Microsoft has decided to rush out a fix for a flaw in Windows, saying that the problem has become too serious to ignore. The flaw, which will be patched on Tuesday, was originally disclosed to Microsoft in December, but it was not publicly reported until last week. The bug lies in the way Windows processes .ani Animated Cursor files, which are used to create cartoon-like cursors in Windows.
I know any OS, with as wide target base and as many lines of code as Windows does, is vulnerable to attack. However this has to be, by far, the funniest securiety threat i’ve heard to date!
(At least Microsoft are going out of their way to correct this problem though.)
Edited 2007-04-02 22:04
Is it funnier than leaving telnet open?
Isn’t that changing the subject?
Archiesteel: Learn something from honest writers here like MollyC. Why does you ass burn everytime someone say negative about Linux or *nix.
And really have you ever honestly criticized Linux in your life? I don’t think so….
That’s not the point, CrazyDude (and yes, I have been critical of Linux *and* I’ve said nice things about Windows before).
The article is *not* about Linux/*nix. It’s about a flaw in Windows. The fact that the OP tried to deflect criticism of Windows by changing the subject is what *you* should be concerned about. That’s a logical fallacy, as you can find out for yourself.
At least be man enough to admit that Windows does have security flaws, and that this one is, by and large, quite embarassing. I mean, come on: an *animated cursor* being able to compromise the system?
Edited 2007-04-03 01:20
“(At least Microsoft are going out of their way to correct this problem though.)”
They’re going out of their way only because they sat on their behinds on this bug. This bug could’ve been patched in any of the Jan, Feb, or March updates, and there would’ve been no need for a rushed out-of-cycle patch. Atrocious decision making.
Edited 2007-04-02 22:53
Seriously.
Considering they knew about this bug since December 2006, “rush out a fix” makes about as much sense as saying Windows Vista was rushed out.
>> However this has to be, by far, the funniest
>> securiety threat i’ve heard to date!
Oh I don’t know… the .jpg buffer overflow that effected EVERY operating system that used the reference code – meaning linux, MacOS and Windows – was a bit funnier IMHO.
I suspect this is something similar, where a programmer got lazy and didn’t bother with range checking. I’m often amazed at how often programmers will try to save a few clocks by not bothering with making sure memory accesses don’t go out of the expected range, especially on image decoders.
“However this has to be, by far, the funniest securiety threat i’ve heard to date!”
How about a remote, hostile takeover of clippy? :o)
Edited 2007-04-03 07:55
Oh yeah, and use the control to kill clippy
How does a major security threat like this take almost 4 MONTHS to be patched? The largest, richest software company in the world can’t manage to do something that a group of “volunteers” manages to do all the time?
I’m really beginning to think that Microsoft and many of the other commercial software companies just don’t care. Vulnerabilities are fine, sh*t happens, but for f*ck sakes, patch them before they can be exploited!
You just answered your own question.
One word: bureaucracy.
>> How does a major security threat like this take
>> almost 4 MONTHS to be patched?
Probably because dozens if not hundreds of programs call the vulnerable part of the API, since cursor and icon handling is part of the base of most every program – fixing it is one thing, fixing it and making certain you don’t break every application out there is something quite different.
ESPECIALLY when you can’t expect everyone to just ‘recompile’ all the effected programs (a drawback of binary distribution) like you can in the open source world, or worse, because it’s all binaries you get programmer trying to take ‘shortcuts’ for speed or just out of ignorance.
Remember, writing a program for linux takes actual skill and knowledge, while any twelve year old script kiddy can make a program in visual basic… and if MS broke those programs from this fix, you’d have a LOT more complaints than you would from waiting a few months to fix a vulnerability.
Especially with the number of ‘corporate’ programs that are written in VB, and as such the intellectual equivalents of what a 12 year old script kiddy could churn out in an hour. (and probably took the corporate programmer with multiple doctrates in computer science two weeks to get to the point of being functional)
Edited 2007-04-03 03:08
{Remember, writing a program for linux takes actual skill and knowledge, while any twelve year old script kiddy can make a program in visual basic}
Your statement is unfortunately now out of date, since February this year.
http://reddevnews.com/features/article.aspx?editorialsid=708
“Mono enables Windows .NET developers to code in C# or VB.NET using Visual Studio and .NET 1.1 or 2.0 development technologies, and then compile and run .NET code base on multiple platforms, including Windows, Linux, Sun Solaris, Unix and Mac OS X. Mono supports multiple languages, and both open source and commercial compilers. In February, Mono released the Mono Visual Basic Compiler, which .NET developers can use to program in Visual Basic.NET. The new compiler is written in Visual Basic and is “self-hosting.”
>> Your statement is unfortunately now out of date,
>> since February this year.
Which would mean something if most corporations aren’t still maintaining applications written in VB5 and earlier – which means all that .NET stuff means exactly two things.
… and Jack left town, took his **** with him.
Ever been at a company where they expect you to maintain a decade old VB3 application, and when you suggest rebuilding it on a new platform run the risk of getting fired for daring to SUGGEST such a ‘radical and dangerous change’?
Also worth mentioning that while mono lets you RUN .NET code, it doesn’t have an equaivalent development environment for the *nix platform. Sorry, but Stetic is a tinker toy (even it’s developers admit that).
As a certain MS executive said: “Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers!!!”
… and they don’t care how stupid they are. Even with mono the entrance fee on the IQ meter is pretty damned high.
Edited 2007-04-03 03:38
This just shows how much BS is coming out of Redmond. MS has nothing over OSX period.
Thats just a silly statement.
OSX is potentially just as insecure as Windows is, it’s just less of a target because the number of OSX installs is vastly smaller than the number of systems running Windows.
Say, for example, if i was to compare the security of my house to Buckingham Palace. There’s been far fewer attacks on my house than Buckingham Palace yet does that make my house more secure? Nope – it just means that Buckingham Palace is a bigger target.
OSX is like my house – it has it’s flaws but it’s not usually worth peoples time hacking it.
[edited – i should learn to proof read]
Edited 2007-04-02 23:03
{ Say, for example, if i was to compare the security of my house to Buckingham Palace. There’s been far fewer attacks on my house than Buckingham Palace yet does that make my house more secure? Nope – it just means that Buckingham Palace is a bigger target. }
There are more black hats attacking Windows, more systems running Windows for people to attack, more vulnerable point in Windows to attack, and far, far more “tools” to use in attacks (eg existing viruses and other malware to modify to get past virus checkers) against Windows than is the case for either Mac or Linux.
Windows has: more attacks against it, more ways to be attacked, more points of weakness to attack, more people attacking it, and it presents a more attractive target to attack.
So, using which OS are you likely to be less secure?
Actually that’s not technically true. If ‘hackers’ wanted to turn their attention to OSX then they could and I’m sure they would with great success (remember the guy who found a hole in OSX everyday for a month?)
Granted Windows code isn’t always that secure, but then theres been loads (and I mean /LOADS/) of vulnerabilities found in OSX as well.
So as I said before, just because Windows is a bigger target, that doesn’t make it less secure, it just makes it an obvious target. Saying OSX is secure because it’s not an obvious target is no different to saying my house is safer than Buckingham Palace (with it’s dedicated guards et al)
I just wish people would learn the distinction between ‘whats the biggest target’ and ‘whats the most secure’ because the two don’t have to mean the same thing.
{So as I said before, just because Windows is a bigger target, that doesn’t make it less secure, it just makes it an obvious target. }
I agree with that. Windows isn’t less secure just because it is the bigger target, but rather the other way around. Windows is the bigger target because it is less secure.
{The reason I ask is because I bet if Ubuntu was used as commonly as Windows is now and Windows was the new comer, Ubuntu systems would be going down left right and centre because of the technically inept downloading “i love you” shell scripts.}
I very much doubt it. Windows security model is akin to … “it is OK to run if it has an .exe extension”.
