Linked by David Adams on Mon 6th Oct 2003 19:34 UTC
Bugs & Viruses It's an oft-repeated maxim that one of the reasons that Windows operating systems are plagued by so many viruses, worms, and security exploits is because they are so popular. Extrapolating on this, many have remarked that if Linux, MacOS, or other OSes become more popular, they will attract the attention of virus writers. That may be true, but the increased attention will not necessarily yield the same quantity of viruses and other exploits, says a Register article. Update: Rebuttal article.
Re: Great Cthulhu (IP: 209.47.215.---)
by drsmithy on Wed 8th Oct 2003 02:10 UTC

Yes, the capability is bad, because it serves practically no purpose.

For you.

What good use is there to execute attachments?

Internal software distribution, patching, etc.

Heck, I just like to be able to run those silly little games without having to save the file somewhere else first.

And despite what you're saying, it is exactly the issue. The user should not be able to execute a file just because it has a .exe, .bat, .vbs or .scr extension.

The user should be able to do it if they want to.

You're equating some frivolous (and annoying) habit some people have of making complex HTML [...]

Something you consider frivolous, other people may consider extremely useful. Some people consider the ability to drag & drop between applications frivolous. Some people consider universal cut & paste frivolous. Heck, there's a lot of people out there who think anything more than a screen full of xterms is frivolous.

[...] messages that don't display well on all mail clients (even on Windows) with the potential security risk that someone may gain access to your files and/or system and scrap it or use it for malicious purposes.

Only due to coding bugs. The concept itself is sound.

This kind of attitude is exactly why computer security is in such a sorry state.

Yes, yes. We should all go back to serial terminals hanging off mainframes - they were secure.

Making things harder and more tedious reduces the risk. Every bit helps.

Making things harder and more tedious drives users away from your platform. Every little bit helps.

Incidentally, this whole debate around email attachments that is supposed to be indicating poor OS design is doing nothing of the sort, since it's an application issue, not an OS one.

Well I think that people do educate themselves about these things. It takes time, but habits do change.

You've got more faith than I do. 15 years ago you had to call a company up and convince someone you were from the IT department so they'd give you their password. Today you send them an email promising porn. In 15 years you'll probably be able to walk past them with a bluetooth dongle in the subway and download their entire credit history from their e-wallet because they didn't change the default password.

History does not suggest these habits are going to improve.

Again, these have nothing to do with vulnerabilities that are intrinsic to the OS, such as the aforementioned ability to run any file with a *.exe, *.bat, *.vbs, *.scr extension [...]

That's an application issue. If you want to call it an OS issue it's like saying unix is intrinsically vulnerable because anything set +x is executable.

[...] or the fact that a non-Administrative user can install *.dll files that can be run at a higher level of privilege.

That was a rather interesting assertion. I'd be very interested to see a) an explanation and b) proof.

Certainly if it's really as bad as he suggests, every worm in the world would be using it.

These are basic vulnerabilities that are present regardless of the OS's popularity.

Things like sudo and SUID binaries are basic security design flaws as well. Every OS has its share.

Making the system more popular won't create new vulnerabilities.

It will, however, make the more popular OS more likely to be exploited.

Actually, if you look back at PC history, Windows rarely came preloaded before Win95.

Eh ? Perhaps you're forgetting the massive impact (at the time) and spread of Windows 3.0 and 3.1. And that whole per-processor licensing kerfuffle that the Microsoft-haters love to talk about ? That was *DOS* and *Windows 3.x*. Windows 95 wasn't even *conceived* when that was happening.

Microsoft's massive market share was established by DOS and cemented by Windows 3.0 and 3.1. Windows 95 and followers were following a path already well trodden. Saying Windows 95 made any major contributions to Microsoft's commanding marketshare is just pure revisionism.

Preloaded systems are generally credited as making Win95 a success (boxed set sales were disappointing).

Huh ? Boxed set sales of Windows 95 (and 3.0 and 3.1) were *massive*. People lining up for blocks to buy it at midnight. The most popular selling piece of software at the time. Etc, etc.

This is all back in the days of OS/2 vs. Windows.

I'm well aware. I lived it as an OS/2 user.

This doesn't create security problems.

That's true, it creates usability ones.

And as we use computers more and more everyday, security becomes paramount, even at the price of some features.

Won't happen. The technology will need to improve to offer better security at the same level of convenience.

It would be much more convenient if I didn't have to lock my car doors, or need a key to start it, but because someone might steal it I have to accept a certain loss of convenience.

Oh, come on. The technology exists *today* to completely remove the need for car keys and needing to manually lock and start cars.

Such as?

Think about any time you want to distribute any form of executable code to large number of users and make it trivially accessible.

You assume that all breeds of cows are similarly vulnerable to viruses [...]

Yes, I do, because as of yet no-one has presented a convincing argument otherwise.

That is not what he says in the article.

Yes, it is. His reasoning - like yours - is circular.

"Windows is fundamentally insecure !" They cry.
"How do you know ?" We ask.
"Because it gets exploited more." They answer.

<A tumbleweed rolls through OSNews. The wind whistles. Crickets chirp.>

There are very few examples in the article - and elsewhere - that are not drawn from this circular reasoning. One is the email attachments issue which - ignoring for a second the fact it's an application, not OS related problem - at *worst* makes Windows marginally more vulnerable by removing a single, simple step. Another is some mysterious issue related to installing rogue DLLs that I've never heard of and, quite frankly, don't believe until I read about it from a few independent sources.

This is also ignoring the fact that quite a few of these "dangerous defaults" are there *because users want it that way* and that they are *implementation* problems, not *design* problems. The Administrator-as-default-user, for example, is there because loads of old software needs admin privileges to run. There's nothing in the design of the *system* to require users running as admin all the time, it's the *applications*.

Sure, but OS are NOT equally vulnerable.

Prove it. Heck, just support it with more than a few anecdotal examples and without circular reasoning.

Some serious flaws exist in Windows - flaws which you acknowledge, and even try to argue that they are actually good design decisions - and these flaws now represent a serious security risk.

These "flaws" listed thus far are either application problems or implementation decisions.