Home > Windows > Researchers find holes in XP SP2 Researchers find holes in XP SP2 Eugenia Loli 2004-08-19 Windows 65 Comments Two software flaws could let virus writers and malicious hackers sidestep new security features. About The Author Eugenia Loli Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker. Follow me on Twitter @EugeniaLoli 65 Comments 2004-08-19 5:59 pm that didnt take long 2004-08-19 6:05 pm Does this mean there will be an SP3? Or just a patch to patch SP2 that was a patch in itself? 2004-08-19 6:05 pm “For example, users can open files using text commands issued through the Windows command prompt, a standard Windows feature, without being warned about the risk associated with opening the file. The “flaw” is that if you download an application and run it through cmd.exe it won’t warn you first. download app, run cmd.exe cd to /path/to/app then manually run it. or drag and drop the app to a CMD icon. The article intentionally avoids pointing out just how minor this flaw is and seems more focused on creating problems. 2004-08-19 6:06 pm Did you guys even read the article? My guess is no. 2004-08-19 6:08 pm http://secunia.com/advisories/12321/ 2004-08-19 6:11 pm Oh yes, and as usual despite many valid problems with SP2 the tech media seems more concerned with things that inspire knee-jerk reactions from the pupputs. What does it feel like to have people think for you? 2004-08-19 6:13 pm I read parts of it “Neither security hole could be exploited by a remote attacker, and both require Windows users to take actions, such as opening the Windows command shell, or renaming files to overwrite other files on Windows, he said.” 2004-08-19 6:18 pm NOTE: Even though the PoC depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead. —- so much for percieved security advantages. good luck is getting this patched again 2004-08-19 6:25 pm http-equiv has posted a PoC (Proof of Concept), which plants a program in the startup directory when a user drags a program masqueraded as an image. Go download this program: http://www.mlin.net/StartupMonitor.shtml Problem solved. As for the vunerability in the article linked: Unless you run the file from cmd.exe or rename it before launching, and ASSUMING the file is of a malicious nature, this shouldn’t be a problem. 2004-08-19 6:56 pm Isn’t this a mirror story to the actual Heise story on here earlier? 2004-08-19 6:59 pm Honestly. Those of us who work with the Redmond platform on a daily basis were surprised. 2004-08-19 7:02 pm Darius, the average computer user isn’t gonna use a startup monitor program. The average Joe is gonna drag and drop a file to his desktop and never realize what hit him. I think it’s safe to say that 99% of the security warnings for Windows do not affect power users who understand security, but the stupid masses who can barely operate a computer. We’ll need a patch to patch a patch that patches a patch that patches an OS. Whew. 2004-08-19 7:13 pm If these “holes” make you afraid, you better stop using computers… 2004-08-19 7:14 pm Nah, that won’t worry me – all of my users are too thick to do that on their own & would ring IT to find out how… 2004-08-19 7:16 pm Or stop using Windows 🙂 2004-08-19 7:17 pm The proof of concept mentioned in the Secunia advisory can be found here: http://www.malware.com/wottapoop.html 2004-08-19 7:29 pm Were these people on the Beta team? How many people waited for bug hunting until it was released just so they could have the dubious glory of finding holes in the released product? If they had joined the team they could have stopped this “problem” at the source [/pun] and been helpful. Now I just think they’re attention whores. 2004-08-19 7:38 pm Darius, the average computer user isn’t gonna use a startup monitor program. The average Joe is gonna drag and drop a file to his desktop and never realize what hit him. Agreed. As I said before, SP2 is the ‘dumb-ass user’ patch, but it seems that even that isn’t enough. God help these people if they ever switch to Linux. Security on Windows isn’t exactly brain surgery, so they wouldn’t stand a chance. 2004-08-19 7:46 pm Major Linux flaw has been found. When the user logs into the root account, removes the password from that account, and allows remote connections, an attacker will be able to invade the computer and wreck havoc. </sarcasm> Sorry folks, but nothing will prevent stupid people from being stupid. 2004-08-19 8:01 pm I predict they’ll find more. 2004-08-19 8:52 pm meh as said before, this isn’t really a security issue… ok so what they don’t prevent dumb users from being dumb. 2004-08-19 9:03 pm “If they had joined the team they could have stopped this “problem” at the source…” Also they could have simply told MS without making it public and tipping off the malware people. 