Windows security model is after all set on a design path a la Windows 95 … a single-user, non-networked OS, wherefrom the Win32 API was generated.
In Outlook, rather than fix the fundamentally broken security in Windows, whereby attachments on e-mails could just run without being given permissions, Outlook just effectively banned attachments.
After all, it is in a certain large software vendor’s best interest if it can just run code on YOUR system without you giving your permission …
Edited 2007-04-03 02:56
That’s really not the case any more. Windows is now built on NT technology and can be locked down against running applications for specific users (to use your example)
Also just to add:
Would you say the security of an OS was determind by the lowest IQ user or by the average learned user?
The reason I ask is because I bet if Ubuntu was used as commonly as Windows is now and Windows was the new comer, Ubuntu systems would be going down left right and centre because of the technically inept downloading “i love you” shell scripts.
Windows biggest problem is that it caters for the stupid so there for half the successful attacks on Windows are down to the users stupidety. Why doesn’t this happy on Linux or OSX now? because the average user isn’t that stupid. If they know what Linux or OSX are and specifically chosen that system for what it offers then that, in itself, requires a higher level of technical experience than your average Packard Bell customer (who basically buys their system for porn, word and excel) would care to learn.
I hate coming to Windows rescue in these forums because personally i’m not massively fond of Windows myself, but I think some of the comments made on here are as ignorant towards Windows as Windows fanboys are to OSX.
Hey!
We Linux fans love porn too.. just more into the ASCII variety
Windows biggest problem is that it caters for the stupid so there for half the successful attacks on Windows are down to the users stupidety. Why doesn’t this happy on Linux or OSX now? because the average user isn’t that stupid. If they know what Linux or OSX are and specifically chosen that system for what it offers then that, in itself, requires a higher level of technical experience than your average Packard Bell customer (who basically buys their system for porn, word and excel) would care to learn.
I take it from that statement you have no idea of the way the *nix security model actually works ?
I can set up a linux pc for joe user, let him browse porn/warez sites to he has had his fill, let him click on everything that pops up…. and his machine will still work.
Windows problems are not caused mostly by the user, but by very bad design.
I’m running about 3 different versions of *nix across 3 different systems right now – i know how they work.
The main reason Linux doesn’t get attacked on porn sites is because it’s not worth peoples time writing hacks for Linux systems when the vast majorety of platforms will be Windows. If you can trick a Joe User into downloading an VBS in Windows then you can trick them into downloading a shell script in Linux.
Don’t get me wrong – i’m not saying ALL systems are equal. Far from it – i’m saying the problem with Windows is emphasised by it’s user base.
You can build a stable secure Windows system and I have done just that with a Windows 2000 system with no crashes or successful attacks against it in 7 years (and yes – i have been on some very dodgy sites (etc) yet as I know how to set up a Windows system correctly I’ve been safe thus far)
>> If you can trick a Joe User into downloading an VBS
>> in Windows then you can trick them into downloading
>> a shell script in Linux.
and probably get them to type in their root password as well!
Though I don’t know of any *nix programs that will download and attempt to execute files without your asking… something that is ALWAYS a problem with IE and Outlook.
Which is not so much the underlying operating system’s fault, as it is that most users aren’t smart enough to realize they shouldn’t be using those in the first place.
As I tell my users all the time, if a page doesn’t work in Opera or Firefox, or you are having trouble with a e-mail in M3/Thunderbird that’s probably because it’s trying to **** your computer.
Not always true, but true often enough to not be worth the risk – and no matter how many times you explain it that STILL doens’t prevent them from doing stupid shit like visiting the same online game site in IE even after it’s borked their windows install TWICE. (which is when you block the IP address at the router!)
Edited 2007-04-03 07:33
Oh I couldn’t agree more.
Ditching Outlook and IE is the 1st thing I advice people to do. It maybe an integral part of windows but it’s just common sense that you use the best software available to you.
It’s just like setting up an Apache server on *nix – you’re not going to use an outdated version when there’s a newer build around with a few security fixes.
