative importance of Internet security in another blog post -- when I get some time to write about that.)

Notable additions on the Windows side are e-mail client software vulnerabilities and instant messaging vulnerabilities. I am unsure why both of these were not added to the list before. Attacks against both of these types of applications evolved far beyond the nuisance level years ago, particularly in the case of spam and e-mail-borne worms and viruses.

Security threats from P2P filesharing applications like Morpheus, KaZaA, eDonkey, Gnutella and BitTorrent are also on the rise, reflected in the category's ranking in the list -- rising to 7th from 9th in 2003. Using these programs is like opening up your computer to anyone who has Internet access, particularly if you don't know what you're doing (or what you are sharing). This is one of the many reasons why I never install these types of applications.

The "SANS Top-20 2004" is actually two Top Ten lists: the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited elements in UNIX and Linux environments.

Not surprisingly, we see many of the same vulnerabilities highlighted year after year (see the links to previous versions of the list at the bottom of this entry). We also see solutions offered to the problems, which is what makes the SANS list particularly useful. It's too bad that we have heard many of these solutions before -- things like keeping your software up-to-date, using a firewall, making sure your virus definitions are current, etc.

An aside: Part of the problem is fundamental flaws in how much software is written -- think buffer overflows as the prime example -- and the inherent lack of usability of most security solutions for the typical end-user. The list is aimed at security professionals and corporate administrators who manage fleets of desktop computers, intranets and other networks, but consumers can benefit from the list, too.
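To make the buffer-overflow point concrete, here is an added example in C (not code from the SANS list or from this post). It assumes a hypothetical record layout in which a fixed-size name field is immediately followed by a privilege flag, and feeds both a vulnerable copy routine and a hardened one a constructed over-long name. The unsafe copy spills the attacker's bytes into the flag; the safe one refuses the input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

/* Hypothetical record (an assumption for this example): a fixed-size
 * name followed by a privilege flag.  NAME_MAX is a multiple of int's
 * alignment, so there is no padding and is_admin sits at byte offset
 * NAME_MAX, directly after name[]. */
struct session {
    char name[NAME_MAX];
    int  is_admin;
};

/* Vulnerable: copies an untrusted name with no length check.  Once
 * strlen(name) >= NAME_MAX the copy runs past name[] into is_admin,
 * handing the flag to whoever controls the input. */
void set_name_unsafe(struct session *s, const char *name)
{
    char *dst = s->name;
    size_t i = 0;
    while (name[i] != '\0') {   /* no bound on i: the classic overflow */
        dst[i] = name[i];
        i++;
    }
    dst[i] = '\0';
}

/* Hardened: reject anything that does not fit together with its NUL,
 * then copy exactly that many bytes.  Returns 0 on success, -1 if the
 * input was refused; adjacent fields can never be touched. */
int set_name_safe(struct session *s, const char *name)
{
    size_t n = strlen(name);
    if (n >= NAME_MAX)
        return -1;
    memcpy(s->name, name, n + 1);
    return 0;
}

/* Constructed attack input: NAME_MAX filler bytes, then three 0x01 bytes
 * that land in is_admin, then the terminator, which lands on is_admin's
 * last byte and so stays inside the struct. */
static void build_attack(char *buf)
{
    memset(buf, 'A', NAME_MAX);
    buf[NAME_MAX]     = 1;
    buf[NAME_MAX + 1] = 1;
    buf[NAME_MAX + 2] = 1;
    buf[NAME_MAX + 3] = '\0';
}

/* Returns 1 if the unsafe copy turned a zeroed is_admin flag non-zero. */
int demo_unsafe(void)
{
    struct session *s = calloc(1, sizeof *s);   /* heap: nothing else nearby to smash */
    char attack[NAME_MAX + 4];
    int escalated;
    if (s == NULL)
        return -1;
    build_attack(attack);
    set_name_unsafe(s, attack);
    escalated = (s->is_admin != 0);
    free(s);
    return escalated;
}

/* Returns 1 if the hardened copy refused the same input and left is_admin at 0. */
int demo_safe(void)
{
    struct session *s = calloc(1, sizeof *s);
    char attack[NAME_MAX + 4];
    int ok;
    if (s == NULL)
        return -1;
    build_attack(attack);
    ok = (set_name_safe(s, attack) == -1 && s->is_admin == 0);
    free(s);
    return ok;
}

int main(void)
{
    printf("unsafe copy escalated privilege: %s\n", demo_unsafe() ? "yes" : "no");
    printf("safe copy rejected the input:    %s\n", demo_safe() ? "yes" : "no");
    return 0;
}
```

The overflow is deliberately written as a pointer loop rather than strcpy so that the example shows the mechanism itself: nothing in the language stops index i from walking past the end of name[]. The fix is not a cleverer copy but a length check before any byte is written.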

It almost goes without saying that Microsoft's Internet Explorer (IE) Web browser was -- deservedly -- slammed for poor security. The SANS list cites "153 IE vulnerabilities since April 2001, according to the Security Focus Archive" and 34 "unpatched vulnerabilities ... according to http://umbrella.name/originalvuln/msie/". Keep in mind that these are only the known vulnerabilities; the count says nothing about vulnerabilities that have yet to be discovered.

This apparently makes IE the most insecure Web browser on the market, which is most unfortunate for us since it's also the most widely deployed.

The tight integration of IE into the Windows operating system, its vulnerability to spyware, the long wait for fixes to be issued (up to six months at a time -- or longer!) and its support for ActiveX controls and Active Scripting give miscreants and would-be ne'er-do-wells plenty of opportunities to bypass, evade or disable security settings.

It doesn't help that Microsoft all but ceased developing its Web browser once it reigned supreme. Fortunately, companies like Opera and the open-source Mozilla project didn't.

Media coverage

SANS Reference materials

Better Web browsers & e-mail software: