LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Tux3: the other next-generation filesystem

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

The most over- and under-rated vulnerabilities

[Posted August 26, 2003 by corbet]

ITSecurity.com has published a look at the most over- and under-rated vulnerabilities, as determined by Harris Corporation. The list is worth a look; it is an attempt to clarify where the real risks lie. Besides, a couple of the entries are rather amusing.

So what are the overrated vulnerabilities? A few selections from the list include:

  • PGP vulnerabilities. As the authors assert, there is no known case of somebody having actually broken PGP's encryption.

  • SNMP; "As long as the default community strings have been changed, SNMP should be fairly safe. Actual exploitation using SNMP has been rare."

  • Cross-site scripting. Actual cross-site scripting exploits are rare; there is usually a more direct route to what the crackers want.

  • Gopher vulnerabilities. Evidently some people are still concerned about Gopher holes.

So, rather than running out to patch that Gopher server, what should you really be worried about? The list includes:

  • Remote procedure call vulnerabilities. RPC remains dangerous, and certainly should not be exposed to the internet.

  • Wireless networks which are easy to find and penetrate, and which often live inside firewalls.

  • Keystroke loggers and spyware.

  • WebDAV servers. This one makes the list mostly due to the potential of compromising the web server, and (on Windows, at least) thus the whole machine.

Interestingly, virus-susceptible email systems do not make the list, despite the fact that this type of vulnerability has probably created more in the way of security costs - especially recently - than any other. Clearly this vulnerability is underrated, given that it remains unclosed after all these years. Risk, evidently, is still in the eye of the beholder.

(Log in to post comments)

The most over- and under-rated vulnerabilities

Posted Aug 28, 2003 3:29 UTC (Thu) by JoeBuck (subscriber, #2330) [Link]

Haven't cross-site scripting holes been used to deface large numbers of web sites?

The most over- and under-rated vulnerabilities

Posted Aug 28, 2003 12:21 UTC (Thu) by mwh (subscriber, #582) [Link]

Not nearly as many as buffer overflows in IIS, I'd expect.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds