SANS Top 20 Security Vulnerabilities

SANS have released their “Top 20 security vulnerabilities” for 2007.

Users who are allowed by their employers to browse the Internet have become a source of major security risk for their organizations. A few years back securing servers and services was seen as the primary task for securing an organization. Today it is equally important, perhaps even more important, to prevent users having their computers compromised via malicious web pages or other client-targeting attacks.

Quite right. 9 days (rather than 286 days) should be looking pretty good to a lot of companies right now.

The SANS article does have a section on browsers. It says the following about Firefox:

Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has a fair share of vulnerabilities. In 2007, it has released several updates to address publicly disclosed vulnerabilities. Similarly to Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. …

Yes, but how many people are actually using old versions of Firefox (as opposed to old versions of IE)? According to Secunia, only 5% of Firefox users are, as opposed to 10% of IE users. Actually, I’m amazed the IE number is that high. Most Windows PCs I come across are very out of date with patches. Firefox, on the other hand, doesn’t give you a choice.
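The Secunia figures above are the kind of number you can measure on your own network: the browser version is in every User-Agent string your proxy or web server logs. The following is an added example, not code from the original post or from SANS or Secunia, that scans combined-format log lines for Firefox and Internet Explorer clients and flags those below a minimum version. The log lines are constructed for the example, and the minimum versions in `MIN_VERSIONS` are an assumed local policy, not figures from either report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum acceptable browser versions. Assumed policy values for this example;
# a real deployment would take them from the vendor's current release notes.
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "Firefox": (2, 0, 0, 8),
    "MSIE": (7, 0),
}

# Version tokens as they appear in User-Agent strings of the period.
UA_PATTERNS = {
    "Firefox": re.compile(r"Firefox/(\d+(?:\.\d+)*)"),
    "MSIE": re.compile(r"MSIE (\d+(?:\.\d+)*)"),
}

# Apache/nginx "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "([^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2007:09:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8"',
    '10.0.0.6 - - [12/Nov/2007:09:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"',
    '10.0.0.7 - - [12/Nov/2007:09:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.8 - - [12/Nov/2007:09:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '10.0.0.9 - - [12/Nov/2007:09:14:20 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"curl/7.16.4"',
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.0.8' into (2, 0, 0, 8) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def identify_browser(ua: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (browser name, version tuple) or None for unknown agents."""
    for name, pattern in UA_PATTERNS.items():
        match = pattern.search(ua)
        if match:
            return name, parse_version(match.group(1))
    return None


def is_outdated(name: str, version: Tuple[int, ...]) -> bool:
    """Compare against policy, zero-padding so (7,) and (7, 0) are equal."""
    minimum = MIN_VERSIONS[name]
    width = max(len(minimum), len(version))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version < padded_minimum


def outdated_clients(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """List (client ip, browser, version) for every request from an old browser."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; skip rather than crash on bad input
        ip, ua = match.groups()
        ident = identify_browser(ua)
        if ident is None:
            continue  # not a browser we have a policy for
        name, version = ident
        if is_outdated(name, version):
            hits.append((ip, name, ".".join(str(p) for p in version)))
    return hits


def outdated_share(log_lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Per browser, (outdated requests, total requests): the Secunia-style ratio."""
    counts: Dict[str, Tuple[int, int]] = {}
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ident = identify_browser(match.group(2))
        if ident is None:
            continue
        name, version = ident
        old, total = counts.get(name, (0, 0))
        counts[name] = (old + int(is_outdated(name, version)), total + 1)
    return counts


if __name__ == "__main__":
    for ip, name, version in outdated_clients(SAMPLE_LOG):
        print(f"{ip}\t{name} {version}\tbelow policy minimum")
    for name, (old, total) in outdated_share(SAMPLE_LOG).items():
        print(f"{name}: {old}/{total} requests from out-of-date versions")
```

Counting requests rather than distinct clients overweights heavy users, so for a real survey key on the client address (or an authenticated user) before taking the ratio; the example keeps it per request to stay short.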

They lay into IE about ActiveX, and then list 10 things you should or could do to mitigate the risk. The last one?

Consider using other browsers such as Mozilla Firefox that do not support ActiveX technology.

4 thoughts on “SANS Top 20 Security Vulnerabilities”

  1. Extension installations are just as dangerous as ActiveX, assuming that you go to any other place than the official Addons site.

    I freely admit that I know little to nothing about network policies and administration on a professional level, but if Firefox was more roll-out-friendly, I think it would fare much better in terms of a corporate alternative to IE. I know that MSI installers will probably happen eventually, but being able to centrally lock down aspects of Firefox is also an important consideration which to the best of my knowledge is currently lacking.

    I’m not saying that Firefox is bad for corporate usage, but it could certainly be more attractive and safer.

  2. I may say that Firefox may “force” you to update, but if your administrator doesn’t let you, you have to put up with the insanely annoying “Software Update Failed” dialog EVERY time you start it.

    And the one(s) at a certain organization I patronize don’t.