Security Basics mailing list archives

Re: Ten least secure programs


From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Tue, 1 Jul 2003 10:52:23 +0200

On 2003-06-28 Chris Berry wrote:
I'm putting together a list of what seem to be the ten least secure
computer items in use today with the idea of having a set of things to
recommend AGAINST people using, probably to be posted on the IT room
door with a note like "NO, you cannot use the following!!".  Here is
what I have so far, I'm looking for additions and comments.  The list
is in order, with the worst offender being number one.  These
should be products whose inherent design is flawed, not ones that are just
difficult to secure.  I expect vigorous discussion. *putting on flame
retardant garments*  Oh, and leave Operating systems out of this one.

I'm not sure if this discussion will be productive in any way, since you
seem to concentrate too much on the software and ignore layer 8, which
is (IMHO) the major problem. But anyway, here we go:

1) Microsoft Outlook

I beg to differ on this one. Outlook is a groupware client and is
therefore *designed* to be insecure. It's a behaviour I would expect
from a groupware client. Of course one should *not* use Outlook as an
internet mail client (at least not without taking further precautions).
Also I would like to mention that AFAIR all vulnerabilities in Outlook
are vulnerabilities of Internet Explorer (which I suggest putting on
this list instead).

2) Telnet
3) Sendmail
4) IIS Server
5) Wireless networking
6) PHP
7) ?
8) ?
9) ?
10) ?

You might want to add FTP in general and BIND (at least earlier than
version 9) here.

Regards
Ansgar Wiechers
