The following text is copyright 2004 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.


Core software as security vulnerabilities


By Scott Bradner


The SANS Institute just released its 2004 list of the "twenty most critical Internet security vulnerabilities."  It includes 10 threats in Windows-based systems and 10 threats in UNIX-based systems.  The title is a little bit misleading because they do not actually list specific vulnerabilities, instead they list programs or subsystems that too often contain vulnerabilities.  The whole list comes across a little bit like telling someone to stop breathing in order to avoid getting cancer from air pollution -- accurate but useless advice.


I'll focus on the Windows part of the list ( since many more people can relate to Windows vulnerabilities than can relate to UNIX (including, I suppose, Mac OSX) vulnerabilities.


The ten "vulnerabilities" on the SANS list are:  web servers & services, workstation service, Windows remote access services, Microsoft SQL Server, Windows authentication, web browsers, file-sharing applications, Windows Local Security Authority Subsystem Service exposures, Microsoft Outlook mail client and instant messaging. 


You can't just turn all of these things off and have much of a system left so, as the SANS commentary suggests, adopting aggressive patching strategies are the Window's user's only hope for survival.


Most of the problems the SANS Institute discusses in conjunction with these Microsoft and non-Microsoft applications and Windows subsystems can be summarized by saying that lots of examples of poor programming practice have been found and exploited in this software.  I would expect that some of the software listed this year will be replaced next year with other software where the same sort of problems have been uncovered.  With 40 or more million lines of secret source code in Windows XP I find it hard to imagine that there are not many thousands of bugs yet to be discovered. (  I expect that there are also many bugs in the 30 or more million lines of source code in Linux but the public nature of the code means that the problems may be found and fixed sooner.


Bugs in software are to be expected since programmers are so often pesky humans and perfection is an uncommon trait among humans.  But some of the issues on the SANS list are not bugs -- they are features.  The best example is the Outlook mail client, of which the SANS commentary politely says "the embedded automation features are at odds with the built-in security controls (often disregarded by end-users)."  In a bit of understatement, they go on to mention that "this has given rise to e-mail viruses, worms, malicious code to compromise the local system, and many other forms of attack."  This kind of thing is far harder to fix.


If all this makes you want to get an abacus (or a Mac) you are not alone but, sad to say, neither solution is acceptable in much of today's workplace, even though at least the Mac would do the job most of the time  - it's hard to do word processing on an abacus though.


That leads back to the advice in the first paragraph  -- which actually was about the only statistically valid result of the cancer and air pollution research I participated in as a lab technician in my first job out of BU.


disclaimer:  Some things that Harvard's neighbors see as bugs Harvard sees as features, students on a Saturday night for example, but I did not ask the neighbors or Harvard about the above lament.