Core software as security vulnerabilities
- 19 October, 2004 10:15
The SANS Institute just released its 2004 list of the 20 most critical Internet security vulnerabilities. It includes 10 threats in Windows-based systems and 10 in Unix-based systems.
The title is a little bit misleading because SANS does not list specific vulnerabilities. Instead it lists programs or sub-systems that too often contain vulnerabilities.
The whole list comes across a little bit like telling someone to stop breathing in order to avoid getting cancer from air pollution -- accurate but useless advice. I'll focus on the Windows part of the list because many more people can relate to Windows vulnerabilities than Unix ones (including, I suppose, Mac OSX).
The 10 "vulnerabilities" on the SANS list are: Web servers & services, workstation service, Windows remote access services, Microsoft SQL Server, Windows authentication, Web browsers, file-sharing applications, Windows Local Security Authority Subsystem Service exposures, Microsoft Outlook mail client and instant messaging.
You can't just turn all these things off and have much of a system left, so as the SANS commentary suggests, adopting aggressive patching strategies is the Windows user's only hope for survival.
Most of the problems the SANS Institute discusses with these Microsoft and non-Microsoft applications and Windows sub-systems can be summarized by saying that lots of examples of poor programming practice have been found and exploited in this software. I'd expect that some of the software listed will be replaced next year with other software where the same sort of problems have been uncovered.
With 40 million or more lines of secret source code in Windows XP, I find it hard to imagine that there aren't many thousands of bugs yet to be discovered.
I expect there are also many bugs in the 30 million or more lines of source code in Linux, but the public nature of the code means the problems may be found and fixed sooner.
Bugs in software are to be expected because programmers often are humans and perfection is an uncommon trait among humans. But some issues on the SANS list are not bugs -- they are features. The best example is the Outlook mail client, of which the SANS commentary politely says "the embedded automation features are at odds with the built-in security controls (often disregarded by end users)." In a bit of understatement, SANS mentions that "this has given rise to e-mail viruses, worms, malicious code to compromise the local system, and many other forms of attack." This kind of thing is far harder to fix.
If all this makes you want to get an abacus (or a Mac), you're not alone.
But sad to say, neither solution is acceptable in much of today's workplace, even though at least the Mac would do the job most of the time. (It's hard to do word processing on an abacus though.)
That leads back to the advice mentioned earlier about breathing -- which was about the only statistically valid result of the cancer and air pollution research I participated in as a lab technician in my first job out of Boston University.
Disclaimer: Some things that Harvard's neighbors see as bugs Harvard sees as features (students on a Saturday night for example). But I did not ask the neighbors or Harvard about the above lament.
Bradner is a consultant with Harvard University's University Information Systems. He can be reached at firstname.lastname@example.org.