Most Windows users lack common sense though – but then that’s the desktop market Microsoft went for – the technically inept.
I did not mean that to come across as a personal attack, I actually meant to highlight a part statement.
One of the major strengths of *nix over Windows, is that *nix can never covertly install and run programs the way Windows does.
If a piece of malware was on a website, and you visit that website, then the malware will fail install, as it does not have access priviliges.
Now, there might be a download that asks for root password, and users might give it…. that is a totally different thing. That is a compromise, not a vunerability.
The difference is that the user has to do something to let the attack work….
“I can set up a linux pc for joe user, let him browse porn/warez sites to he has had his fill, let him click on everything that pops up…. and his machine will still work.”
Sure, but all his work, ie home directory, could be thrashed by remote code execution bugs. Remote code execution bugs could also start malware processes running as Joe User. Etc etc. Just because the machine itself can’t be breached doesn’t mean there can’t be problems.
What good is a running machine to Joe when all his mp3’s are gone?
If you did manage to get malware onto a linux machine, and manged to get the user to give the root password, then of course you could get a script to run something like
rm -R -f /*
but what would that accomplish ?
you would ruin one machine.
Joe User would of course loose his mp3 and porno, but he should have backups anyway, they are HIS files after all… but then saying and doing are two different things…
now, back to the scenario…
you have managed to get your malware on a mcahine, excalated its rights to actually run,(with user assistance), and borked the machine….
end of story.
the malware has not been able to replicate or pass on to another, where you are going to have to start the whole process again.
now the next thing… remote code execution… hmmm on linux ? like to see that in action to be honest. I have heard it is possible theoretically, but I want to see it, and I want to see it elevate its rights….
“get a script to run something like
rm -R -f /*”
I said the user’s homedir, not /.
“but he should have backups anyway, they are HIS files after all”
Because there are a lot of affordable 100Gb backup systems that Joe User can manage, right?
“you have managed to get your malware on a mcahine, excalated its rights to actually run,(with user assistance), and borked the machine….”
Malware does not need to escalate privs to run, it will run fine as Joe User. I don’t know where this misconception that malware needs to be root come from but it’s patently wrong. Malware don’t care about your box, it cares about being able to comminucate with other malware and last time i checked (like 5 second ago) regular users can make outgoing connections and listen on local ports (above 1024). That’s all a botnet need, for example.
The unix security model is great but this is not something it was designed to prevent.
backup is easy on any platform, in the uk PCworld are currently doing a removable 400GB USB hard disk for £80 which is not out of anyones price range.
A simple copy of important data on any platform MacOSX, Windows and Linux is accessible to any type of user.
“in the uk PCworld are currently doing a removable 400GB USB hard disk for £80”
Neat, I didnt know that. I’m not going to find anything at that price here though and even if I could 80$ is still a serious amount of pesos.
“backup is easy on any platform, in the uk PCworld are currently doing a removable 400GB USB hard disk for £80 which is not out of anyones price range.
A simple copy of important data on any platform MacOSX, Windows and Linux is accessible to any type of user.”
Backups are useful against harddrive failure, but not so much against malware attacks. The reason being, how do you know if a file was deleted or compromised before doing the next scheduled backup?
Let’s say malware mucked with a spreadsheet file (didn’t even delete it, but just altered it). Unless you actually accessed the file, you wouldn’t notice this (and might not even if you did). The next time you do a backup, the compromised spreadsheet is backed up over the good copy, and you’re screwed after that. Even if you were so diligent as to use two 400GB USB discs with a leap-frog backup redundancy scheme, both drives would contain compromised backups after two backup sessions. Don’t expect home users to go beyond that (e.g. maintaining incremental backups for each of the past 52 weeks or whatever, or take the time to track down which of those backups has the “good” spreadsheet file).
{Malware don’t care about your box, it cares about being able to comminucate with other malware and last time i checked (like 5 second ago) regular users can make outgoing connections and listen on local ports (above 1024). That’s all a botnet need, for example. }
No, for several reasons.