2004-08-19 9:05 pm Starts to make you wonder what an advanced AI would think of this. Hmm, the problem is obviously users. Ergo we must remove all users. Commencing countdown… 2004-08-19 9:40 pm Well this isn’t really a security bug. It’s more like a flaw in the system. Microsoft introduced the marking of internet content as a help to the user. It shouldn’t be that the commandline ignores that mark. So somehow it is a bug, but I won’t put in in the category “security”. 2004-08-19 9:42 pm “The ZoneID records the Internet Explorer security zone from which the file originated. Internet Explorer security zones assign different levels of security permission to different sources of files and data.” This sounds like a good idea, until you factor in the rest of the Windows security stack on top of it. Although Windows is not my main OS, I’ve found the security on recent Windows distros to be very comprehensive, but very complex. I don’t feel safe unless I understand the whole of what the computer is doing. It seems like they keep on adding layers, but the weak link is that the user simply does not have a clue what all those layers are doing, and how they interact. 2004-08-19 10:01 pm I tried the proof of concept at http://www.malware.com/wottapoop.html and windows gives me a warning before I can run the file. Where is the security hole people are talking about? 2004-08-19 10:05 pm Nevermind, just noticed that it copied itself to my startup folder. That is a problem. 2004-08-19 10:11 pm There seems to be this air of superiority from a lot of geeks who apparently think people deserve to get malware just because they’re not as experienced with computers as the geeks are. No doubt, I could find some automotive forums where they regularly ridicule anyone who can’t rebuild their own transmission. By that line of reasoning, I guess some of us ought not be driving since we’re stupid. 2004-08-19 10:44 pm You laugh, but my flatmate did exactly that while playing with Mandrake on his laptop. His argument? Nobody on the [house] network would screw with it. Which was true. Until he plugged in the wireless card. 2004-08-19 10:52 pm Seriously, if you get tricked by it you don’t belong in front of a computer…. Actually, I’m afraid for you walking into a store. When they tell you that your car will run forever without a problem, do you believe them too?! I’m no Windows defender, I’m usually condemning it’s antics, but in this case….PLEASE! 2004-08-19 11:11 pm That is what researches say: Attack Vector. A virus author could create an e-mail worm like this: Attached: access.gif Hello, attached you find the copy of your access data you requested. For security reasons, the file is scrambled and can only be viewed with cmd. To view it, save the attached file, execute “cmd” from the start menu, drag&drop the file into the new window and hit return. cmd will descramble the file for you. If the user follows these instructions, the attached file is executed without any warning. ———————- In my opinion, if user follows this type of instructions, even inherently more secure (Linux) or inherenty more friendlier OS (Mac) has a hole in it. 2004-08-20 12:26 am well, im not sure what permissions are like on osx, but a user without root access is not able to compromise a system on *nix. worst thing that could happen is they trash their files by following something like “type rm -Rf ~ in a terminal” 2004-08-20 12:49 am No doubt, I could find some automotive forums where they regularly ridicule anyone who can’t rebuild their own transmission. By that line of reasoning, I guess some of us ought not be driving since we’re stupid. I used to think along those lines. The problem is that stupid users affect EVERYONE on the net. A few stupid users can wreak havoc with spam, DDOS, worms, virus propogation, etc. If you can’t fix your own transmission you bring it to a professional, there is no harm in that. If you try to fix your own transmission and you have no clue how, you could cause serious problems for those around you. That’s not only stupid, but irrsponsible. Back on subject though. This is not that big a deal. All software has flaws and if this is the worst they have come up with then it’s not such a big deal. As soon as they find another remotely exploitable flaw that will allow the propogation of worm, which then affects all of us, I will jump back on the MS-bashing bandwagon. I still hate MS but this is too minor to even mention. I can’t stand MS users comparing minor flaws in Linux with catastophes in Windows that lost billions of dollars for companies, so the last thing anyone needs to do is give them ammunition by hyping this crap. 2004-08-20 1:34 am Sure sure the iptable DoS wasn’t a prob at all. I mean, if an attack could freeze windows when you enable the firewall, i’m sure no one would laught ? (source: http://www.gentoo.org/security/en/glsa/glsa-200407-12.xml) You know what ? no one spoke about it. It was recent. It happens every month or so for a hole of this scale. What’s important is that they fix problems, even if they’re sometimes minor, being Linux or Windows. But Windows ain’t that evil anymore, it’s just some media food for our media controlled mind and society. 2004-08-20 3:11 am While I agree that there is a lot of elitism here, I think your analogy is rather flawed. People need to get a drivers license to legally drive a car, if they are too “stupid” to get a license that simply proves that they shouldn’t be driving. There’s a huge difference between knowing how to drive and knowing how to build or repair a car, just as there’s a huge difference between knowing how to use a computer and knowing how to build/repair one. In theory, I think it would be nice to require a license for people to get an internet account. However, it would be impossible to introduce such a thing. So let’s just pray that the schools are doing a decent job at educating the next generation of computer users. A computer that’s connected to the net can in fact harm innocent people, so it would be nice if the user learned how to operate the machine, but people just don’t seem to think about the possible consequences of their actions. So if some virus erase all their documents perhaps they will start thinking about what they are doing and educate themselves a bit more. So those arrogant people actually do have a point. 2004-08-20 4:00 am ‘worst thing that could happen is they trash their files by following something like “type rm -Rf ~ in a terminal”‘ For some people, this is everything, who cares if they get root access. I’d be mighty pissed if all my project files were deleted by some asshat hacker. Sorry, but this is just as bad, if not worse in some cases. I’ll stick with Windows thanks. 2004-08-20 5:11 am um…. that was the command to do a recursive delete. i believe the equivilent dos command is deltree, but im not sure (i have only basic knowledge of the windows cli) someone following instructions to delete all their files isnt a linux problem, its just a user being exceptionally dumb. what this is about is a user installing a trojan/worm. the biggest difference that i see is instead of an exceptionally dumb deleting their files, instead they start sending spam to my inbox. that being said, we have to be talking about true idiots here, i would consider this a minor issue that ms didnt take into consideration. 2004-08-20 5:55 am @me firstly would you be stupid enough to do that ? would anyone be stupid enough to do that? “Hello this is an Irish virus. We don’t have the sophisticated tools others have, so please delete all of your files and reboot the computer. Tankya very much Paddy o harry” That comment reminds of the above joke.. I’m sorry people can be stupid, incredibly stupid and are even more stupid behind computers, all sense of logic seems to leave em. But if they follow the instructions of the email, word for word they deserve to have their files wiped.. They will learn next time to not be so naive. and how many people would genuinely follow this advice, its not like installing a fresh copy of windows, putting it onto the net to get the patches and have the computer affected by sassar (or whatever.. cant remember its name cba to search for it right now) It has happened to me before, taught me to connect a fresh installed windows box live on the net without using a firewall. imho your security is a joke if that just happens. True the service packs patch this, but its not a good state of events for tested software to have that sort of flaw, it shows theres something fundamentally wrong with your security. Yeah sure I can sit down and pre patch my windows cd make whatever cds and install that, but why should I ? thats the question. Theres a lot of things in windows that leaves a bad taste in my mouth I’ve paid for the damn thing and I expect it to just work.. But it never quite seems to, it always gets screwed up. Thats the fundamental flaw, thats why we have millions of zombie spam bots (controllable open relays) sitting on the net annoying every one. This is not one Linux addresses, Linux does not pretend to be the “tv” no you don’t just switch it on to watch your program.. It’s more like a vcr you have to read the damn manual before you learn how to use the thing. Some people will never get used to this, some just cant do it, for them theres windows or Mac OSX.. Linux