Linked by Amjith Ramanujam on Sat 19th Jul 2008 19:01 UTC, submitted by cypress
Linux and UNIX-like operating systems in general are regarded as being more secure for the common user, in contrast with operating systems that have "Windows" as part of their name. Why is that? When entering a dispute on the subject with a Windows user, the most common argument he tries to feed me is that Windows is more widespread, and therefore, more vulnerable. Apart from amusing myths like "Linux is only for servers" or "does it have a word processor?", the issue of Linux desktop security is still seriously misunderstood.
Permalink for comment 323949
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Recent Original Stories
Recent Comments
Headlines
Random Comments
Random Stories
Random OS Link
Member since:
2006-01-16
Thanks for joining the discussion as an MS employee.
. This is no overlooked security problem. It is insecurity by intention, due to other reasons though. Doesn't help the user much..
I just want to answer your questions on WMA/OGG and ActiveX. I don't believe that MS produces more buggy code than others. I know there are many talented people working in your company and I guess they should all be well aware of buffer overflows and other bugs which can be exploited and avoid them. Sure there could be as likely exploitable input processing in OGG as in WMA. But we are talking about a different issue here.
The problem here is philosophy.
Neither OGG nor MP3 or any other sane media format includes the possibility to define a website where a decoder should be downloaded and afterwards instantly run. WMA includes this, so people want to listen to a WMA filed and asked by WMP to "install necessary codec?" which they say "Yes" to and there they have the virus. It even silently transcodes MP3 files on the user's machine to (infected) WMAs just because MP3 doesn't come with this "feature".
ActiveX are objects which have the same power as executables. But they are not treated us such by MS's software, instead they can be distributed in various different ways which I would call unsuited at best. A website can deploy an ActiveX object which Internet Explorer is more than willing to install (it's like "install this active x component?" Yes). Because MS wanted to market ActiveX and use it as a "killer feature" to dominate the web (after the failure to overtake Java, court case won by SUN) it was in the vendor's interest to make it as easy and unquestionable to the user as possible to say Yes to just every ActiveX around. Then there were some rough security bounds ("zones") but hundreds of ways were found to get beyond those borders. Some years ago you could read about new ActiveX holes at least once per week!
The program can be as robust as it can be, if the philosophy behind it is weak. Every sane person knows that it is never a good idea to automatically download and execute code from the internet. As we saw, software like the Windows Media Player still does exactly that. MS obviously still didn't learn the lesson, or perhaps just refuses to do so (we have virus scanners everywhere for that now