Linked by David Adams on Mon 6th Oct 2003 19:34 UTC
Bugs & Viruses It's an oft-repeated maxim that one of the reasons that Windows operating systems are plagued by so many viruses, worms, and security exploits is because they are so popular. Extrapolating on this, many have remarked that if Linux, MacOS, or other OSes become more popular, they will attract the attention of virus writers. That may be true, but the increased attention will not necessarily yield the same quantity of viruses and other exploits, says a Register article. Update: Rebuttal article.
Permalink for comment
To read all comments associated with this story, please click here.
@drsmithy
by Great Cthulhu on Tue 7th Oct 2003 21:18 UTC

No, it isn't. The end user must take deliberate steps to run an executable from a mailer in both OSes. Barring coding bugs, it is not the default and it is not automatic.

It's arguable that allowing the capability at all is bad, but firstly that's getting into "slippery slope" territory (who decides what capability is good or bad), secondly it's not really the issue and thirdly there's a fair chunk of people out there (like me) who think it's a nice option to have.


Yes, the capability is bad, because it serves practically no purpose. What good use is there to execute attachments? And despite what you're saying, it is exactly the issue. The user should not be able to execute a file just because it has a .exe, .bat, .vbs or .scr extension.

I'm pretty sure an .scr is just a data file and the exploit using it was utilising a buffer overflow in the screensaver code. That's something any handler application is potentially vulnerable to.

You make the incorrect assumption that .scr is only used for screensavers. The extension is actually used for more than this, one of the use being for executable scripts:

http://filext.com/detaillist.php?extdetail=SCR
http://www.corbinball.com/articles_security/index.cfm?fuseaction=co...

I've seen lots of HTML emails out there using fancy things whose creators wouldn't like it much if they suddenly stopped working.

Your equating some frivolous (and annoying) habit some people have of making complex HTML messages that don't display well on all mail clients (even on Windows) with the potential security risk that someone may gain access to your files and/or system and scrap it or use it for malicious purposes. This kind of attitude is exactly why computer security is in such a sorry state.

The point I'm making is that whether the end user has to select a different option in a dialog box or run a single shell command is largely semantic - the "hard" part is convincing them to do either.

Making things harder and more tedious reduces the risk. Every bit help.

I don't think users are idiots, I think they make poor choices relating to using computers - and will continue to do so.

Well I think that people do educate themselves about these things. It takes time, but habits do change.

Any definition you use to call Microsoft a monopoly, also marks Apple as one.

What, Apple holds 90%+ of the personal computer OS market? It has a 90% monopoly over the Office suite market?

Again, this is an old, tired and incorrect argument. Oh, and of course, the courts have ruled that MS does indeed represent a monopoly, and have abused their monopoly status. Until U.S. courts decreed that Apple is a monopoly, I will stand by this statement: MS has a monopoly, Apple doesn't. 'nuff said.

Perhaps in some academic sense, this might be true. In the real world, the more common an OS is, the more likely it is to be attacked, the more likely it is to be used in riskier scenarios, the more likely attackers will find a weakness and the more attractive target it makes to exploit that weakness.

Again, these have nothing to do with vulnerabilities that are intrinsic to the OS, such as the aforementioned ability to run any file with a *.exe, *.bat, *.vbs, *.scr extension, or the fact that a non-Administrative user can install *.dll files that can be run at a higher level of privilege. These are basic vulnerabilities that are present regardless of the OS's popularity.

"Either a system is vulnerable, or it isn't."

And this *certainly* isn't true.


Well, let me rephrase that, then: either vulnerabilities exist in a system, or they don't. Making the system more popular won't create new vulnerabilities.

"[...] but because it came preloaded on every PC back in the days of Win95.

If you want to argue that, then you'll need to go back further than Windows 95. Of course, even then - just as at all times - it's been possible to buy PCs without Windows, or any OS at all.


Actually, if you look back at PC history, Windows rarely came preloaded before Win95. Preloaded systems are generally credited as making Win95 a success (boxed set sales were disappointing). This is all back in the days of OS/2 vs. Windows.

Or, to play devil's advocate and turn it on its head, the functionality lacking on the unix side is having file attributes carried along with an attached file.

This doesn't create security problems. And as we use computers more and more everyday, security becomes paramount, even at the price of some features. It would be much more convenient if I didn't have to lock my car doors, or need a key to start it, but because someone might steal it I have to accept a certain loss of convenience. Same thing applies to computers.

"But the fact is that this does not have any real utility: how often do you need to execute an attachement?"

Within a corporation, I can see some uses.


Such as? I can't see any. In a development framework, you'd use some kind of source control mechanism and file sharing. There is no good reason to justify the ability to run attachments - or even to arbitrarily try to execute some files based on file extension.

Actually, [monoculture] makes vulnerabilities more likely to be found, exploited and propogated.

Finally, you concede that a "monoculture" doesn't make an OS more vulnerable. Good. I was beginning to think you were in bad faith.

Even if we assumed Windows and other OSes are at equal levels of "vulnerability", we'd still expect to see a vast bias towards Windows in terms of actual exploits and damage caused.

Sure. That doesn't have anything to do with basic vulnerabilities found in the system, either through bugs or bad design decisions. The two are unrelated.

There are many breeds of cow. Some breeds are vulnerable to some viruses, other breeds are vulnerable to different viruses. However, one breed of cow has become dominant, making up 90% of the cows in the country. Statistically speaking, which breed of cows would you expect to suffer the most casualities do to sickness? Which breed of cows would you expect to see contract illnesses more often? Which viruses would you expect to see spread the fasest throughout the bovine population?

You assume that all breeds of cows are similarly vulnerable to viruses, but in fact some breeds are stronger than other. The cows are not more vulnerable because they are prevalent. However, having a vulnerable species being prevalent increases the damage that may be caused by an epidemic.

The reason this guy perceives Windows as "more vulnerable" is because it gets exploited more often, exploits spread faster and the damage caused by exploits is greater.

That is not what he says in the article. I know that's what you're trying to have him say, but in fact the guy presents specific issues (such as executable attachements and file extensions, plus .dll that can be installed by a normal user but that run as root) that show that there are some security flaws intrinsic to Windows, which are made worse because Windows is so prevalent.

EVEN IF EVERY OS WAS EQUALLY VULNERABLE, YOU WOULD *STILL* EXPECT THIS TO HAPPEN BECAUSE WINDOWS MAKES UP THE VAST MAJORITY OF THE MARKET.

Sure, but OS are NOT equally vulnerable. Some serious flaws exist in Windows - flaws which you acknowledge, and even try to argue that they are actually good design decisions - and these flaws now represent a serious security risk.

BTW, shouting won't make your point any more valid, and may cause your post to be modded down.