will however “always” require some education.. It even educates the user about the drive etc while installing. So it tends to give knowledge.. A lot of the beginners wont be able to do everything but its picked up along the way.. Generally the community on the net tends to be quite friendly to beginners after all most of use were beginners at one stage, but thats the key it tries to educate the end user, instead of cutting security to keep them dumb. How many of you after using linux for two months cant say that they learned something new about their comp or about how it works.. I was learning like a maniac at first, it can have quite a large learning curve no matter how polished the eye candy appears, (Like vcrs of today it can auto setup itself aswell).It is after all industrial strength, what you are running for your desktop can quite easily be adapted to being a server the kernel will sit there happily and deal with the load. Thats another of its strengths its layered well, It can be anything with the right applications. I’m sorry I don’t mean to start a flame war with this. This is just my thoughts that have been nagging me for a while. End user ease is a good thing but as long as it doesn’t become counter-intuitive. The computer is an electronic device it can be used as a games console or an entertainment console. Its a multi purpose tool, its complexity far out weighs the complexity of a vcr, yet a vcr comes with a comprehensive manual with the obvious always stepped out. 2004-08-20 6:31 am Okay, so in order to get past the attachment user flaw is to download the malicious code, rename it to a trusted filename such as notepad.exe and execute it and its something that cannot be done remotely. Something the average user isnt going to do. I can see joe user now, DUUUUH lets rename this file and execute it becuase I just want to. Is this an actual flaw or an attempt to spread more FUD about SP2? Seriously people, grow up. 2004-08-20 7:20 am “In theory, I think it would be nice to require a license for people to get an internet account. However, it would be impossible to introduce such a thing. So let’s just pray that the schools are doing a decent job at educating the next generation of computer users. ” Ha. Keep dreaming. I work in a school and the teachers are even better at doing stupid things than the students are. And the coursework is even more superficial than it was ten years ago (e.g. I was taught ten years ago to use styles when word processing in grade 9. Today’s grade 12 do the “style” section of the course completely bypassing proper styles.) The security section of there course covers no modern day security issues like the web and email, whilst covering viruses and trojans superficially. 2004-08-20 10:06 am For some people, this is everything, who cares if they get root access. I’d be mighty pissed if all my project files were deleted by some asshat hacker. Sorry, but this is just as bad, if not worse in some cases. I’ll stick with Windows thanks. ———- apparently for someone who cant differentiate between having root access and normal user access in a system you better stick with windows. if a user deletes all of his files as a normal user only his files gets deleted. this is the maximum possible security ANY operating system can provide. its not about losing a project file to a cracker(not a hacker), its about accidentally deleting your OWN files and still not lose the system 2004-08-20 1:04 pm There seems to be this air of superiority from a lot of geeks who apparently think people deserve to get malware just because they’re not as experienced with computers as the geeks are. Well, I’m talking inparticular about the people who continue to double click on anything that comes down the pipe, even after they have been REPEATEDLY told not to do so, and some of them do it even after they’ve been nailed by a virus. 2004-08-20 1:16 pm For some people, this is everything, who cares if they get root access. I’d be mighty pissed if all my project files were deleted by some asshat hacker. Sorry, but this is just as bad, if not worse in some cases. I’ll stick with Windows thanks. ———- apparently for someone who cant differentiate between having root access and normal user access in a system you better stick with windows. if a user deletes all of his files as a normal user only his files gets deleted. this is the maximum possible security ANY operating system can provide. its not about losing a project file to a cracker(not a hacker), its about accidentally deleting your OWN files and still not lose the system ——————– The fact is that today computers have more than one account on the system. Even if I agree with the fact that lossing all is document is already too much, I don’t see it more clever to let other user lose their data in the same wave. But in the case of a rm -rf *, it irrelevant because, I think, windows also have a per user security per default (I’m not sure) But in case of spying/virus/etc…, it sure make the difference. 