According to InformationWeek, that is.
- SQL Slammer
- Windows Plug and Play
- Cisco IOS heap overflow
- Windows Metafile
- Oracle transparent data encryption
- Oracle PLSQL gateway
- Apple Mac iChat
- Internet Explorer createTextRange()
- Internet Explorer HTA files
- Sendmail SMTP server software
No doubt that these are noteworthy events, but distilling “infamous moments” in security research to just 10 tends to miss out other significant infamous moments. As some security blogs (OSVDB) points out, “initial discovery/disclosure of vulnerability classes (Overflow, XSS, SQL Injection) seem like they would big moments.” Moreover, the “list seems to be very centered around the last couple of years.”
Personally, I would like to add these.
- RPC-DCOM bug (MS03-026) – bots love this
- LSASS bug (MS04-011) – bots also love this
- IIS IDA/IDQ ISAPI Filter Buffer Overflow (MS02-010) – to be exploited later on by code red
- PHP remote file inclusion vulnerability – not a bug in PHP per se, but in applications written in PHP. This bug class left a lot of linux/unix systems using affected PHP applications vulnerable. Most of the Linux bots found these days uses some form of this vulnerability to spread.
These ones are off the top of my head. Of course, there are a lot others that I’ve missed. But then again, adding more would make the length of the list greater than 10, which is the purpose of the original article.
