Linked by David Adams on Mon 6th Oct 2003 19:34 UTC
Bugs & Viruses It's an oft-repeated maxim that one of the reasons that Windows operating systems are plagued by so many viruses, worms, and security exploits is that they are so popular. Extrapolating from this, many have remarked that if Linux, MacOS, or other OSes become more popular, they will attract the attention of virus writers. That may be true, but the increased attention will not necessarily yield the same quantity of viruses and other exploits, says a Register article. Update: Rebuttal article.
Hrmm.
by anonymous on Mon 6th Oct 2003 19:45 UTC

There are obviously multiple factors involved in the number of known security exploits for an operating system. Arguing otherwise would be nonsense.

popular?
by Neil Chalk on Mon 6th Oct 2003 19:55 UTC

... or is it that Windows is the least popular?

other Os's
by peragrin on Mon 6th Oct 2003 19:55 UTC

It isn't a pure market share problem. The first virus writer to make a mass worm for Mac OS X would be very well known in no time. Linux is the most hacked OS (according to a truly independent source). Any system can be insecure if not set up right. But only on Microsoft products can SQL Slammer, Blaster, and Sobig.F bring down the Internet in hours. You can hack a Linux box, but you can't use it to automatically search out another box to attack. SQL Slammer was what, 376 bytes long? That is smaller than this paragraph.

normalizing
by Anonymous on Mon 6th Oct 2003 19:56 UTC

just normalizing the numbers by market share:

windows: 60000/90 = 667
Mac: 40/5 = 8
linux: 40/2 = 20

Windows wins hands down ;) !!!

re: normalizing
by MattPie on Mon 6th Oct 2003 20:14 UTC

That's assuming a linear response. Like with valid software, a lot of people aren't going to spend 5% writing Mac viruses because they could use that time to infect far more machines.

could it be that people are to blame?
by afrokhan on Mon 6th Oct 2003 20:18 UTC

in most cases, windows exploits become significant due to human error / ignorance. slammer? the bug was fixed, but administrators didn't apply the patch. or, am i missing something? blaster? the bug was fixed, but end-users didn't apply the patches. or, am i, again, mistaken? software will continue to improve, and that's good. but, i feel that viruses, worms, etc. will only become less of an issue as the general computing populace becomes more educated.

Right...?
by Thom on Mon 6th Oct 2003 20:20 UTC

The author wrote:
"When an HTML-based email shows up in my Inbox, I see only the HTML code, and a message appears at the top of the email: 'This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here.'"

Just a note: Outlook 2003 does exactly the same (finally).

---

Anyway, I still believe market share plays a big role in this whole virus thing. Even though Linux is more secure (it obviously is) it is not immune. Programmers/virus makers etc. WILL, in the end, find ways around the root privileges thing. BUT, *nix will have to gain more market share on the desktop, though, else the virus maker's work isn't worth it. As with bike locks here in Amsterdam; even the most expensive ones are easily "cracked" by our friendly local junkie community.

Anyway, I found this a rather un-newsworthy article; not much new here. And kind of low to take a go at Lindows.com. I think that company has done some amazing things when it comes to Linux's desktop usability.

But then again, you probably wouldn't have expected anything else from me, now, would you? ;)

not so true...
by marc on Mon 6th Oct 2003 20:21 UTC

Writing virii for Windows is so much easier than writing for Linux or Mac OS X. Windows is more exploitable than anything else, everyone knows that. For Mac OS X I can't speak, but the vulnerabilities in Linux are different than the ones in Windows, that is why it is harder to write viruses/worms/exploits for Linux. There is not even a decent keyboard logger for Linux (LKL sux).

Well ...
by WorknMan on Mon 6th Oct 2003 20:36 UTC

The main thing I believe that makes it harder to spread viruses in Linux is that its users are not dumb (as in computer illiterate). Most of them know better than to take any executable file and run it. However, once you get a bunch of Windows users in Linux (the same users who never bother to patch their systems), they'll pretty much run everything but the kitchen sink. The author says that new users will be educated not to do so, but who's going to educate them? If this method of education would work so well, why not educate them now on Windows instead of hoping that maybe one day they'll make the switch?
And also realize that most of the modern email viruses use their own SMTP engine to send themselves out and don't use the Outlook address book. So, in Linux, as long as you've got email addresses in any of the files in your /home directory and permission to access the SMTP port, the viruses will run just fine.
And who says there won't be some new mechanism to send out viruses in Linux other than email. Say, for example ... what if it were possible to do some nasty thing via Mozilla/Firebird extensions? That may or may not be possible, but it's just a thought.

afrokhan wrote:

"in most cases, windows exploits become significant due to human error / ignorance. slammer? the bug was fixed, but administrators didn't apply the patch. or, am i missing something? blaster? the bug was fixed, but end-users didn't apply the patches. or, am i, again, mistaken? software will continue to improve, and that's good. but, i feel that viruses, worms, etc. will only become less of an issue as the general computing populace becomes more educated."

The above reasoning is flawed in general and flawed in specifics. Patching Windows correctly is difficult and costly and doesn't always work, which is why experienced system administrators have a difficult time patching promptly and keeping their systems operational and available.

As to slammer, the order of events was a patch to fix the vulnerability slammer exploited, a patch to fix something else that reversed the slammer patch and then the slammer virus. That had nothing to do with human error outside of MS.

Regards,

Mark Wilson

MS and virii
by brando on Mon 6th Oct 2003 20:47 UTC

MS does have the most viruses because there are so many computers; that is what makes it hit so hard every time there is a virus, but that isn't why they write them. It's because it's so easy to exploit a hole in Windows compared to any other operating system. Code can so easily run on Windows and corrupt files quickly. With Linux, Unix, and Mac, you have to mean the harm; you have to do the commands to run the harmful code. The only way that will happen is if someone hacks a server for apt-get and puts their code in there. But then again, with the hash file that comes with it, you can tell if you are getting good code or not. Hell, if Unix was as easy to use back in the day as Windows has become, then we would all be using Unix right now. But Unix was text based, and corporate owned to the death, and hard to use for the average user, thus the reason why Windows took off. Mac held in there but didn't change their OS till 1999 and now they are gaining again on MS, but there is Linux, Unix's cousin (say this is because it's text based and uses some of the same libraries and programs), that has many people working to make the GUI look and feel good so people will switch, and in time, they will. Forced due to MS's way of giving no choice to its followers through their licensing and security problems. Whether they go to Linux, BSD, or Mac is all up to how things play out in the future.

re: workman
by Bas on Mon 6th Oct 2003 20:52 UTC

>So, in Linux, as long as you've got email addresses in any of
>the files in your /home directory and permission to access
>the SMTP port, the viruses will run just fine.

Workman,

What is going to execute the virus? It always needs a process
to do that. It's more complicated than that..
It is NOT easy to write an email virus for Linux that will
self extract, execute and run, I think it's even impossible.

>Say, for example ... what if it were possible to do some
>nasty thing via Mozilla/Firebird extensions?

Please my pants gets all wet..

RE: Well...
by Jason G on Mon 6th Oct 2003 20:55 UTC

"So, in Linux, as long as you've got email addresses in any of the files in your /home directory and permission to access the SMTP port, the viruses will run just fine. "

By default, a user must have root privileges to access all ports under 1024, SMTP is port 25.

Re: marc
by Bascule on Mon 6th Oct 2003 21:02 UTC

> Writing Virii for Windows is so much easyer that writing for Linux or MacOS X. Windows is more exploitable than anything else, everyone knows that.

Exploitability in Windows lies primarily in the enormous home market, where Windows is most likely terribly configured from a security standpoint.

A Windows machine configured with a proper security policy and user permissions is no more or less exploitable than a similar Linux system.

Were the same level of scrutiny applied to auditing Evolution that is applied to Outlook Express, I'm sure a number of buffer overflows would be found in the message parsing code, and a number of design errors which could lead to automatic execution of attachments.

Read your mail with Pine? Let's not forget this recent Pine buffer overflow: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0721

Why hasn't anyone written a mass mailing worm that exploits this Pine vulnerability? Possibly because no one cares enough... if you are going to spend time writing a mass mailing worm, why not exploit an Outlook vulnerability instead?

Also keep in mind that the same qualities of Linux which make it somewhat more resistant to viruses/worms (namely the constantly changing glibc ABI with symbol names and various structures constantly being altered) are the same qualities that bar Linux from receiving commercial application support. Application developers making Linux releases often must target them at a single distribution (which is almost always RedHat).

Re: Jason G
by Bascule on Mon 6th Oct 2003 21:04 UTC

"So, in Linux, as long as you've got email addresses in any of the files in your /home directory and permission to access the SMTP port, the viruses will run just fine. "

By default, a user must have root privileges to access all ports under 1024, SMTP is port 25.


It should be clear that WorknMan is referring to the ability to make outgoing TCP connections on port 25 in order to create a mass mailer worm, which is something any user on the system can do.
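The dispute above turns on what the "ports under 1024" rule actually restricts. The following is an added example (not code from any poster in this thread) that probes it on a Linux host: the privilege check applies to bind()/listen() on a port below the kernel's privileged-port floor, while an outbound connect() to port 25 is never refused for lack of privilege (so egress filtering, not port privilege, is the control against a user-level mass mailer). Function names and the use of /proc to read the floor and the process capability set are this example's own assumptions.

```python
"""Which side of port 25 needs privilege? Added example; assumes Linux."""
import errno
import os
import socket

CAP_NET_BIND_SERVICE = 10          # Linux capability bit for binding low ports
DEFAULT_PRIVILEGED_PORT_FLOOR = 1024


def privileged_port_floor():
    """First unprivileged port. Linux exposes it as a sysctl (default 1024);
    on systems without that file, fall back to the classic value."""
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_PRIVILEGED_PORT_FLOOR


def has_cap_net_bind_service():
    """True if this process may bind privileged ports: effective uid 0, or
    CAP_NET_BIND_SERVICE present in its effective capability set (CapEff)."""
    if os.geteuid() == 0:
        return True
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    cap_eff = int(line.split()[1], 16)
                    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)
    except (OSError, ValueError, IndexError):
        pass
    return False


def bind_is_privileged(port):
    """Would bind() on this port require privilege for *this* process?"""
    return port < privileged_port_floor() and not has_cap_net_bind_service()


def _classify(err):
    if err in (errno.EACCES, errno.EPERM):
        return "denied"          # the privilege check fired
    if err == errno.EADDRINUSE:
        return "in_use"          # something already listens there
    if err == errno.ECONNREFUSED:
        return "refused"         # reachable, but nothing listening
    return errno.errorcode.get(err, "unknown")


def try_bind(port, host="127.0.0.1"):
    """Attempt to bind a listening-side socket. Returns 'bound', 'denied',
    'in_use' or another errno name. Port 0 asks for an ephemeral port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return "bound"
        except OSError as e:
            return _classify(e.errno)


def try_connect(port, host="127.0.0.1", timeout=1.0):
    """Attempt an outbound connect() to host:port. There is no port-privilege
    check on this path: with no local MTA the answer is 'refused', not
    'denied'. Returns 'connected', 'refused', 'timeout' or an errno name."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "connected"
        except socket.timeout:
            return "timeout"
        except OSError as e:
            return _classify(e.errno)


if __name__ == "__main__":
    print("euid:", os.geteuid(), "floor:", privileged_port_floor(),
          "may bind low ports:", has_cap_net_bind_service())
    print("bind   127.0.0.1:25 ->", try_bind(25))
    print("bind   127.0.0.1:0  ->", try_bind(0))
    print("connect 127.0.0.1:25 ->", try_connect(25))
```

Run it once as an ordinary user and once as root: only the bind line changes, which is the whole point of the exchange above.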

author way off base
by Brad on Mon 6th Oct 2003 21:06 UTC

The author is rather off base on his direction.

First off, yes, the main reason Windows is most affected is market share, but it's not just because of market share. It's a compounding effect.

For starters, yes, it's much easier to get a virus going in Windows; part of the reason is people can build upon previous knowledge. If MS released a completely new OS, the kind of change that would be like Apple's shift from OS 9 to OS X, then most viruses would be stopped cold overnight. It would take a long time to rediscover all the common ways to get people.

The author goes off on how the way people use the computer makes a big difference, talking about email attachments. Yes, the Windows way is less secure. But people like the way it is. People don't want to have things the way Linux does it.

People say if Linux got the same market share as Windows it would get viruses just the same. This is very much true, and it's not due to linear growth that can be seen by scaling the numbers to such a market share. As some have shown, Linux wouldn't have the same number of viruses. But in reality that's not the whole truth, since for one to even think of how Linux would be at 90% market share, you have to think of how it will get there. As it currently is, it's not going to get there. For Linux to get to that kind of growth, it would have to make many changes to be a way people would want it. And once that is done much the same issues would arise. At some point there will be an email client that lets you click on an attachment in Linux and it runs it. Person is happy now, and now the same flaw is in Linux. This idea can now be carried through the OS. If Linux doesn't make changes to be what people want then it's not going to grow, and then everything simple isn't going to matter. It will remain a "secure" OS with no market share. For it to be a Windows killer it will end up having the same flaws.

Now granted windows does have some simply boneheaded flaws at times. And for the most part MS does a good job fixing them.

Linux's biggest security flaw is thinking it's so secure. That will change in time. With all the effort going into Linux to get it to do more things and do more for people, and so forth, it will attract more flaws. The more complex you make something, the more the odds for them go up, exponentially.

Linux can remain more like OpenBSD, but then it's not going to be in the same market as Windows. Once you make Linux a true alternative to Windows, most all the same problems will be in it too.

re: bascule
by Bas on Mon 6th Oct 2003 21:09 UTC

>It should be clear that WorknMan is referring to the ability
>to make outgoing TCP connections on port 25 in order to create
>a mass mailer worm, which is something any user on the system
>can do.

It should be clear that this statement is absolutely nonsense.

admins account
by Brad on Mon 6th Oct 2003 21:13 UTC

The author also goes on about how Windows defaults the user to admin. He says it's mind boggling as to why they do that. It's not. It's simple. People want it that way. People don't want to be logging into their computer, or feel like one of many users. They want to have it be just their computer: turn it on and it's there. For home use and being used by one person, the multi-user / admin idea sucks. This is one of the things that bugs people about Linux; what fans think of as a great thing is a turn off. I think some distros have changed things to be more Windows like.

Not that such a setup isn't useful, but most people just have the computer to themselves, so such a system is pointless. Even in a family environment few care to use such a setup.

Popularity != Vulnerability
by Will on Mon 6th Oct 2003 21:14 UTC

However, Popularity == Exploitability.

The classic "network effect" comes into play here.

Simple example is the first Internet worm. It can be argued that all Unixen running from similar sources suffered the same exploitability that the worm used, but since it was something that was machine specific, no machines other than Sun machines (I believe) were directly affected.

Also, popularity affects the ability to spread, particularly if it's just randomly spawning attacks. If 90% of the machines I ping happen to be Windows boxes, then a Windows virus has a 90% chance of being able to start propagating right out of the box.

Next, high popularity means high availability to the authors, as well as a large knowledgebase to work from. I'm sure some crafty hacker can come up with something vile that affects TCP/IP enabled C64s, but it also requires, if nothing else, that the author has access to that system in order to create the exploit. Since I haven't seen anyone argue that these virii and worms are State sanctioned, that means the authors are essentially "hobbyists", and will use the system at hand.

Finally, since again these aren't necessarily directed attacks from one entity to another, the motivation seems simply to be notoriety. Mad hackers will get more out of something that has a wide-ranging effect rather than something more restricted.

None of these arguments address the exploitability of a system. If everyone was running a very secure system, there would still be motivation and means for someone to find an exploit. For example, how vulnerable is, say, BeOS? I don't know, and it really doesn't matter because it's so obscure.

The biggest problem, of course, is that through a long history, the most popular system also happens to be extremely vulnerable. That plus historically, folks have not had to consider security as a primary element of their computing experience.

For example, many packages on Win2K require "root" to simply install, and in one case, Warcraft III, I could not even run the game unless I was Administrator. So to lower the entire Pain In The A$$ factor of the computing experience, it is easier to simply log in as Admin and stay there.

On my old NeXTStation, it was easy to NOT have to log in as root, so I never did. If a consumer oriented program needed root (few did anyway), it asked for the PW at install, installed as root, and plopped me back into my user login. Win2K has something sorta kinda like that, but it doesn't work well, and software makers don't seem to test with it.

I'm sure I'm not the only one out there running my Win2K in Admin mode 24 hours a day, ripe for the picking if not for other measures.

These bad habits, both from users and coders, along with zillions of lines of historical code written in more trusting times come together to form a ripe target for those motivated to infiltrate and cause havoc.


MS vs *NIX Security
by Mike on Mon 6th Oct 2003 21:17 UTC

Not to bash MS at all, but its products are less secure by design. With a little effort, one can beef up the security on a Windows box... the problem is, most Windows users don't really know how to (or even care to, for that matter)...

(Just one example, but a good one...) Defaults like automatic logon for a user with Admin rights... that's just asking for a system to be compromised.

Don't get me wrong... some Linux distros (Lindows) do that default user = ROOT behavior as well... but many others have people setting up user accounts and emphasize not logging in as root unless absolutely necessary (su).

If someone with access to every critical component/process/etc. is logged in....and a vulnerability on their system is compromised.... they're pretty much SOL.

Re: Will
by Bascule on Mon 6th Oct 2003 21:18 UTC

> On my old NeXTStation, it was easy to NOT have to log in as root, so I never did. If a consumer oriented program needed root (few did anyway), it asked for the PW at install, installed as root, and plopped me back into my user login. Win2K has something sorta kinda like that, but it doesn't work well, and software makers don't seem to test with it.

Can you give an example of when the Windows privilege elevation didn't "work well" or a specific piece of software you were unable to install or use with it?

(the question then becomes does said software exist outside of Windows...)

RE: RE: Well
by Drill Sgt on Mon 6th Oct 2003 21:22 UTC

"By default, a user must have root priveledges to access all ports under 1024, SMTP is port 25."

As well, by default every user can send email, which I believe was the point. It is extremely easy to send mass emails from the command line, on Linux anyway.

That said, something would still have to execute the process. Let's not forget the fiasco with the disguised mp3 that deleted the files from the person's home directory. "Playing" that mp3 executed the code. Could be done for email as well, but again it would only affect the single user, not the whole machine.

Ms Vs *NIX
by Youlle on Mon 6th Oct 2003 21:25 UTC

Okay, I use three OSes at home: SuSE Linux 8.1 Pro, Windows XP, and Red Hat 6.0. Okay, the Linux distros may be slightly out of date, but they do their job. Now, Linux is more secure than Windows because of the chmod system that it inherited from UNIX; this is Linux's main strength compared to Windows, where everything has execution rights. Also, someone asked how you can run an executable without running it yourself. Ever heard of the registry? Windows has one, Linux has one; it just needs the install program to enter one line into the registry and then that program can run on startup doing all the damage it wants to. No system is foolproof, and as market share increases so does the number of viruses written for it. Look at some hobby OSes: no viruses whatsoever. Why? Because they have no market share. It isn't just market share, but it plays a huge role in it.

Re: Re: marc
by Mark Wilson on Mon 6th Oct 2003 21:40 UTC

Bascule wrote:

"Exploitability in Windows lies primarily in the enormous home market, where Windows is most likely terribly configured from a security standpoint."

The above is an assertion contrary to reported facts. For example: SQLSlammer, U.S. Department of State, almost every corporate network using Windows at least once in the past year.

"A Windows machine configured with a proper security policy and user permissions is no more or less exploitable than a similar Linux system."

The above assertion is contrary to all reported evidence and does not present any evidence in support.

"Were the same level of scrutiny applied to auditing Evolution that is applied to Outlook Express, I'm sure a number of buffer overflows would be found in the message parsing code, and a number of design errors which could lead to automatic execution of attachments."

It is incorrect to assume that the scrutiny level of Evolution code is less than that of Outlook code, or vice versa. After all, the only people looking at Outlook code are those working for MS.

"Read your mail with Pine? [snip] Why hasn't anyone written a mass mailing worm that exploits this Pine vulnerability? Possibly because no one cares enough... "

Possibly because it's already been fixed.

http://rhn.redhat.com/errata/RHSA-2003-273.html

Open source means that people at more than one company can analyze source code, test for vulnerabilities and fix them before they are exploited.

Regards,

Mark Wilson

Re: Marc Wilson
by Bascule on Mon 6th Oct 2003 21:54 UTC

> "Exploitability in Windows lies primarily in the enormous home market, where Windows is most likely terribly configured from a security standpoint."
>
> The above is an assertion contrary to reported facts. For example: SQLSlammer, U.S. Department of State, almost every corporate network using Windows at least once in the past year.


No, the above assertion is certainly correct, even if your interpretation of it is not. Compare the number of hosts infected by the Slammer worm to the number of home users compromised by other worms such as MSBlast and Welchia, neither of which is a problem if DCOM has been disabled, but of course no home users are likely to have done that.

> "A Windows machine configured with a proper security policy and user permissions is no more or less exploitable than a similar Linux system."
>
> The above assertion is contrary to all reported evidence and does not present any evidence in support.


Please name a critical security feature that is present in the mainline Linux kernel which Windows is lacking.

> It is incorrect to assume that the scrutiny level of Evolution code is less than that of Outlook code, or vice versa. After all, the only people looking at Outlook code are those working for MS.

It's not necessary to have access to the source in order to scrutinize a program for security vulnerabilities. The majority of IIS vulnerabilities have been discovered by eEye, who does not have access to the IIS source code.

> "Read your mail with Pine? [snip] Why hasn't anyone written a mass mailing worm that exploits this Pine vulnerability? Possibly because no one cares enough... "
>
> Possibly because it's already been fixed.
>
> http://rhn.redhat.com/errata/RHSA-2003-273.html
>
> Open source means that people at more than one company can analyze source code, test for vulnerabilities and fix them before they are exploited.


I can't believe the foolishness of this comment... the fact that a version of Pine which isn't affected by this security vulnerability exists means... that thousands of systems with a vulnerable copy of Pine installed are no longer vulnerable?

Patches were available for the vulnerabilities exploited by the Slammer worm, Welchia and MSBlast, Code Red, Nimda, etc. before any of these worms were in the wild. Yet these worms managed to propagate, but by your total lack of logic this simply shouldn't be, should it?

Popularity
by Nathan O. on Mon 6th Oct 2003 22:49 UTC

I think if Windows was less popular, there'd be far fewer viruses, but that's not to say that if the others were more popular, they'd have more.

Re: Re: Will
by Marshall on Mon 6th Oct 2003 23:10 UTC

> Can you give an example of when the Windows privilege elevation didn't "work well" or a specific piece of software you were unable to install or use with it?
>
> (the question then becomes does said software exist outside of Windows...)


Pretty much no game will run without being admin on Windows (BF1942 is a popular example, if memory serves, which often it doesn't). No, it doesn't really run on Linux, but that isn't the point. Why shouldn't the developers of the software make their programs run as a regular user?

Virus Report Problems
by Jason Lotito on Mon 6th Oct 2003 23:14 UTC

People make many claims with regards to viruses on different OSes, and it's interesting that open source software is usually lumped together as a "Linux" problem. For example, if someone breaks into a Linux server through a hole in SSH or a default password of some software they are using, is this really a Linux problem?

What no one has done (at least, none that I have read) is a comparison of Microsoft products, and how they compare to open source products, and the resulting impact. For example, just because a report says that Linux is the most attacked doesn't mean it's the OS at fault. The same goes for Windows. Most of the time, it's not the underlying OS that is the problem, but rather, the applications that are run on top of it.

So when you look at the number of potential security holes on "Linux," would it be fair to compare it with the potential security holes in products that run on Windows?

What I mean is, just because something runs on an OS doesn't make the OS vulnerable. If the application is broken, the application is broken. But most reports tally up the number of holes in various software that can run on Linux or BSD, and compare it to Microsoft products only.

If a report counts the number of holes in, let's say, sendmail, and qmail, and various other MTAs, will it also count the number of holes in various Microsoft software and total them up?

I remember one report about a year ago (can't remember the link, sorry), and they were tallying up the results on various open source OSes. When the numbers were finished, the report made it look as though Microsoft was more secure. But when you actually looked at the numbers, they were counting and totaling all popular MTAs' bugs, as well as various other software of the same type, and using all those numbers against the Microsoft numbers.

Anyways, I really went off topic here. The point, I guess, is that you need to look at a platform, and the products, and entities. Linux vs. Microsoft bug count wars are useless. Comparing direct products to other products is what really matters. Apache vs. IIS, and not just the number of virii/bugs/holes/etc. The response time is also important, as well as the impact. And the ability to solve the problems yourself, if need be.

my 2 cents

Re: Re: Will
by Will on Mon 6th Oct 2003 23:35 UTC

> Can you give an example of when the Windows privilege elevation didn't "work well" or a specific piece of software you were unable to install or use with it?
>
> (the question then becomes does said software exist outside of Windows...)


I don't recall the product. Among the assorted products, I've had some that simply say "Must be admin to install" and abort, and I had one that asked me for the Admin password, but the install failed.

As I also mentioned, WCIII simply wouldn't run as a normal user, I had to be Admin to just play it, and not just install it.

I also found that there were problems installing on a system that had a "default login", particularly if it was different from Admin. Originally I had our home machine configured to log in automatically at boot as a regular user. But, I disabled that after having problems when I logged in as Admin and installed something that wanted a reboot. Very nasty.

All of it was pretty specific Windows software. Maybe there are comparable Mac versions, I haven't looked.

I think that a lot of developers migrating off of the W95/98 model towards the 2K/XP model simply don't take the multi-user concept into consideration, particularly with home users. So, they don't test all of the myriad ways someone may want to try and install something.

Certainly, the installer companies and/or Microsoft have considered the problem as witnessed by the security elevation concept. But the fact that I had to run a game as Admin tells me the problem is still pretty entrenched.

Mind, I have no problem with something akin to a root owned X server, while logged in as someone else, because that path CAN be better secured and audited compared to just having blatant root/admin powers for everything from Word to Warcraft to Notepad.

I assume that root runs the X Server on my Sun Ultra 10, I've never looked and it never crossed my mind that it's an issue.

On a single user machine, I think that Windows (or even Unixen here) can use an ACL trick (or simply changing the owner) to open up /dev/video to the logged in user as part of the login process. Thus making this nominally root owned system device (the display) usable by the logged in user vs just making it, essentially, world writable/readable.

I found the article rather well written and argued. That said, I wonder whether my Windows 2000 system is any less secure than my Linux systems.

As a home user, I tend to shut down non-essential services. I regularly restrict what programs I allow to start at boot. I scan regularly for viruses and spyware. I use a firewall that allows program by program access to the LAN and the Internet (Internet Explorer gets no permission to do anything).

The author makes the valid point that one cannot just launch an attachment or download. On a Windows machine, I might get a brain freeze, but my firewall should catch what is launching, if it tries to call out. Indeed, that's a feature I miss on Linux, a firewall that monitors the programs that call out, and that can detect any changes that occur.

The flip side is that such security in Windows is more work. With Linux I save time. Even with dual boot systems, people must run Linux to check their e-mail.

...and in related news...
by Hastings Ranch on Tue 7th Oct 2003 00:44 UTC

yep, a new Microsoft worm-o-the-day!

Somehow I don't think exploits like this would be as easy to exploit and write worms for on Linux.

http://www.divisiontwo.com/articles/usblastworm.htm

insecure by design
by Marcus Sundman on Tue 7th Oct 2003 00:52 UTC

Both Windows and Linux are insecure by design. Both are made with the assumption that people in charge of security are perfect. I can't understand why people are so incredibly stupid that they don't realize that security primarily based on ACLs won't work as long as people are infallible. It's not as if people haven't tried that approach, and failed constantly.
So what's the solution then? Well, capability-based security, of course. It works, it works well and the switch could even be made gradually. There is no catch. Only mass ignorance is keeping systems in their current insecure state.

re: insecure by design
by Hastings Ranch on Tue 7th Oct 2003 00:55 UTC

>>capability-based security

Care to define your buzzword?

re: insecure by design
by Marcus Sundman on Tue 7th Oct 2003 01:08 UTC

> >>capability-based security
>
> Care to define your buzzword?

Google is your friend.
The first hit is an introduction to the subject:
http://www.skyhunter.com/marcs/capabilityIntro/

I also recommend reading "Capability Myths Demolished" available e.g. at http://zesty.ca/capmyths/

re: insecure by design
by Marcus Sundman on Tue 7th Oct 2003 01:23 UTC

> ACLs won't work as long as people are infallible

Oops! It should, of course, say "ACLs won't work as long as people are NOT infallible"

Windows = Swiss Cheese
by moocow on Tue 7th Oct 2003 02:29 UTC

I think that Windows being so open to virii is also a motive. White hats want to highlight problems that are blatantly obvious to all but the ignorant while black hats want to wreak havoc on the net and see Windows as an excellent vehicle.

No one wants to acknowledge
by keath on Tue 7th Oct 2003 02:47 UTC

Seems most posters are not even acknowledging the truth of the article. That even if Linux and Mac OS X were targeted as much as Windows, viruses would have less success spreading among the machines. I think the article did a good job of explaining why that would be true.

There was the one Windows user though, who admitted it was true but said that was how he wanted it; because security would just get in the user's way. It would be too inconvenient to have to think about what program you were allowing to run unchecked on your computer. Just click and see what happens. Or don't even click, just allow all processes to run; that's the way Windows users want it!

And that's fine for him. People can allow whatever access they want to their home computers. Personal preference and all that. It just strikes me as irresponsible to use the same system on the world's servers, where it impacts all of us.

Re: Re: Marc Wilson
by Mark Wilson on Tue 7th Oct 2003 03:50 UTC

Bascule wrote:

"Compare the number of hosts infected by the Slammer worm to the number of home users compromised by other worms such as MSBlast and Welchia, neither of which are problems if DCOM has been disabled, but of course no home users are likely to have done that."

You don't have anything to back up your arguments.

Now you're talking about the number of hosts vs. home users. Slammer disabled ATM machine networks, among other pernicious effects. Welchia is what hit the U.S. State Dept. And yes, MS does ship their product with security features turned off.

B: "Please name a critical security feature that is present in the mainline Linux kernel which Windows is lacking."

So you've acknowledged that you don't have any evidence to support your argument. I refer you to the article for a comparison of Windows and Linux security features. For example, from the article:

Article: "Even if the OS has been set up correctly, with an Administrator account and a non-privileged user account, things are still not copasetic. On a Windows system, programs installed by a non-Administrative user can still add DLLs and other system files that can be run at a level of permission that damages the system itself."

B: "It's not necessary to have access to the source in order to scrutinize a program for security vulnerabilities. The majority of IIS vulnerabilities have been discovered by eEye, who does not have access to the IIS source code."

It's better to have access to the source code than not. Your example proves my point that having more than one company's employees looking at source code makes it easier to find vulnerabilities before an exploit is developed. It's harder to find vulnerabilities before they are exploited if you don't have access to the source.

"I can't believe the foolishness of this comment... the fact that a version of Pine which isn't affected by this security vulnerability exist means... that thousands of systems with a vulnerable copy of Pine installed are no longer vulnerable?"

I can't believe the foolishness of your comment. You seem to like to create "straw man" arguments by misconstruing what my words said and then argue against that (without facts). If a program has a security flaw, discovered by whatever means, then it should be fixed. No one, least of all me, has ever argued that a particular piece of software is definitely 100% secure now. Stating this truth does not, however, lead to the conclusion that security is impossible and that all OSs are equally vulnerable. But I think you know that already because I doubt that your persistence in advancing silly arguments is based on your being stupid.

"Patches were available for the vulnerabilities exploited by the Slammer worm, Welchia and MSBlast, Code Red, Nimda, etc. before any of these worms were in the wild. Yet these worms managed to propagate, but by your total lack of logic this simply shouldn't be, should it?"

Thank you for the recitation of several of the more costly MS viruses and worms. As has been widely reported, including today, MS patches frequently reopen old security holes and create new ones; MS patches are difficult to install, particularly over a network; MS patches have a history of crashing systems (until the 1.1 release of the patch); etc. Even MS has admitted that their patching approach doesn't work.

Regards,

Mark Wilson

Re: Mike (IP: ---.ecsu.ctstateu.edu)
by drsmithy on Tue 7th Oct 2003 04:13 UTC

Not to bash MS at all, but its products are less secure by design.

Name some *design* features present in other OSes that are lacking in Windows. Please remember the difference between *design* and *implementation*.

I can certainly name several *design* features of (most) unix-like OSes that make it less secure than Windows. I can only think of one where unix-like OSes are clearly superior.

With a little effort, one can beef up the security on a Windows box... the problem is, most Windows users don't really know how to (or even care to, for that matter)...

Which is basically the point the article is trying to deny.

(Just one example, but a good one...) Defaults like automatic logon for a user with Admin rights... that's just asking for a system to be compromised.

Actually that's a pretty poor example. The only environments where the default auto-login is left enabled will be ones where the people are implicitly trusted - home users and small offices.

I don't know how many people break into your house to install and propagate viruses from your computer, but it hasn't happened to me yet.

Windows platforms have more viruses because
a) it's a more inviting target
b) users are generally less technically able
c) machines are generally being used in less secure environments.

These are all directly related to popularity. The only times this entire article isn't giving ways Linux is less capable and using them to say it is more secure are the times it's actually contradicting itself and admitting Windows' popularity is the main reason it's more vulnerable.

Not to mention the simple factual errors:

"None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

Yes, the Morris Worm wasn't widespread at all, was it ?

"Let's look further at social engineering. Windows software is either executable or not, depending on the file extension. So if a file ends with ".exe" or ".scr", it can be run as a program [...]."

Things like .scr files aren't actually executables in the same sense as .exe files. They are simply automatically passed on to appropriate handlers when "launched" from the shell. Disassociate the handler from the file extension or change the file extension and the vulnerability disappears.
An identical process happens under most other decent GUIs as well and is equally vulnerable.

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it."

Whilst not factually incorrect, the underlying point is largely moot. Yes, a regular user can only damage their own files, however, this is being somewhat ignorant of the fact that on the typical system the user's files are the only ones they really care about. Not having any of your OS files touched while a virus merrily wipes out 30 gigs of MP3s and the thesis you've just spent 11 months writing is, at best, a Pyrrhic victory.

Not to mention root access isn't necessary to do things like scan the user's home directory for email addresses, send out mass emails and do most other things Windows worms do.

This whole attitude Linux zealots have about how acquiring root privileges is somehow difficult and thus overall vulnerability is somehow greatly reduced is just a wank. Firstly, acquiring root privileges on an end-user system would not be hard. Secondly, they aren't really necessary to wreak the same levels of havoc current Windows worms do.

"Unfortunately, running as root (or Administrator) is common in the Windows world.

[...] with the power to do anything he wants to the computer."

Administrator != root. Acquiring root privileges exposes a system much more than acquiring Administrator privileges. An Administrator *can't* do "anything he wants to the computer", a root user *can*.

"[...] let's examine software design for reasons why Linux (and Mac OS X) is better designed than Microsoft when it comes to email security. Microsoft continually links together its software, often not for technical reasons, but instead for marketing or business development reasons (see the previous link for corroboration). For instance, Outlook Express and Outlook both use the consistently-buggy Internet Explorer to view HTML-based emails."

Using the system's HTML engine to render HTML in other applications *is* good design. It's a textbook example of modularity and code reuse which, last time I checked, were considered good software engineering practices.

"Finally, if there is an attachment, it does not automatically run ... ever."

I'm not aware of any version of Outlook that has defaulted to automatically running attachments by design. They've always required either an exploited coding bug or user interaction - both of which are equally possible on other platforms.

RE: Virus Report Problems
by Great Cthulhu on Tue 7th Oct 2003 04:20 UTC

Very good response. I agree with you on all terms.

Re: Marcus Sundman (IP: ---.kotikaista.weppi.fi)
by drsmithy on Tue 7th Oct 2003 04:38 UTC

Google is your friend.
The first hit is an introduction to the subject:
http://www.skyhunter.com/marcs/capabilityIntro/


Translation: dynamic ACLs.

This approach wouldn't work as it suffers from the big problem of dialog-box-overload. After about the first half-dozen annoying boxes that pop up during the simple process of sending an email, an end-user is either going to a) disable the system or b) simply start hitting "OK" as a matter of course without even reading the message. Indeed, were such a system to be implemented in Windows, I'd predict utilities available to automatically hit "OK" every time would be available within a week and be immensely popular.

And that's only on the desktop side. On the server side it'd be even less practical as the admin either has to sit there approving every operation or pre-define a set of allowable activities (thus removing the only advantage the system has - being dynamic).

Then there's the whole problem of deciding at which point to prompt for each capability. Is simply reading the disk suspicious ? How about writing to it ? Should any outgoing network connection require authorisation ? Is every file deletion going to require answering a half-dozen dialog boxes ? How about over a network share ?

Choice quote:
"Next, Melissa would have to ask you, "Can I have a direct connection to the Internet?" At this point only the most naive user would fail to realize that this email message, no matter how strong the claim that it came from a friend, is up to no good purpose. You would say "No!"

And that would be the end of all such viruses. No fuss, no muss. They would never rate a mention in the news."

The person who wrote this has either never dealt with end users, or is one of the most optimistic and idealistic individuals on the planet. I mean, do they seriously expect people who can't set the clock on their VCR to even know what a "direct connect to the internet" even *is* ?

I also recommend reading "Capability Myths Demolished" available e.g. at http://zesty.ca/capmyths/

A quick read indicates that this document might address the myths listed and possibly even demolish them, but it doesn't address the problems that would be encountered in actual implementation.

@drsmithy
by Great Cthulhu on Tue 7th Oct 2003 04:44 UTC

Things like .scr files aren't actually executables in the same sense as .exe files. They are simply automatically passed on to appropriate handlers when "launched" from the shell.

Which, when you're a virus, amounts to pretty much the same thing.

Disassociate the handler from the file extension or change the file extension and the vulnerability disappears.

So you have to hack your system to make it more secure? Gee, that's one hell of a security model for Joe Sixpack and Grandma!

Meanwhile, in Linux (KMail at least), downloaded files cannot be executed straight from the mailer. The user has to make them executable first. Did you read the article?

An identical process happens under most other decent GUIs as well and is equally vulnerable.

Then again, there are a couple of decent GUIs, such as Gnome and KDE on *nix, where this process does not happen. Therefore, according to what you're saying, they are less vulnerable.

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it."

Whilst not factually incorrect, the underlying point is largely moot. Yes, a regular user can only damage their own files, however, this is being somewhat ignorant of the fact that on the typical system the user's files are the only ones they really care about. Not having any of your OS files touched while a virus merrily wipes out 30 gigs of MP3s and the thesis you've just spent 11 months writing is, at best, a Pyrrhic victory.

Well, one should expect that people who have important data on their hard drives keep a CD-ROM backup of the most valuable stuff. I also regularly make backups of my files and settings in case my PC gets stolen.

The problem with the new wave of viruses is not so much losing one's files, though. In fact, what's the fun in destroying people's data - you won't even know about it. The main idea behind the nastier viruses of the last few years is to either turn Windows machines into DDoS zombies, or to slow down servers with self-replicating worms. Both of these endeavours - which are the real computer virus threats of the early 21st century, not losing your mp3s - usually require root or Administrative rights.


Administrator != root. Acquiring root privileges exposes a system much more than acquiring Administrator privileges. An Administrator *can't* do "anything he wants to the computer", a root user *can*.

Simply put, BS. Being an Administrator on a Windows system is practically the same as being root on a *nix system. Tell me what you can't do as an Administrator in Windows (well, except recompile your kernel, of course) that you can as root. Real important stuff, you know, something that would actually make your point relevant.

Using the system's HTML engine to render HTML in other applications *is* good design.

The problem is when the HTML engine has one of the worst security records and has been tightly integrated in the OS in order to shut out rival HTML engines. Or perhaps you weren't around when the whole Netscape/MS trial thing was going on?

Re: keath (IP: ---.bak.rr.com)
by drsmithy on Tue 7th Oct 2003 04:49 UTC

Seems most posters are not even acknowledging the truth of the article. That even if Linux and Mac OS X were targeted as much as Windows, viruses would have less success spreading among the machines. I think the article did a good job of explaining why that would be true.

No, it didn't. Apart from the parts where it was agreeing that Windows' popularity is one of the main reasons it is so vulnerable (see "monoculture" comments), it was mainly listing ways in which Linux was less capable and hand-waving about how "not being root" would stop worms spreading and dramatically limit local system damage, which is just plain false.

RE: drsmithy
by Great Cthulhu on Tue 7th Oct 2003 04:58 UTC

Apart from the parts where it was agreeing that Windows' popularity is one of the main reasons it is so vulnerable (see "monoculture" comments),

Actually that is incorrect. The author does not blame Windows vulnerability on the fact that it's a monoculture. He's saying that viruses can do a lot more damage in a monoculture. There's quite a difference here - your interpretation of what the author is really saying is erroneous.

it was mainly listing ways in which Linux was less capable and hand-waving about how "not being root" would stop worms spreading and dramatically limit local system damage, which is just plain false.

"Not being root" does limit the spreading worm, but it doesn't help local system damage, as in a user's files. That still doesn't contradict the fact that "not being root" is safer: it prevents situation A and doesn't affect situation B either way, which is safer than not having an effect on either situation.

So in fact it appears that the author - who incidentally is a computer security specialist - is right on both these counts, and you aren't. Sorry.

Tiger Repellant
by SofaShark on Tue 7th Oct 2003 05:51 UTC

The OSS response to this issue (we don't get viruses therefore we must be secure) always reminds me of a Simpsons episode where Lisa taunts Homer with a rock. It goes something like this.

Lisa: That's specious reasoning Dad, It's like saying this rock keeps away tigers.
Homer: Really? How does it work?
Lisa: It doesn't! It's just a stupid rock! But do you see any tigers around here?
Homer: Lisa, I want to buy your rock!


more of the same
by keath on Tue 7th Oct 2003 05:58 UTC

http://www.macdailynews.com/comments.php?id=P1804_0_1_0_C

- "Administrator accounts in Windows (and therefore viruses that exploit it) have access to all areas of the operating system. In Mac OS X, even an administrator can't touch the files that drive the operating system itself. A Mac OS X virus (if there were such a thing) could theoretically wipe out all of your files, but wouldn't be able to access anyone else's stuff -- and couldn't touch the operating system itself."

Running Win2K as 'Root'
by Chuck Hunnefield on Tue 7th Oct 2003 05:58 UTC

"If a consumer oriented program needed root (few did anyway), it asked for the PW at install, installed as root, and plopped me back into my user login. Win2K has something sorta kinda like that, but it doesn't work well, and software makers don't seem to test with it.

I'm sure I'm not the only one out there running my Win2K in Admin mode 24 hours a day, ripe for the picking if not for other measures. "

YES!! Every student here (I'm the Admin at the Linden Hall School in Lititz, PA, USA), has to run our lab machines as an administrator for this very reason. So many of the programs we use will not operate properly unless you are a local administrator of the machine. This of course sucks because it really opens these machines up to all sorts of garbageware over time, but there's simply nothing to be done for it.

You would think that after all this time that software vendors would be more careful, but this is simply not the case. If we could get our users running as simply 'Power Users' or just regular old 'Users' that would be super, but so many educational titles are just programmed poorly.

Re: Great Cthulhu (IP: ---.205-131-66.nowhere.mc.videotron.ca)
by drsmithy on Tue 7th Oct 2003 06:05 UTC

Which, when you're a virus, amounts to pretty much the same thing.

No, it doesn't. Malicious executable code just needs to be executed to cause damage (eg: it contains system calls to delete hard disk partitions). Something like a .scr file has to get itself "run" by something that has to know which handler to pass it on to. Even then, it has to be passed to an exploitable handler to do damage (eg: must be run by explorer, explorer must have .scr file associated with something, the associated app must be vulnerable to an exploit and *then* the system calls to delete hard disk partitions are run).

So you have to hack your system to make it more secure?

No, you have to configure it to be secure, just like you do with any other platform.

Meanwhile, in Linux (KMail at least), downloaded files cannot be executed straight from the mailer.

Funny, my default kMail install launches things like PDFs and jpegs into an appropriate viewer after giving an "are you sure" prompt. Seems to me it's using exactly the same process as Windows and hence is vulnerable to the same sort of attack. Mail.app on OS X also behaves like this IIRC.

The user has to make them executable first. Did you read the article?

Yes. The process described for launching an attachment is identical to using Outlook in Windows.

Then again, there are a couple of decent GUIs, such as Gnome and KDE on *nix, where this process does not happen. Therefore, according to what you're saying, they are less vulnerable.

Yes, it does. If I double click a .pdf or jpeg in GNOME or KDE, they hand the file off to an associated handler in the same way Windows does. As does Finder in OS X.

Well one should expect that people who have important data on their hard drives keep CD-ROM backup of the most valuable stuff.

One would. Of course, they don't and with a multitude of Linux zealots running around preaching how Linux's superior security will stop viruses from erasing files, they wouldn't be likely to suddenly start, either.

The main idea behind the nastier viruses of the last few years is to either turn Windows machines into DDoS zombies, or to slow down servers with self-replicating worms. Both of these endeavours - which are the real computer virus threats of the early 21st century, not losing your mp3s - usually require root or Administrative rights.

Please detail why root privileges are necessary to attain either of these goals on the average system.

Simply put, BS. Being an Administrator on a Windows system is practically the same as being root on a *nix system. Tell me what you can't do as an Administrator in Windows (well, except recompile your kernel, of course) that you can as root. Real important stuff, you know, something that would actually make your point relevant.

Kill any processes on the system. Delete open files. Modify files where Administrator has not been given write or delete access. Basically all the stuff one could do to a system that Administrator can't - root has no restrictions at all on the typical unix box.

Of course, these aren't really all that applicable to the attacks you feel are important (although they are important). Why don't you list the things a normal user can't do but root can to allow DoS attacks (local and remote).

The problem is when the HTML engine has one of the worst security record and has been tightly integrated in the OS in order to shut out rival HTML engines.

You'll need to describe what you mean by "tightly integrated" (as opposed to "loosely integrated" ?) and how that somehow makes it different to any other widely used OS component - like, say, libc.

Or perhaps you weren't around when the whole Netscape/MS trial thing was going on?

I was. It was a crock then and remains a crock now. Netscape screwed themselves by promising much and delivering nothing. Microsoft's development of a system-level HTML component may well have aided in this process, but was hardly the only - or even major - cause. The development of such a component - and similar ones hence - would have been inevitable once the ubiquity of HTML was established and customers demanded it.

I also find it entertaining how no-one is lambasting Apple for "integrating" a HTML engine. Presumably since they're already a monopoly, it's ok.

Re: Great Cthulhu (IP: ---.205-131-66.nowhere.mc.videotron.ca)
by drsmithy on Tue 7th Oct 2003 06:31 UTC

Actually that is incorrect. The author does not blame Windows vulnerability on the fact that it's a monoculture.

Windows is more vulnerable because it is more common (more targets, higher probability target is vulnerable).
Windows is more vulnerable because it exposes greater functionality.
Windows worms and viruses cause more damage because it is common.
Windows worms and viruses can spread more quickly because it is common.

The author's comments on "monoculture" are a tacit admission commonality is a fundamental aspect.

He's saying that viruses can do a lot more damage in a monoculture.


Yet his primary thesis is that OS popularity is independent of damage that can be wrought. Basically, he's trying to say if Linux or OS X were in the same position Windows is, the same problems would not plague it.

"Not being root" does limit the spreading worm,

How, from a practical perspective, does lack of root access limit a worm's ability to spread from the typical machine ?

That still doesn't contradict the fact that "not being root" is safer: it prevents situation A and doesn't affect situation B either way, which is safer than not having an effect on either situation.

Without knowing what your situations A and B are it's kind of hard to comment.

So in fact it appears that the author - who incidentally is a computer security specialist - is right on both these counts, and you aren't. Sorry.

The author may be a "Security Consultant", but that article is nothing more than anti-Windows FUD, hand-waving, misleading statements and incorrect conclusions - with a few subtle factual errors thrown in for good measure.

In short, it's a troll.

Re: Great Cthulhu (IP: ---.205-131-66.nowhere.mc.videotron.ca)
by drsmithy on Tue 7th Oct 2003 06:50 UTC

Ack, repost with decent formatting.

Actually that is incorrect. The author does not blame Windows vulnerability on the fact that it's a monoculture.

Windows is more vulnerable because it is more common (more targets, higher probability target is vulnerable).
Windows is more vulnerable because it exposes greater functionality.
Windows worms and viruses cause more damage because it is common.
Windows worms and viruses can spread more quickly because it is common.

The author's comments on "monoculture" are a tacit admission commonality is a fundamental aspect.

He's saying that viruses can do a lot more damage in a monoculture.

Yet his primary thesis is that OS popularity is independent of damage that can be wrought. Basically, he's trying to say if Linux or OS X were in the same position Windows is, the same problems would not plague it.

"Not being root" does limit the spreading worm, [...]

How, from a practical perspective, does lack of root access limit a worm's ability to spread from the typical machine ?

That still doesn't contradict the fact that "not being root" is safer: it prevents situation A and doesn't affect situation B either way, which is safer than not having an effect on either situation.

Without knowing what your situations A and B are it's kind of hard to comment.

So in fact it appears that the author - who incidentally is a computer security specialist - is right on both these counts, and you aren't. Sorry.

The author may be a "Security Consultant", but that article is nothing more than anti-Windows FUD, hand-waving, misleading statements and incorrect conclusions - with a few subtle factual errors thrown in for good measure.

In short, it's a troll.

re: drsmithy.
by Anonymous on Tue 7th Oct 2003 07:22 UTC

> Kill any processes on the system.

Grab PSKill from winternals.com, run it as administrator and it will allow you to stop pretty much any process in its tracks. Just because Task Manager has a few safety mechanisms that watch what you're trying to kill doesn't mean the sys itself won't let you. The API does not care.

> Modify files where Administrator has not been given write or delete access.

Actually if you go into properties of said file/dir and pick the nice little take ownership options in Security you can do whatever the hell you want. And yes Administrator can do this. A few simple API calls and you've pretty much taken care of that issue.

RE; drsmithy
by iain peters on Tue 7th Oct 2003 07:33 UTC

"The user has to make them executable first. Did you read the article?
Yes. The process described for launching an attachment is identical to using Outlook in Windows."

Can you please explain how, as your response looks like a semantic argument, i.e. launching as opposed to executing.
In Windows (particularly in the 9.x series) you execute a program because it has a file extension of .EXE/.BAT/.CMD etc. In the *nix environment, as you know, you have to copy it to the file system first, chmod and then run it. I don't see how they are the same, although Outlook has now had that "feature" switched off.
"Funny, my default kMail install launches things like PDFs and jpegs into an appropriate viewer after giving an "are you sure" prompt." - have PDFs/Jpegs become executable or does your Kmail allow you to run binaries too?
"I can certainly name several *design* features of (most) unix-like OSes that make it less secure than Windows." - can you please name these "design" features, I'd like to make sure they don't affect me.

RE: Youlle - can you tell me where the registry is in your Linux implementations - are you talking the Gnome situation?

Re: iain peters (IP: 62.6.160.---)
by drsmithy on Tue 7th Oct 2003 08:14 UTC

Can you please explain how as you response looks like a semantic argument i.e. launching as opposed to executing.

I was commenting on the general "launching attachments" issue. The processes for non-executable attachments are the same.

Actual executable files are a specific example where Outlook & co. have greater functionality. The user still has to specifically authorise running the executable (in a dialog that defaults to "Save"). Some people might consider this a weakness, but I don't - I *like* having the option to run an executable without fiddling around with file permissions first.

Additionally, the difference between having to run a commandline tool and selecting an option in a dialog is largely semantic when talking about end users. If people are dumb enough to open things like "Anna nude", they're definitely silly enough to run "chmod a+x anna_nude" when an email tells them to.

The biggest security vulnerability - as is grudgingly admitted in the article - is social engineering. All current OSes have sufficient levels of programmatic security to provide a practically equivalent level of protection to the average end user. The problem is as soon as you start enforcing too much security programmatically, it encroaches on usability.

can you please name these "design" features, i'd like to make sure they don't affect me.

Unrestricted superuser.
The fact you have to be root to do anything even remotely low level.
Various kludges like privsep, sudo and suid binaries.

Basically, they all revolve around unix's primitive security model, which is barely more than a step away from that of DOS and classic MacOS.

Market Share isn't a factor
by Peter Moss on Tue 7th Oct 2003 08:15 UTC

I'm sorry but saying market share is THE factor is rubbish. That's like comparing the security of the more popular Ford Fiesta with a basic immobiliser and no alarm to a Merc SLK with the highest level of security devices. Even if the Merc were as common as the Ford it would still be a lot harder to break into.

Re: Peter Moss (IP: ---.thekmgroup.co.uk)
by drsmithy on Tue 7th Oct 2003 08:45 UTC

I'm sorry but saying market share is THE factor is rubbish.

Agreed. It's a significant one of several.

Even if the Merc were as common as the Ford it would still be a lot harder to break into.

A poor, if deliberate choice of vehicles, but in basic principle the analogy is somewhat valid.

If there were ninety-odd times as many, say, BMWs on the road as there were Audis and Mercs, which type of vehicle out of the three would you expect to feature most prominently in statistics like crashes and thefts?

Re: @drsmithy
by Interfacer on Tue 7th Oct 2003 10:17 UTC

"Tell me what you can't do as an Administrator in Windows (well, except recompile your kernel, of course) that you can as root. Real important stuff, you know, something that would actually make your point relevant."

deleting your kernel image for one thing. relevant enough?

i have developed real time kernel process on linux.
with windows you can indeed shoot yourself in the foot with an admin account.
with linux you can do the same, except you use an atomic bomb instead of a gun.

kind regards,
Int

RE: @drsmithy
by Wrawrat on Tue 7th Oct 2003 10:32 UTC

Simply put, BS. Being an Administrator on a Windows system is practically the same as being root on a *nix system. Tell me what you can't do as an Administrator in Windows (well, except recompile your kernel, of course) that you can as root. Real important stuff, you know, something that would actually make your point relevant.

Actually, drsmithy is right. I believe the equivalent of root in NT is SYSTEM.

To: Peter Moss
by Wahur on Tue 7th Oct 2003 11:33 UTC

Around here the owner of an MB has a lot higher probability of having one's car stolen or broken into, security measures or not, even if Ford is far more popular. So your comparison was good, interpretation 180 degrees wrong.

Wahur

RE: could it be that people are to blame?
by Anonymous on Tue 7th Oct 2003 11:50 UTC

I wouldn't think that I am to blame that an *.exe can be downloaded and executed by merely **visiting** a homepage, not even clicking at anything...

Re: Marcus Sundman (IP: ---.kotikaista.weppi.fi)
by Marcus Sundman on Tue 7th Oct 2003 11:58 UTC

> > Google is your friend.
> > The first hit is an introduction to the subject:
> > http://www.skyhunter.com/marcs/capabilityIntro/
>
> Translation: dynamic ACLs.

That's an extremely bad translation! I suggest you read "Capability myths demolished" to get a clue.

> This approach wouldn't work as it suffers from the big
> problem of dialog-box-overload.

Showing dialog boxes is an implementation issue and has nothing to do with whether the security is based on capabilities or ACLs. As a matter of fact showing lots of dialog boxes even maps better to ACLs where you can have the dialog-box code just behind the access API.
The difference is that the email client won't give the untrusted application capabilities to open windows or network connections. And even if it did it would still be impossible for the untrusted program to be able to get a capability that the email client doesn't have. No dialog boxes need to be shown. If the untrusted application doesn't have a capability for opening network connections it can't even ask for a connection to be opened so there is no security checking involved (read: there is no security checking in which there could be a bug or some identity-checking that the untrusted program could fake).

> > I also recommend reading "Capability Myths Demolished"
> > available e.g. at http://zesty.ca/capmyths/
>
> A quick read indicates that this document might address
> the myths listed and possibly even demolish them, but it
> doesn't address the problems that would be encountered in
> actual implementation.

So why don't you check out some real implementations then?
Some starting pointers:
- http://www.erights.org/
- http://www.combex.com/tech/
- http://www.cap-lore.com/CapTheory/
- http://www.eros-os.org/mailman/listinfo/

Posts like yours really contribute a lot to the mass ignorance that I mentioned. Sigh..
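To make the capability-versus-ACL distinction in the post above concrete, here is an added Python illustration (not the page's code, nor from E, Combex or EROS; every name in it is constructed): an ACL-style network service that decides by a caller-supplied identity, beside a capability-style design in which the untrusted viewer simply never receives the network reference, plus attenuation and revocation. Python does not itself make references unforgeable, so this shows the pattern rather than enforcing it the way an object-capability language or kernel would.

```python
"""Object-capability vs. identity-based (ACL-style) access control.

Added illustration of the argument above; not code from the page or from
E, Combex or EROS. All names here are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field


# --- ACL style: authority is ambient, a global service decides by *who asks* ---

class AclNetwork:
    """Identity-based check: whoever can claim an allowed name gets access."""

    def __init__(self, allowed: set[str]) -> None:
        self._allowed = set(allowed)
        self.log: list[str] = []

    def connect(self, caller_id: str, host: str) -> bool:
        # The "identity" is a string supplied by the caller, so untrusted
        # code can fake it: the spoofable check the post describes.
        if caller_id not in self._allowed:
            self.log.append(f"denied {caller_id} -> {host}")
            return False
        self.log.append(f"connected {caller_id} -> {host}")
        return True


ACL_NETWORK = AclNetwork(allowed={"mailclient"})   # reachable by any code


def acl_attachment_viewer(data: bytes) -> bool:
    """Untrusted viewer under the ACL model: it can *ask* for a connection
    while claiming to be the mail client, and the check cannot tell."""
    return ACL_NETWORK.connect("mailclient", "attacker-controlled.invalid")


# --- Capability style: authority travels only as an unforgeable reference ---

@dataclass
class NetCap:
    """Capability to open connections. Only code holding an instance can
    connect; there is no global lookup and no identity to spoof."""
    log: list[str] = field(default_factory=list)

    def connect(self, host: str) -> bool:
        self.log.append(f"connected -> {host}")
        return True


@dataclass
class ReadOnlyBlob:
    """Attenuated capability: read the attachment bytes, nothing more."""
    _data: bytes

    def read(self) -> bytes:
        return self._data


@dataclass
class Revoker:
    """Forwarder that lets the granter withdraw a capability after granting it."""
    _target: NetCap | None

    def connect(self, host: str) -> bool:
        if self._target is None:
            raise PermissionError("capability revoked")
        return self._target.connect(host)

    def revoke(self) -> None:
        self._target = None


def cap_attachment_viewer(blob: ReadOnlyBlob) -> int:
    """Untrusted viewer under the capability model. Its only authority is the
    blob it was handed: with no NetCap reference it cannot even request a
    connection, so no dialog box and no identity check are needed."""
    return len(blob.read())


def mail_client_opens_attachment(net: NetCap, attachment: bytes) -> tuple[int, list[str]]:
    """Trusted mail client: holds `net` but passes the viewer only a
    read-only view of the attachment."""
    size = cap_attachment_viewer(ReadOnlyBlob(attachment))
    return size, list(net.log)   # stays empty: the viewer never reached `net`


def mail_client_with_revocation(net: NetCap, host: str) -> tuple[bool, bool]:
    """Grant a revocable forwarder to a helper, use it once, then revoke it."""
    handle = Revoker(net)
    first = handle.connect(host)          # works while the grant is live
    handle.revoke()
    try:
        second = handle.connect(host)     # now raises PermissionError
    except PermissionError:
        second = False
    return first, second
```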

RE: Running Win2K as 'Root'
by Brian on Tue 7th Oct 2003 12:04 UTC

I have yet to find an application that I have to run as ROOT/ADMIN under W2K/XP... Granted installation requires admin mostly to write reg keys and drop files in certain locations. We just finished a huge migration to Windows XP with around several hundred apps on our base image and we found no applications we could not get to work without admin rights. Granted we did have to change permissions on some reg keys and some select files but using regmon and filemon we were able to find and document these changes and then provide feedback to the developers so they could fix these issues. Most problems with apps are when they are designed to run on 9x/ME/NT/2K/XP all with one code base... slowly but surely developers are getting the point about security... Anyone else notice some of the newer games give you a choice about whether everyone should be able to run this game or not (I think this is mostly Microsoft Games) but others will soon follow.

rebuttal article is bullshit
by appleforever on Tue 7th Oct 2003 12:56 UTC

First, the guy starts off with a strawman, saying people are arguing that linux is invincible. Nobody said that at the Register. They said Linux is MORE secure, not perfectly secure.

Second, I love how the guy tries to get past the fact that in Linux (or OS X) only the user's data can be destroyed, not the system files. He asserts it's no big deal to rebuild the system, just stick in a few floppies. This is false. If Windows goes south with some unexplainable virus, you might have to rebuild the entire thing including the system and reinstall all drivers and apps. Lot of work. Second, it's hard to back up the whole system because of the size, while backing up user data (at least data like calendar, email, text type documents) is feasible.

Anyways, at the end of the day, does it really matter why windows is plagued by virus, worms, spyware, adware? It is. That's the simple truth and it ain't going away.

RE: drsmithy
by Peter Moss on Tue 7th Oct 2003 13:14 UTC

> If there were ninety-odd times as many, say, BMWs on the road as there were Audis and Mercs, which type of vehicle out of the three would you expect to feature most prominently in statistics like crashes and thefts?

I would say a joy rider would choose the easiest one to break into, I would say a professional car thief would spend more effort in stealing/breaking into the car with the most value (which relates to Wahur's point).

Of course the analogy goes further. A Merc with top security is worse than a Ford if you forget to lock the doors.

@drsmithy
by Great Cthulhu on Tue 7th Oct 2003 15:09 UTC

No, it doesn't. Malicious executable code just needs to be executed to cause damage (eg: it contains system calls to delete hard disk partitions). Something like a .scr file has to get itself "run" by something that has to know which handler to pass it on to. Even then, it has to be passed to an exploitable handler to do damage (eg: must be run by explorer, explorer must have .scr file associated with something, the associated app must be vulnerable to an exploit and *then* the system calls to delete hard disk partitions are run).

Which is my point: the system is vulnerable by default, and it requires some serious tweaking to make it secure. Even then, there have been exploits around this "feature."

"So you have to hack your system to make it more secure?"

No, you have to configure it to be secure, just like you do with any other platform.


Actually, KMail won't run executables from an e-mail, ever. I'm talking executables, here, not data files that launch an app or viewer: real executables, programs and scripts.

Funny, my default kMail install launches things like PDFs and jpegs into an appropriate viewer after giving an "are you sure" prompt. Seems to me it's using exactly the same process as Windows and hence is vulnerable to the same sort of attack. Mail.app on OS X also behaves like this IIRC.

No it isn't. You can't execute a PDF or jpeg. You're playing with words, here. A jpeg won't erase your hard disk.

"The user has to make them executable first. Did you read the article?"

Yes. The process described for launching an attachment is identical to using Outlook in Windows.


No it isn't! You don't have to make an attached .exe or .scr executable in Outlook for Windows - you can execute it just by double-clicking on it. With KMail you can't even execute malicious code in HTML mails, a bug which affects some versions of Outlook!

Yes, it does. If I double click a .pdf or jpeg in GNOME or KDE, they hand the file off to an associated handler in the same way Windows does. As does Finder in OS X.

Data files are not the problem, executable files are! You're deliberately playing on words because you do not have a point!

"Well one should expect that people who have important data on their hard drives keep CD-ROM backup of the most valuable stuff."

One would. Of course, they don't and with a multitude of Linux zealots running around preaching how Linux's superior security will stop viruses from erasing files, they wouldn't be likely to suddenly start, either.


That doesn't make any sense. Whether one uses Linux or Windows, one should always back up their important data; this has nothing to do with zealotry or security - as I've said, your computer could get stolen, or a hardware failure could make it difficult to recover your files. And you know what? I know a lot of people who do make backups - thanks to one Linux advocate (me) who has explained to them how important it is. Stop thinking that all users are idiots.

Kill any processes on the system. Delete open files. Modify files where Administrator has not been given write or delete access. Basically all the stuff one could do to a system that Administrator can't - root has no restrictions at all on the typical unix box.

Administrator can kill nearly all processes using some tools - it's not because you can't do it with Task Manager that you can't at all. Deleting open files has more to do with the filesystem than with privileges. And Administrator can give himself write or delete access to any file, and can therefore modify them. You do know that you can do the same thing in *nix, right? You can make files non-writeable and root won't be able to write or delete them unless he chmod +w them first.

I also find it entertaining how no-one is lambasting Apple for "integrating" an HTML engine. Presumably since they're already a monopoly, it's ok.

Apple isn't really a monopoly, not if you consider "personal computers" as a whole. This is an old and tired argument.

Windows is more vulnerable because it is more common (more targets, higher probability target is vulnerable).

Not true. The vulnerability of an OS is independent from its popularity. Either a system is vulnerable, or it isn't. If it's vulnerable but rare, then no one cares. If it's vulnerable and very common, then we have a problem.

Windows is more vulnerable because it exposes greater functionality.

What does having "greater functionality" (which overall isn't true anyway) have to do with the fact that it's more common? Windows is more common not because it has more functionality (it doesn't) but because it came preloaded on every PC back in the days of Win95.

The added "functionality" that does make Windows more vulnerable is that you can run executables that you receive via e-mail without having to set the executable bit. But the fact is that this does not have any real utility: how often do you need to execute an attachment (not open attached data, which is quite different)? Seriously, think of how often you receive a legitimate executable as an attachment - that is a false argument and you know it.

Windows worms and viruses cause more damage because it is common.
Windows worms and viruses can spread more quickly because it is common.


This is true. However, that does not mean that Windows is more vulnerable - it just means that whatever vulnerabilities it has can cause more damage. That is a fundamental point which you're refusing to acknowledge.

The author's comments on "monoculture" are a tacit admission commonality is a fundamental aspect.

Again you refuse to understand: "monoculture" doesn't make Windows more vulnerable. It just makes any vulnerabilities more dangerous. Since you seem to misunderstand this, let me find another example. Let's say I have made a breed of cows. For some reason, that breed is quite vulnerable to the flu and will quickly die if exposed. That breed is therefore highly vulnerable. However, I have the only herd in North America. Therefore, even if the flu hits, no more than a couple dozen cows will die. Now let's say that this breed - for whatever reasons - becomes highly popular and becomes the prevalent breed in North America, with 90% of the cows being from that breed. Then the flu hits, and 90% of all cattle in NA die, sending the industry into a crisis. Now, the cows aren't more vulnerable because they've become the dominant breed - in fact, they are as vulnerable, no more, no less, than when I only had a couple of dozen of them. But the impact of their vulnerability is much, much higher because they have become a monoculture, and therefore affect the entire cattle industry and the economy at large.

"He's saying that viruses can do a lot more damage in a monoculture."

Yet his primary thesis is that OS popularity is independent of damage that can be wrought.


No, he's saying that OS popularity is independent from vulnerability, not the overall damage that can be wrought. This is a fundamental difference - ignoring it to make a point won't make it any less true.

The author may be a "Security Consultant", but that article is nothing more than anti-Windows FUD

Yeah, as long as it's critical of Windows, it's anti-Windows FUD, right?

....
by bzz... on Tue 7th Oct 2003 15:38 UTC

The point truly is the fact that Windows is (hands down) the most exploited OS on the planet. No ifs or ands about it.

It doesn't matter if popularity is a security breach or if ignorance is. The educated fact is any other OS is less hacked, therefore more secure and stable <period>.

rebuttal and virii
by mp on Tue 7th Oct 2003 17:16 UTC

brando (IP: ---.labs.win.psu.edu)
MS does have the most viri because there are so many computers, that is what makes it hit so hard everytime there is a virus, but that isn't why they write them.
Translation: MS does have the most men because there are so many computers
marc (IP: ---.triad.rr.com)
Writing Virii for Windows is so much easyer that writing for Linux or MacOS X. Windows is more exploitable than anything else, everyone knows that.
Translation: Writing men for Windows is so much easyer that writing for Linux
Virus and viruses either DNA or RNA: the causative agent of an infectious disease. Programming: a computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs and that usually performs a malicious action (as destroying data) - Webster on line

Vir and viri from latin man and men. brando one point for correct spelling of the word. marc zero points

Bascule (IP: ---.atmos.colostate.edu)
"No, the above assertion is certainly correct, even if your interpretation of it is not. Compare the number of hosts infected by the Slammer worm to the number of home users compromised by other worms such as MSBlast and Welchia, neither of which are problems if DCOM has been disabled, but of course no home users are likely to have done that."
Disabling DCOM is not enough, and completely closing port 445 works only on W2k. Besides I would like to see the faces of Exchange/MS SQL admins when one shuts down DCOM. In case of WinXP closing 445 will stop LAN browsing. Under WinXP using TCP filtering does not work. Trying to close any port will shut down all ports (like ICF). TCP filtering worked fine under Win2k. Patching is not good enough as the msblaster example shows as soon as another hole in RPC was found. In other words one needs to close all unused ports and this is not possible under WinXP. Firewall is not the best option: one can bring an infected laptop and connect to the LAN behind the firewall.

Marshall (IP: 202.7.32.---)
"Pretty much no game will run without being admin on windows (BF1942 popular example if memory serves which often it doesn't)."
That is not true. Install regmon from sysinternals, check for access denied while running game as a user then modify game rights to access/write to registry

Will (IP: ---.oc.oc.cox.net)
"don't recall the product. Among the assorted products, I've had some that simply say "Must be admin to install" and abort, and I had one that asked me for the Admin password, but the install failed.
On a single user machine, I think that Windows (or even Unixen here) can use an ACL trick (or simply changing the owner) to open up /dev/video to the logged in user as part of the login process. Thus making this nominally root owned system device (the display) usable by the logged in user vs just making it, essentially, world writable/readable."
Win or unix (like) while installing (compiling/installing) you have to have admin rights so use su for root under unix or Run as in case of Windows. People are complaining about Run as, but in general it should work.


Peter Besenbruch (IP: ---.hawaii.rr.com)
"I wonder whether my Windows 2000 system is
any less secure than my Linux systems.

As a home user, I tend to shut down non-essential
services. I regularly restrict what programs I allow
to start at boot. I scan regularly for viruses and
spyware. I use a firewall that allows program by
program access to the LAN and the Internet (Internet
Explorer gets no permission to do anything)."

You are a happy man: ever checked the last IE security hole? No need to run IE to exploit it.

ACLs are not a cure for everything as long as programs with security holes are running with root privileges.

The article mixes for an unknown reason several things: bad administration which is OS unrelated, security holes in programs (OS unrelated too) and viruses (MS specific security issue as the numbers show). But Linux is not very secure either (but better than MS). A quick look at Windows and RH advisories shows that both are even in terms of security. Even hardened distros like Immunix or EnGarde can not be considered really secure when compared to OpenBSD. The least secure BSD (Free) has fewer security problems than the above distros. However fixing security under any distro of Linux is easier than in the Windows case because of the modular character of the OS.
Unless MS completely re-writes the code and changes attitude towards security, I don't believe that Windows will ever be secure and because it is impossible to re-write Windows then it will always be insecure.

@mp
by Anonymous on Tue 7th Oct 2003 17:25 UTC

would you PLEASE change your quoting style! It is very hard to read the way you run the quote together with your reply. Not to mention the way you just changed style half way through this last post!

Re: Great Cthulhu (IP: 209.47.215.---)
by drsmithy on Tue 7th Oct 2003 17:56 UTC

Which is my point: the system is vulnerable by default, and it requires some serious tweaking to make it secure.

No, it isn't. The end user must take deliberate steps to run an executable from a mailer in both OSes. Barring coding bugs, it is not the default and it is not automatic.

It's arguable that allowing the capability at all is bad, but firstly that's getting into "slippery slope" territory (who decides what capability is good or bad), secondly it's not really the issue and thirdly there's a fair chunk of people out there (like me) who think it's a nice option to have.

No it isn't! You don't have to make an attached .exe or .scr executable in Outlook for Windows - you can execute it just by double-clicking on it.

I'm pretty sure an .scr is just a data file and the exploit using it was utilising a buffer overflow in the screensaver code. That's something any handler application is potentially vulnerable to.

With KMail you can't even execute malicious code in HTML mails, a bug which affects some versions of Outlook!

Yes, because kMail has less HTML functionality than Outlook. Again, it's arguable whether this is good, or bad - but I've seen lots of HTML emails out there using fancy things whose creators wouldn't like it much if they suddenly stopped working.

The point I'm making is that whether the end user has to select a different option in a dialog box or run a single shell command is largely semantic - the "hard" part is convincing them to do either.

Stop thinking that all users are idiots.

I don't think users are idiots, I think they make poor choices relating to using computers - and will continue to do so.

Apple isn't really a monopoly, not if you consider "personal computers" as a whole.

Any definition you use to call Microsoft a monopoly, also marks Apple as one.

This is an old and tired argument.

And correct, as well. Have you ever looked at the market definition that was used to call Microsoft a monopoly?

The vulnerability of an OS is independent from its popularity.

Perhaps in some academic sense, this might be true. In the real world, the more common an OS is, the more likely it is to be attacked, the more likely it is to be used in riskier scenarios, the more likely attackers will find a weakness and the more attractive target it makes to exploit that weakness.

Either a system is vulnerable, or it isn't.

And this *certainly* isn't true. At least, not for any systems that are available to the general public.

If it's vulnerable but rare, then no one cares. If it's vulnerable and very common, then we have a problem.

Even if it's just as vulnerable as the alternatives and ninety-odd times as common, then it's still going to represent a greater proportion of exploited hosts.

What does having "greater functionality" (which overall isn't true anyway) have to do with the fact that it's more common?

Because it's one of the factors that have made it more common.

Windows is more common not because it has more functionality (it doesn't) [...]

It certainly does. The article gives numerous examples thereof.

[...] but because it came preloaded on every PC back in the days of Win95.

If you want to argue that, then you'll need to go back further than Windows 95.

Of course, even then - just as at all times - it's been possible to buy PCs without Windows, or any OS at all.

Windows is popular because it's "good enough" - same reason unix is (in their relevant market circles).

The added "functionality" that does make Windows more vulnerable is that you can run executables that you receive via e-mail without having to set the executable bit.

Or, to play devil's advocate and turn it on its head, the functionality lacking on the unix side is having file attributes carried along with an attached file.

Instead of having to set an executable bit you have to ignore a dialog and change the default option from "Save" to "Execute". How long do you think that's going to hold back the average punter who wants to see some boobies - particularly when instructions are conveniently laid out in the email ?

But the fact is that this does not have any real utility: how often do you need to execute an attachment (not open attached data, which is quite different)?

Within a corporation, I can see some uses.

Not to mention just passing data off to a handler is also potentially dangerous, if the handler is exploitable.

Again you refuse to understand: "monoculture" doesn't make Windows more vulnerable. It just makes any vulnerabilities more dangerous.

Actually, it makes vulnerabilities more likely to be found, exploited and propagated.

Even if we assumed Windows and other OSes are at equal levels of "vulnerability", we'd still expect to see a vast bias towards Windows in terms of actual exploits and damage caused.

Heck, even if we were to swing the other way and assume Windows was half as vulnerable as OS X and Linux, you'd still expect to see a massive bias towards Windows.

Since you seem to misunderstand this, let me find another example. Let's say I have made a breed of cows. For some reason, that breed is quite vulnerable to the flu and will quickly die if exposed. That breed is therefore highly vulnerable. However, I have the only herd in North America. Therefore, even if the flu hits, no more than a couple dozen cows will die. Now let's say that this breed - for whatever reasons - becomes highly popular and becomes the prevalent breed in North America, with 90% of the cows being from that breed. Then the flu hits, and 90% of all cattle in NA die, sending the industry into a crisis. Now, the cows aren't more vulnerable because they've become the dominant breed - in fact, they are as vulnerable, no more, no less, than when I only had a couple of dozen of them. But the impact of their vulnerability is much, much higher because they have become a monoculture, and therefore affect the entire cattle industry and the economy at large.

How about this:
There are many breeds of cow. Some breeds are vulnerable to some viruses, other breeds are vulnerable to different viruses. However, one breed of cow has become dominant, making up 90% of the cows in the country.

Statistically speaking, which breed of cows would you expect to suffer the most casualties due to sickness? Which breed of cows would you expect to see contract illnesses more often? Which viruses would you expect to see spread the fastest throughout the bovine population?

Bear in mind we're working with raw numbers here, not normalised ones.

*You* are the one who doesn't understand. The reason this guy perceives Windows as "more vulnerable" is because it gets exploited more often, exploits spread faster and the damage caused by exploits is greater.

EVEN IF EVERY OS WAS EQUALLY VULNERABLE, YOU WOULD *STILL* EXPECT THIS TO HAPPEN BECAUSE WINDOWS MAKES UP THE VAST MAJORITY OF THE MARKET.

No, he's saying that OS popularity is independent from vulnerability, not the overall damage that can be wrought.

And he is wrong. Commonality is a fundamental aspect. This is inescapable if the metrics being used are not normalised against marketshare and AFAIK, none of them are.

40 linux viruses?
by Anonymous on Tue 7th Oct 2003 18:12 UTC

Prove it. What are their names and how many computers did each infect? How come I have never heard of one of them?

@drsmithy
by Great Cthulhu on Tue 7th Oct 2003 21:18 UTC

No, it isn't. The end user must take deliberate steps to run an executable from a mailer in both OSes. Barring coding bugs, it is not the default and it is not automatic.

It's arguable that allowing the capability at all is bad, but firstly that's getting into "slippery slope" territory (who decides what capability is good or bad), secondly it's not really the issue and thirdly there's a fair chunk of people out there (like me) who think it's a nice option to have.


Yes, the capability is bad, because it serves practically no purpose. What good use is there to execute attachments? And despite what you're saying, it is exactly the issue. The user should not be able to execute a file just because it has a .exe, .bat, .vbs or .scr extension.

I'm pretty sure an .scr is just a data file and the exploit using it was utilising a buffer overflow in the screensaver code. That's something any handler application is potentially vulnerable to.

You make the incorrect assumption that .scr is only used for screensavers. The extension is actually used for more than this, one of the uses being for executable scripts:

http://filext.com/detaillist.php?extdetail=SCR
http://www.corbinball.com/articles_security/index.cfm?fuseaction=co...

I've seen lots of HTML emails out there using fancy things whose creators wouldn't like it much if they suddenly stopped working.

You're equating some frivolous (and annoying) habit some people have of making complex HTML messages that don't display well on all mail clients (even on Windows) with the potential security risk that someone may gain access to your files and/or system and scrap it or use it for malicious purposes. This kind of attitude is exactly why computer security is in such a sorry state.

The point I'm making is that whether the end user has to select a different option in a dialog box or run a single shell command is largely semantic - the "hard" part is convincing them to do either.

Making things harder and more tedious reduces the risk. Every bit helps.

I don't think users are idiots, I think they make poor choices relating to using computers - and will continue to do so.

Well I think that people do educate themselves about these things. It takes time, but habits do change.

Any definition you use to call Microsoft a monopoly, also marks Apple as one.

What, Apple holds 90%+ of the personal computer OS market? It has a 90% monopoly over the Office suite market?

Again, this is an old, tired and incorrect argument. Oh, and of course, the courts have ruled that MS does indeed represent a monopoly, and has abused its monopoly status. Until U.S. courts decree that Apple is a monopoly, I will stand by this statement: MS has a monopoly, Apple doesn't. 'nuff said.

Perhaps in some academic sense, this might be true. In the real world, the more common an OS is, the more likely it is to be attacked, the more likely it is to be used in riskier scenarios, the more likely attackers will find a weakness and the more attractive target it makes to exploit that weakness.

Again, these have nothing to do with vulnerabilities that are intrinsic to the OS, such as the aforementioned ability to run any file with a *.exe, *.bat, *.vbs, *.scr extension, or the fact that a non-Administrative user can install *.dll files that can be run at a higher level of privilege. These are basic vulnerabilities that are present regardless of the OS's popularity.

"Either a system is vulnerable, or it isn't."

And this *certainly* isn't true.


Well, let me rephrase that, then: either vulnerabilities exist in a system, or they don't. Making the system more popular won't create new vulnerabilities.

"[...] but because it came preloaded on every PC back in the days of Win95."

If you want to argue that, then you'll need to go back further than Windows 95. Of course, even then - just as at all times - it's been possible to buy PCs without Windows, or any OS at all.


Actually, if you look back at PC history, Windows rarely came preloaded before Win95. Preloaded systems are generally credited as making Win95 a success (boxed set sales were disappointing). This is all back in the days of OS/2 vs. Windows.

Or, to play devil's advocate and turn it on its head, the functionality lacking on the unix side is having file attributes carried along with an attached file.

This doesn't create security problems. And as we use computers more and more everyday, security becomes paramount, even at the price of some features. It would be much more convenient if I didn't have to lock my car doors, or need a key to start it, but because someone might steal it I have to accept a certain loss of convenience. Same thing applies to computers.

"But the fact is that this does not have any real utility: how often do you need to execute an attachement?"

Within a corporation, I can see some uses.


Such as? I can't see any. In a development framework, you'd use some kind of source control mechanism and file sharing. There is no good reason to justify the ability to run attachments - or even to arbitrarily try to execute some files based on file extension.

Actually, [monoculture] makes vulnerabilities more likely to be found, exploited and propagated.

Finally, you concede that a "monoculture" doesn't make an OS more vulnerable. Good. I was beginning to think you were in bad faith.

Even if we assumed Windows and other OSes are at equal levels of "vulnerability", we'd still expect to see a vast bias towards Windows in terms of actual exploits and damage caused.

Sure. That doesn't have anything to do with basic vulnerabilities found in the system, either through bugs or bad design decisions. The two are unrelated.

There are many breeds of cow. Some breeds are vulnerable to some viruses, other breeds are vulnerable to different viruses. However, one breed of cow has become dominant, making up 90% of the cows in the country. Statistically speaking, which breed of cows would you expect to suffer the most casualties due to sickness? Which breed of cows would you expect to see contract illnesses more often? Which viruses would you expect to see spread the fastest throughout the bovine population?

You assume that all breeds of cows are similarly vulnerable to viruses, but in fact some breeds are stronger than others. The cows are not more vulnerable because they are prevalent. However, having a vulnerable species being prevalent increases the damage that may be caused by an epidemic.

The reason this guy perceives Windows as "more vulnerable" is because it gets exploited more often, exploits spread faster and the damage caused by exploits is greater.

That is not what he says in the article. I know that's what you're trying to have him say, but in fact the guy presents specific issues (such as executable attachments and file extensions, plus .dll that can be installed by a normal user but that run as root) that show that there are some security flaws intrinsic to Windows, which are made worse because Windows is so prevalent.

EVEN IF EVERY OS WAS EQUALLY VULNERABLE, YOU WOULD *STILL* EXPECT THIS TO HAPPEN BECAUSE WINDOWS MAKES UP THE VAST MAJORITY OF THE MARKET.

Sure, but OS are NOT equally vulnerable. Some serious flaws exist in Windows - flaws which you acknowledge, and even try to argue that they are actually good design decisions - and these flaws now represent a serious security risk.

BTW, shouting won't make your point any more valid, and may cause your post to be modded down.

On another note
by Anonymous on Tue 7th Oct 2003 22:03 UTC

This kid who wrote the Blaster worm is basically a young punk. He didn't look too bright to me. But is it really that easy, that a child like that can write so time consuming and destructive a worm?

Random poking at random points
by Wrawrat on Tue 7th Oct 2003 23:30 UTC

An Administrator can give himself write or delete access to any file, and can therefore modify them. You do know that you can do the same thing in *nix, right? You can make files non-writeable and root won't be able to write or delete them unless he chmod +w them first.

Now that you mention it, I once had fun with my Linux system and I was able to delete even non-writeable root-owned files, so I don't think the comparison is entirely valid.

I'm pretty sure an .scr is just a data file and the exploit using it was utilising a buffer overflow in the screensaver code. That's something any handler application is potentially vulnerable to.

No, a SCR is simply a binary program... Open one with Notepad and you'll see the infamous "MZ" string that begins every DOS/Win32 program. You can also rename any SCR to EXE and it'll run like a normal program. I did some screensavers with Delphi... The only thing particular is that you must support some parameters (like foobar /run for running it... no parameter leads you by default to the configuration options).

Well I think that people do educate themselves about these things. It takes time, but habits do change.

You're living in a dream world, Neo...

Again, these have nothing to do with vulnerabilities that are intrinsic to the OS, such as the aforementioned ability to run any file with a *.exe, *.bat, *.vbs, *.scr extension, or the fact that a non-Administrative user can install *.dll files that can be run at a higher level of privilege.

Wait. Putting DLLs in %system% is one thing, being able to be run at a higher level of privilege is another one. If this was true, hackers would just have to make a special DLL and make a program calling that DLL... If you are sure that is true, please give me one or two sources independent of each other to back up your claim.

You assume that all breeds of cows are similarly vulnerable to viruses, but in fact some breeds are stronger than others. The cows are not more vulnerable because they are prevalent. However, having a vulnerable species being prevalent increases the damage that may be caused by an epidemic.
[...]
Sure, but OS are NOT equally vulnerable. Some serious flaws exist in Windows - flaws which you acknowledge, and even try to argue that they are actually good design decisions - and these flaws now represent a serious security risk.


I think smithy understands that... but you seem to be hopelessly biased against Windows. You puke on Windows like it was rotten horse manure while you're praising Linux as if it was the Holy Grail of computing. I think his point is quite fair: if Linux was much more popular, it would probably have as many exploits as Windows, and I add that it would be especially because crackers (not hackers) have access to the source. Yes, programmers would be able to patch their holes, but if people ain't patching their Windows system, do you think they would patch their Linux one? Don't assume users would be smarter, more educated or shit like that. Many Unix systems are being r00ted because of unfixed holes, after all.

I don't think Windows is more secure than Linux, but you can't claim the opposite either. You shouldn't compare numbers in a linear way, but rather in an exponential/logarithmic one. If you are so sure that Linux (or any other open-source OS) is the Holy Grail and would be better if it had the same market share as Windows, then why don't you back up your points with credible sources?
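The point above, that an .scr is a PE binary whatever its name says, is the basis of how a defender identifies executable attachments by content instead of trusting the extension. The following is an added example, not code from this thread or from any poster: it parses the DOS "MZ" header and the e_lfanew pointer to the "PE\0\0" signature, and classifies constructed sample attachments. The RUN_BY_EXTENSION list and the minimal PE stub are constructed for the example.

```python
import struct

# Extensions the thread says Windows runs by name alone. Constructed list for
# the example: the ones quoted in the discussion plus a few common companions.
RUN_BY_EXTENSION = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def is_pe_image(data: bytes) -> bool:
    """True when data is a Win32 PE image: a DOS 'MZ' stub whose e_lfanew
    field (32-bit little-endian at offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_of(name: str) -> str:
    """Last extension, lower-cased, so 'invoice.txt.SCR' yields '.scr'."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify_attachment(name: str, data: bytes) -> str:
    """Classify from content first, file name second.
    'pe-binary'         - MZ/PE header present, whatever the name says
    'runs-by-extension' - no PE header, but Windows would still hand the file
                          to a loader or interpreter purely because of its name
    'data'              - neither
    """
    if is_pe_image(data):
        return "pe-binary"
    if extension_of(name) in RUN_BY_EXTENSION:
        return "runs-by-extension"
    return "data"


def build_minimal_pe() -> bytes:
    """Constructed sample: 64-byte DOS header with e_lfanew = 0x40, followed by
    the PE signature and a zeroed COFF header. Not loadable; header parsing only."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


# Constructed attachments: a screensaver, the same binary renamed to look like
# a picture, plain text, a batch script, and a DOS-era MZ file with no PE header.
SAMPLES = {
    "holiday.scr": build_minimal_pe(),
    "photo.jpg": build_minimal_pe(),
    "notes.txt": b"just text\r\n",
    "cleanup.bat": b"@echo off\r\necho hello\r\n",
    "old.exe": b"MZ" + bytes(62),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} {classify_attachment(name, data)}")
```

Note that the renamed binary is still caught by its header, while the batch file is only flagged by its name, which is exactly the gap the extension-based model leaves open.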

@wrawrat
by Great Cthulhu on Wed 8th Oct 2003 00:07 UTC

Now that you mention it, I once had fun with my Linux system and I was able to delete even non-writeable root-owned files, so I don't think the comparison is entirely valid.

Hmm...you're right about this, you can actually delete them, but you can't write to them.

"I'm pretty sure an .scr is just a data file and the exploit using it was utilising a buffer overflow in the screensaver code. That's something any handler application is potentially vulnerable to."

No, a SCR is simply a binary program...


You do know that you're answering drsmithy here, right? I gave a link to support what you just said.

"Well I think that people do educate themselves about these things. It takes time, but habits do change."

You're living in a dream world, Neo...


Just because change happens slowly doesn't mean it doesn't happen at all. Most people I know now use a firewall when connected to the Internet, and a lot of people use an anti-virus system. The situation is improving, although not at the kind of pace we'd like to see...

If this was true, hackers would just have to make a special DLL and make a program calling that DLL... If you are sure that is true, please give me one or two sources independent of each other to back up your claim.

I was referring to the article but what about replacing a DLL - normally called by a program - with a corrupted one, and letting that one do the damage? Isn't that what happens with some viruses? Please give me one or two sources independent of each other to prove that this can't happen.

I think smithy understands that...

That doesn't seem too clear from what he's writing.

but you seem to be hopelessly biased against Windows. You puke on Windows like it was rotten horse manure while you're praising Linux as if it was the Holy Grail of computing.

Er, no. I don't know where you got that, but you're overreacting. I suggest you sit down and take a deep breath. I use Windows everyday, I've used it since version 3.0. I certainly don't puke on it, and don't consider Linux to be the Holy Grail or whatever.

What I do see, however, is that one cannot criticize Microsoft's security record without drawing the ire of MS zealots. I really do believe that there are severe security flaws in Windows, such as the fact that a file extension can determine if a program can be executed or not (and therefore can execute files received via e-mail, even automatically execute them in the case of a software bug).

I think his point is quite fair: if Linux was much more popular, it would probably have as many exploits as Windows, and I add that it would be especially because crackers (not hackers) have access to the source.

I disagree. I don't think that Linux would have as many exploits as Windows, because of the aforementioned design flaws (at least drsmithy admitted that these flaws exist, and actually said they were useful features). I think the author of the article made a compelling point, and that drsmithy does not.

I don't think Windows is more secure than Linux, but you can't claim the opposite either.

Well, right now in absolute and proportionate numbers, it is. So in fact I will claim it. I can't prove that if Linux had the same market penetration it wouldn't have as many flaws as Windows, but then again you can't prove to me that it would. So it is my opinion, based on the aforementioned flaws, that it wouldn't.

That said, I would love for Linux and Windows to have the same market penetration. That would take us away from the monoculture and let both OSes square off in healthy competition. Would you support such a scenario?

If you are so sure that Linux (or any other open-source OS) is the Holy Grail and would be better if it had the same market share as Windows, then why don't you back up your points with credible sources?

I have a better idea. Show me where Windows has a better security model than what you find in Linux and other open-source OSes, and show me proof (from credible sources, of course) that Open Source helps crackers find exploits, as you imply.

In the meantime, I'll continue to believe that some bad design decisions by Microsoft have introduced some severe security flaws in Windows. I'll also continue to be virus free, no matter what attachments people send me.

A word to the wise.

Re: Great Cthulhu (IP: 209.47.215.---)
by drsmithy on Wed 8th Oct 2003 02:10 UTC

Yes, the capability is bad, because it serves practically no purpose.

For you.

What good use is there to execute attachments?

Internal software distribution, patching, etc.

Heck, I just like to be able to run those silly little games without having to save the file somewhere else first.

And despite what you're saying, it is exactly the issue. The user should not be able to execute a file just because it has a .exe, .bat, .vbs or .scr extension.

The user should be able to do it if they want to.

You're equating some frivolous (and annoying) habit some people have of making complex HTML [...]

Something you consider frivolous, other people may consider extremely useful. Some people consider the ability to drag & drop between applications frivolous. Some people consider universal cut & paste frivolous. Heck, there's a lot of people out there who think anything more than a screen full of xterms is frivolous.

[...] messages that don't display well on all mail clients (even on Windows) with the potential security risk that someone may gain access to your files and/or system and scrap it or use it for malicious purposes.

Only due to coding bugs. The concept itself is sound.

This kind of attitude is exactly why computer security is in such a sorry state.

Yes, yes. We should all go back to serial terminals hanging off mainframes - they were secure.

Making things harder and more tedious reduces the risk. Every bit helps.

Making things harder and more tedious drives users away from your platform. Every little bit helps.

Incidentally, this whole debate around email attachments that is supposed to be indicating poor OS design is doing nothing of the sort, since it's an application issue, not an OS one.

Well I think that people do educate themselves about these things. It takes time, but habits do change.

You've got more faith than I do. 15 years ago you had to call a company up and convince someone you were from the IT department so they'd give you their password. Today you send them an email promising porn. In 15 years you'll probably be able to walk past them with a bluetooth dongle in the subway and download their entire credit history from their e-wallet because they didn't change the default password.

History does not suggest these habits are going to improve.

Again, these have nothing to do with vulnerabilities that are intrinsic to the OS, such as the aforementioned ability to run any file with a *.exe, *.bat, *.vbs, *.scr extension [...]

That's an application issue. If you want to call it an OS issue it's like saying unix is intrinsically vulnerable because anything set +x is executable.

[...] or the fact that a non-Administrative user can install *.dll files that can be run at a higher level of privilege.

That was a rather interesting assertion. I'd be very interested to see a) an explanation and b) proof.

Certainly if it's really as bad as he suggests, every worm in the world would be using it.

These are basic vulnerabilities that are present regardless of the OS's popularity.

Things like sudo and SUID binaries are basic security design flaws as well. Every OS has its share.

Making the system more popular won't create new vulnerabilities.

It will, however, make the more popular OS more likely to be exploited.

Actually, if you look back at PC history, Windows rarely came preloaded before Win95.

Eh ? Perhaps you're forgetting the massive impact (at the time) and spread of Windows 3.0 and 3.1. And that whole per-processor licensing kerfuffle that the Microsoft-haters love to talk about ? That was *DOS* and *Windows 3.x*. Windows 95 wasn't even *conceived* when that was happening.

Microsoft's massive market share was established by DOS and cemented by Windows 3.0 and 3.1. Windows 95 and followers were following a path already well trodden. Saying Windows 95 made any major contributions to Microsoft's commanding marketshare is just pure revisionism.

Preloaded systems are generally credited as making Win95 a success (boxed set sales were disappointing).

Huh ? Boxed set sales of Windows 95 (and 3.0 and 3.1) were *massive*. People lining up for blocks to buy it at midnight. The most popular selling piece of software at the time. Etc, etc.

This is all back in the days of OS/2 vs. Windows.

I'm well aware. I lived it as an OS/2 user.

This doesn't create security problems.

That's true, it creates usability ones.

And as we use computers more and more everyday, security becomes paramount, even at the price of some features.

Won't happen. The technology will need to improve to offer better security at the same level of convenience.

It would be much more convenient if I didn't have to lock my car doors, or need a key to start it, but because someone might steal it I have to accept a certain loss of convenience.

Oh, come on. The technology exists *today* to completely remove the need for car keys and needing to manually lock and start cars.

Such as?

Think about any time you want to distribute any form of executable code to a large number of users and make it trivially accessible.

You assume that all breeds of cows are similarly vulnerable to viruses [...]

Yes, I do, because as of yet no-one has presented a convincing argument otherwise.

That is not what he says in the article.

Yes, it is. His reasoning - like yours - is circular.

"Windows is fundamentally insecure !" They cry.
"How do you know ?" We ask.
"Because it gets exploited more." They answer.

<A tumbleweed rolls through OSNews. The wind whistles. Crickets chirp.>

There are very few examples in the article - and elsewhere - that are not drawn from this circular reasoning. One is the email attachments issue which - ignoring for a second the fact it's an application, not an OS-related problem - at *worst* makes Windows marginally more vulnerable by removing a single, simple step. Another is some mysterious issue related to installing rogue DLLs that I've never heard of and, quite frankly, don't believe until I read about it from a few independent sources.

This is also ignoring the fact that quite a few of these "dangerous defaults" are there *because users want it that way* and that they are *implementation* problems, not *design* problems. The Administrator-as-default-user, for example, is there because loads of old software needs admin privileges to run. There's nothing in the design of the *system* to require users running as admin all the time, it's the *applications*.

Sure, but OS are NOT equally vulnerable.

Prove it. Heck, just support it with more than a few anecdotal examples and without circular reasoning.

Some serious flaws exist in Windows - flaws which you acknowledge, and even try to argue that they are actually good design decisions - and these flaws now represent a serious security risk.

These "flaws" listed thus far are either application problems or implementation decisions.

RE:Re: Mike (IP: ---.ecsu.ctstateu.edu)
by Anonymous on Wed 8th Oct 2003 02:46 UTC

Name some *design* features present in other OSes that are lacking in Windows. Please remember the difference between *design* and *implementation*.

common sense?

Actually that's a pretty poor example. The only environments where the default auto-login is left enabled will be ones where the people are implicitly trusted - home users and small offices.


I may trust the user but do I trust the software? It is much easier to trust software that is installed as administrator and run as a normal user than software that is run by the administrator.

"None of the Unix or Linux viruses became widespread - most were confined to the laboratory."

It is true that administrators have as many problems with worms etc. as on Windows, but mere users don't have to worry that they will do something wrong, unlike their Windows compadres.

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it."

It is true that they are the important files, but how many viruses do you know that damage files? Most simply don't.

Administrator != root. Acquiring root privileges exposes a system much more than acquiring Administrator privileges. An Administrator *can't* do "anything he wants to the computer", a root user *can*.

This is only true because it is needed to protect against the thousands of viruses. And in reality an Administrator can do everything with some planning and a reboot. The same can be implemented quite easily on *nix if there was a need for it.

Using the system's HTML engine to render HTML in other applications *is* good design. It's a textbook example of modularity and code reuse which, last time I checked, were considered good software engineering practices.

Normally you would be right, but HTML engines for browsers are so incredibly complicated that it is just better to make a simple HTML engine without the high probability that it contains a known public hole (was there ever a time that there was not a publicly known hole in Explorer without a patch?).


You also forgot to address one important thing: there was a time not even that long ago that Windows had viruses that only did things allowed by the specification. *nix hasn't had those kind of problems for a very long time, if ever.

re
by Anonymous on Wed 8th Oct 2003 02:59 UTC

So basically you're saying that Windows is not suitable for home use... How many home users actually make informed "implementation decisions"? No, they take what's given to them. All these wonderful "features" that make viruses spread so easily could not have been turned off by default? I'll tell you one thing, Apple tends to have the best user experience out there and they seem to be able to lock down their system prior to shipping it to unwitting customers.. Why is that?

@drsmithy
by Great Cthulhu on Wed 8th Oct 2003 03:22 UTC

"What good use is there to execute attachments?"

Internal software distribution, patching, etc.


There are other, much more efficient (not to mention safer) ways of achieving this. As I said, there's no justification for such security holes.

Heck, I just like to be able to run those silly little games without having to save the file somewhere else first.

You do realize that's how a lot of viruses are transmitted, right? Those silly little .exe games that friends send to each other are the ideal vectors for trojans.

"The user should not be able to execute a file just because it has a .exe, .bat, .vbs or .scr extension."

The user should be able to do it if they want to.


And infect their machines...right, I see you fully support the "dumb user" approach to security. Well, some of us actually care about keeping malware out, thank you very much.

Making things harder and more tedious drives users away from your platform. Every little bit helps.

Making people understand that it's for their own good is what's important, not lulling them into a false sense of security (which is what you were accusing Linux advocates of doing in the first place).

Incidentally, this whole debate around email attachments that is supposed to be indicating poor OS design is doing nothing of the sort, since it's an application issue, not an OS one.

The fact that file extensions determine what is executable or not is an OS issue, the fact that Outlook doesn't prevent it is an application issue.

That was a rather interesting assertion. I'd be very interested to see a) an explanation and b) proof.

http://securityresponse.symantec.com/avcenter/venc/data/w32.invictu...
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ii...


"This doesn't create security problems."

That's true, it creates usability ones.


Security problems supersede usability ones - because when your system is hosed due to malware you can't use it at all!

Won't happen. The technology will need to improve to offer better security at the same level of convenience.

Yeah, right. One of the most vulnerable links is social engineering. Believe me, once you get your system infected, you learn how to protect yourself. People do learn.

"Sure, but OS are NOT equally vulnerable."

Prove it. Heck, just support it with more than a few anecdotal examples and without circular reasoning.


No. You prove that all OS are equally vulnerable. You have said yourself that there are security flaws in Windows, supposedly because users "want it", as if it was the user's fault these security flaws had been incorporated...when was the last time MS asked YOU what features you wanted, warning you at the same time that it could lead to your system being damaged?

In any case, you have admitted that Windows is less secure because of these features, which proves my point.

competition
by Anonymous on Thu 9th Oct 2003 17:20 UTC

Windows misses competition, which means everybody uses the same security settings, even stupid things like autorun of executables, and if they don't run with the standard security settings then they are smart enough to work around the problems. On Linux, on the other hand, you have competition: normal users may run highly secured computers, so a programmer has to make sure that it will also work on those machines. So competition makes the whole environment more secure.

31 un-patched holes in IE
by Anonymous on Thu 9th Oct 2003 17:23 UTC

that is bad