2004-08-20 1:32 pm SP2 was pre-announced for so long now as the final security patch to make XP secure. Just like XP was announced way in advance to be the most secure OS from Microsoft. Just as NT4 was supposed to be….. SP2 probably includes some security patches, but if vulnerabilities are found after less than 1 week…. how good will it do to install it? It’s still full of security holes as researchers demonstrated. Until Microsoft revises the architecture of their OS (which they won’t for sound business reasons), Windows will never be secure. Windows is one big blob and Microsoft now shows clearly they can’t patch it or make it right. Linux has a much better architecture, and in the rare case a vulnerability is found, it is patched in a day, rather than after 6 months in the case of certain security holes in Windows and other Microsoft products (article in news.com a few months ago). The discovery of security holes in SP2 is a cold shower to the heavenly vision Microsoft has been trying to sell us for a year now, since they said SP2 would be available in October 2003. Sorry to sound negative, and i will probably be moderated for expressing a negative opinion on Microsoft on this site, but it’s just facts. Microsoft products are not architectured to be secure. Therefore they will never be secure. 2004-08-20 1:56 pm XP lite, anyone? 2004-08-20 2:55 pm Oh boy, another guy spreading FUD. Did you read the article? What are you talking about? Linux better architecture? Do you know what the heck are you talking about? Do you know linux kernel internals or windows nt kernel internals? Do you know how to program??? Please, stop spreading FUD. 2004-08-20 4:51 pm Did you read the article? What are you talking about? Linux better architecture? Do you know what the heck are you talking about? Do you know linux kernel internals or windows nt kernel internals? Do you know how to program??? Actually, my answer is YES to all your questions. Stop criticising people a minute and understand some on this board have a broader understanding than yours 🙂 2004-08-20 6:28 pm Microsoft products are not architectured to be secure. Therefore they will never be secure. Well, you’re half right anyway, at least in the case of Windows. Just because it is not secure out of the box doesn’t mean that it can’t be secure in the hands of the right user with very little effort. I can sit down for 20 minutes with someone who has little more than a basic understanding of Windows and show them what to do and what not to do in order to stay secure. I mean, don’t use IE, don’t double click on attachments with these extensions .. you don’t exactly have to have an IT degree in order to understand this tuff. 2004-08-20 6:55 pm I mean, don’t use IE, don’t double click on attachments with these extensions .. you don’t exactly have to have an IT degree in order to understand this tuff. You are right, and they usually get it. But the next day, they have forgotten about it….. I talk based on corporate experience. These people are not IT experts. They have other expertises and in the course of their work, they will open an attachment. The proof is in the fact viruses spread. Even if people are told not to open attachments for example, they open them. This is why a secure OS is important. This is why relying on training users to use Windows in some ways but not in other ways is not a solution. Users need a tool, not a constraint that slows their own productivity. Windows is not secure. And many MS apps are not either. On top of my head: Windows, Outlook, VBA, IE, Etc……. It’s appaling how many viruses and holes Microsoft products have shown *over the years*. Those (not you) who think this is FUD have actually not been in IT for long, but they think they know it all and trust the press. Anyone with at least 10 years experience will *remember* and agreee that Security has never been a priority for MS. And now it’s too late to fix things. It would cost MS far too much. I am amazed at how PR can be effective with uneducated minds 🙂 2004-08-20 8:02 pm Windows is not secure. And many MS apps are not either. On top of my head: Windows, Outlook, VBA, IE, Etc……. ————— Well, My Microsoft Flight Simulator 2004 has no security hole yet 😉 2004-08-20 9:16 pm All right, I suppose I could have worded that differently. My only point is that people don’t deserve to have their pcs rebooted by Sasser or sent to porn sites by the Coolwebsearch malware just because they make mistakes. I’m not even ripping on Windows here, but like Omega I’m saying the computer(or rather the OS)has to protect people from themselves. Like Abraxas pointed out, they make mistakes and the whole Net is affected. But yet people must use the internet, must get used to using it. E-Commerce is a great thing, research and communications capabilities are without parallel to where I don’t know we ever survived without the internet. And like Bill Joy pointed out, we’re just lucky most of these malware people are not writing the kind of hardrive devouring virii that could really shut down parts or most of the web. Also it’s one thing to have a Lex Luthor type of evil genius criminal messing with people’s computers from afar, but when some fat bald kid from Minnesota can do it, then it’s simply too easy. 2004-08-20 10:11 pm is that the previous version of windows update did not require Background Intelligent Transfer Service to be running in order to download and install updates but now, in order to even get the viewable list SP2 files, you must have it running on your system. I’ve got mine turned off for a reason. Less services to exploit and less resources my PC must continuously support in the background. Why do they have to have a back door service running in order to install an update? Can I turn the service on long enough to install the updates and then turn it off after I have everything installed or will that crap out my machine if I do? Since I already use both a hardware and software firewall, antivirus program, three different spyware programs to redundantly check my system, don’t use either IE or OE, have all non-required services turned off via services.msc and msconfig, and have XPlite installed, I’m leaning towards not even bothering with attempting to jump through the hoops they now require. 2004-08-20 11:11 pm a user without root access is not able to compromise a system on *nix. You may be surprised to learn how much damage a user without the root access can do to himself or Internet by running malware. Use your imagination. Can user run a program? Can user send tons of emails? Can user open Mozilla and start hitting same Web site over and over? So can malware running under user account, and much faster. It can also run and listen for commands from remote host. Yes, you’ve got it right: a malware making computer a zombie does not need root access. But wait, there is more! If hacker planted malware to run under user account, he has only to wait until the next local Linux exploit is found. This year, the wait between exploits is not that long. Neve3r mind, they tell us: local access is required. Well, duh! As soon as exploit is published, a hacker can upload it to malware running under user account, execute it and get root. See, it was not that hard. worst thing that could happen is they trash their files I would guess, you keep nothing on your computer but songs and movies you downloaded for free and don’t worry to lose. For most people worst thing could happen is malware trash user files. OK, OK, to explain you in terms you can grasp: look around you room. It is all your stuff around a computer. Now, imagine it all gone, all I say, just the empty walls are left. There is running water, there is electricity, there is heat/air- but nothing else. You are sitting on the floor, naked, in the empty room of your empty apartment. How would you like that? Sure, now you would say that having all your valuable posessions lost is still a big deal. Who cares about the damn building! Not to be cynical, but for you it will not differ very much if you are sitting naked on the grass in front of empty lot which was your building, trying to realize where building and all your stuff dissapear- or you sitting naked inside empty building trying to understand where all you stuff gone. No difference at all. 2004-08-21 1:09 am use linux today? lol 2004-08-21 4:46 am For some people, this is everything, who cares if they get root access. I’d be mighty pissed if all my project files were deleted by some asshat hacker. That’s why backup exists. You should always backup your computer at regular intervals. What if the hard disk dies a horrible death? What if your computer gets stolen? What if you delete a file by accident. Malware isn’t the only reason to do backups, you know? Meanwhile, malware that has administrative rights can do far worse than erase your files – it can set up your box as a relay (for spam, DDoS, illegal FTP, or just good old fashion telnet/ssh hacking). I’m sorry, but if you’d rather stay with Windows due to malware reason, then you’re a 100% certified MS fanboy. 2004-08-21 4:51 am Okay, so in order to get past the attachment user flaw is to download the malicious code, rename it to a trusted filename such as notepad.exe and execute it and its something that cannot be done remotely. Well, couldn’t all of these steps be done through a program or script? It doesn’t really matter if the bug is minor or not. It’s the timing of it: so soon after the release of SP2, which MS has loudly touted as a security revamp of the OS. Makes you wonder what other, more serious security flaws there are in there…from a marketing point of view, this is an embarrassment. But don’t let that get in the way of your typical MS cheerleading… 2004-08-21 4:58 am I would guess, you keep nothing on your computer but songs and movies you downloaded for free and don’t worry to lose. I see some people are taking advantage of the fact that Report abuse doesn’t work… Ah, the MS faithful…always ready to fight the impossible fight and claim with a straightface that the malware problem is as prevalent and/or serious on Linux as it is on Windows. I guess that’s why there is 2500 times more viruses and trojans for Windows than for Linux (that’s 70 times more when market share is taken into account). Sure. Keep waving those pompons. 2004-08-21 5:01 am You are sitting on the floor, naked, in the empty room of your empty apartment. How would you like that? Easy, I pop in my last backup disk and all my stuff comes back. Having a computer stolen from you will tend to encourage this wise behavior. So, what’s your point, exactly? Oh, yeah, I remember: Windows can do no wrong, blah blah blah. Got it. 2004-08-21 11:49 am Easy, I pop in my last backup disk and all my stuff comes back. Dare to test it on one of regular home users? Delete all their files and then tell them to find out backup. I am sure you can only get out with that if you can run fast. So, what’s your point, exactly? Oh, yeah, I remember: Windows can do no wrong, My point is: a malware without root access can harm UNIX/Linux user very badly. Memorize it so I don’t have to repeat it again and again. 2004-08-21 1:28 pm That’s why backup exists. You should always backup your computer at regular intervals. What if the hard disk dies a horrible death? Well, your solution is to tell users that they need to DO SOMETHING to protect themselves. How is this any different than telling them not to use IE in Windows or not to double click on attachments? Again, NO OS, not even Linux, can protect against stupidity. Meanwhile, malware that has administrative rights can do far worse than erase your files – it can set up your box as a relay (for spam, DDoS, illegal FTP, or just good old fashion telnet/ssh hacking). I think it has been demonstrated that these things could be done on a Linux box without root access, and even if it couldn’t, I think Joe Sixpack would argue that having all his important data deleted would be WORSE than having his box set up as a spam relay. Not worse for you, but worse for him 2004-08-21 1:34 pm You sir resort name calling etc, instead of well reasoned arguements. “Sure. Keep waving those pompons.” “Windows can do no wrong, blah blah blah. Got it.” “then you’re a 100% certified MS fanboy.” “I see some people are taking advantage of the fact that Report abuse doesn’t work…” Yes some people are, aren’t they? 2004-08-21 6:34 pm Russian Guy Dare to test it on one of regular home users? Delete all their files and then tell them to find out backup. Again, they only need to have their computer stolen (or lost in a fire) once to understand the value of making backups. In fact, a lot of novice users do do backup of important personal files. A friend of mine used to do it on floppies, until I told her that floppies had a relatively short life. So I set up a FTP server for her so she could easily copy important personal files on another location. The fact is that more and more people are learning the importance of backups. My point is: a malware without root access can harm UNIX/Linux user very badly. Yeah, too bad NO SUCH MALWARE exists in the wild for Linux/Unix. In other words, malware could theoritically be a problem for Linux, but in the real world, it isn’t. I’m interested in the real world – you’re interested in defending MS and Windows at any cost. Darius (In all fairness, not a cheerleader, more like a Devil’s advocate.) Again, NO OS, not even Linux, can protect against stupidity. Of course not – but some basic steps can be taken to reduce the negative effects of stupidity. Having files tagged as executable through their file extension, for example, is a very bad security liability. ActiveX was another. Giving some Administrative rights to ordinary users is another. MS long ago made the choice of user-friendliness over security, and now they pay the price for it. I think it has been demonstrated that these things could be done on a Linux box without root access It has been claimed, not demonstrated. Perhaps you can tell me how to set up my Linux box as an internet relay node or FTP server without root access… I think Joe Sixpack would argue that having all his important data deleted would be WORSE than having his box set up as a spam relay. Both are invasion of privacy. And with adminstrative rights, you can do both… Bill Sykes (Who has never been critical of Microsoft, and regularly spreads FUD about OSS/Linux) You sir resort name calling etc, instead of well reasoned arguements. Name calling? Hardly – unless you’re an oversensitive pro-MS advocate. I notice you didn’t try to challenge my argument that Windows has (proportionately to market share) 70 times more malware than Linux. “Sure. Keep waving those pompons.” Not name-calling. Simply pointing out that a lot of pro-MS posters will go to great lengths to defend Windows, no matter what the evidence suggests. “Windows can do no wrong, blah blah blah. Got it.” Where do you see name-calling in that? Nowhere. Sarcasm, maybe. But in fact this is exactly what MS fanboys say, when you get down to it. Windows can do no wrong, and any perceived criticism must be responded to, no matter how valid it may be. In other words: zealotry. “then you’re a 100% certified MS fanboy.” Claiming that the malware situation is as bad on Linux as it is on Windows, despite massive evidence to the contrary, is not a logical statement. Therefore, it is motivated by other non-rational reasons: emotional attachment, fear of the unknown, personal interest, etc. The “fanboy” label is justified – although I could have also used “zealot”. “I see some people are taking advantage of the fact that Report abuse doesn’t work…” Yes some people are, aren’t they? Except I didn’t abuse the terms in any way. I still don’t understand why so many of you feel the need to go out of your way to defend a multi-billion dollar monopoly – as if it couldn’t take care of that itself! Oh well, time to move to the other similar thread, I guess… 2004-08-21 8:55 pm “I still don’t understand why so many of you feel the need to go out of your way to defend a multi-billion dollar monopoly – as if it couldn’t take care of that itself!” Maybe for simple reason that poeple like you go out thier way to attack it. You know that the “drag and drop” vulnerability is a total stretch. There is no way you can ever protect any internet connected home PC from total idiots. 2004-08-21 10:57 pm well, maybe its just me, but i would much rather lose my files, then lose my files and have to reinstall and configure my system, but thats just me. i guess ive lost enjoyment for reinstalling my os every few months since i dropped windows…. 😉 (see, i can troll too) and i think you will find people who actually use their computer for work are very well trained to do backups. ive actually got a cron job that runs every week and backs up important files to my fileserver. all it takes is one virus and people learn. you are right, the fact that userspace apps can be used for things like dos or spamming. but its also extremely easy to get rid of, and very easy to detect. if it ever becomes a problem, im sure a simple log parser could give a warning of stuff looking suspicious. but hey, all this is largly rhetorical anyways, as next to no malware exists for linux. whats the point? 99.99999999% of idiot users (“computer illiterate”) use windows, and windows is installed on about 95% of all the computers in the world. if you want the biggest bang for your buck, youre gonna write your virii for windows. honestly, i would be rather upset if companies such as linspire succede with their focus of ease of use over security. linux would be far less attractive with the kind of attention windows gets. honestly, i consider this whole discussian failrly redicules, as this “hole” requires stupidity of epic proportions on the users part. but hey, this is osnews, where you go to have pointless arguments over things that dont matter too much 2004-08-22 5:58 am Maybe for simple reason that poeple like you go out thier way to attack it. One doesn’t need to go out of their way to attack Microsoft, it does a pretty good job of of damaging its own credibility itself. Now, please indicate to me where in this thread I “attacked” Microsoft? Right, nowhere. Pointing out that the timing for this vulnerability is bad from a marketing point of view is simply stating the obvious. Same goes for saying that the malware situation is much more worse for Windows than it is for Linux, when even accounting for differences in market share.