Firstly, the “paradigm ” on Windows systems is all wrong, from a security perspective. Users are routinely expected to install stuff. They often run as root. The typical means to install stuff is by running an uncredentialled executable, as root. There is no central, vetted repository of stuff to install, and users are expected to search for it themselves. Users have absolutely zero means of vetting or auditing the quality of stuff they install. Malware (for Windows systems) can hide in millions of places by virtue of the myriad closed-source applications. Finally, the vendor of the OS does not have user’s interests in mind, but rather the vendor’s own interest drives the functionality of the system.
The other paradigm on Windows systems is that “data files include executable instructions”. As already mentioned, installation packages are typically executables, rather than passive data files. Picture files have executable hooks … witness the .wmf security hole of recent times. Even mouse cursor definition files have executable hooks … witness the .ani security hole of very recent times. CDROMS include “autoexecute” files. Office files include executable macros … and so on, and so on. This type of “security hole just waiting to be exploited via embedding instructions in data” is absolutely riddled throughout the Windows world.
Finally, no-one can “hide” malware in open source programs. Open source programs are vettable and auditable, and are necessarily written in the user’s best interest (otherwise other code would “win” in the meritocracy … this is the major win of the open source paradigm versus the closed source model). So, if you simply adopt a straightforward policy on a Linux system which goes “only install stuff from repositories using your package manager” … then you are guaranteed to never get malware.
There are no botnets for Linux.
Edited 2007-04-03 23:57
“No, for several reasons.”
Yes, botnets etc does not need root access.
“Firstly, the “paradigm ” on Windows systems is all wrong, from a security perspective. ”
Well, sure, but malware does not need to rely on that.
“The other paradigm on Windows systems is that “data files include executable instructions”.”
Uh, no they don’t But certain apps has had bugs that allowed code execution when data files are loaded. A buffer overflow is not the same as data files including executable content though. Buffer overflow problems aren’t unique to Windows and there have been several bugs like this in Unix apps.
“Finally, no-one can “hide” malware in open source programs.”
That’s not the point. Malware can spread by exploiting application vulnerabilities.
“There are no botnets for Linux.”
Really, are you sure about that?
http://blogs.securiteam.com/index.php/archives/304
In case you don’t know who gaid (Gadi Evron) is, he’s one of the worlds premier botnet and malware researchers.
{Uh, no they don’t But certain apps has had bugs that allowed code execution when data files are loaded. A buffer overflow is not the same as data files including executable content though. Buffer overflow problems aren’t unique to Windows and there have been several bugs like this in Unix apps. }
Semantics, IMO. You can get the system to run what you want to just by embedding data into a data file.
The .wmf exploit came about because of a provision for “end print” (or somesuch) allowed one to embed a call to the OS with paramaters extracted from the .wmf data file. This is in effect embedding executable code in the data file itself.
This new .ani exploit is similar, aparently. Instructions for the way that the mouse cursor is to animate are embedded in the .ani files.
http://www.eweek.com/article2/0,1895,2110151,00.asp
http://www.desktoplinux.com/news/NS3993153601.html
“”ANI” stands for Animated Cursor Image format. When any version of Windows from NT to Vista opens up a corrupt ANI file with USER32.DLL, the program that loads ANIs, you’ve just turned your computer over to the malware’s author. You can be smacked by it by opening a Web page or HTML email message that’s been loaded with an ANI attack.
How bad is it? According to Determina Security Research, the company that discovered it in back December of 2005, the .ANI vulnerability lets attacks run code remotely just as if they were the logged in user. All this from a trivial toy of a program that makes your cursor do pretty things!
…
Think you can stop it by blocking .ani files? Nope, SANS reports that crackers are renaming the .ani files as .jpegs and your Windows system will still get smacked.”
Edited 2007-04-04 07:01
“Semantics, IMO.”
Perhaps, but whatever you call it it’s not a problem unique or inherent to Windows.
“now the next thing… remote code execution… hmmm on linux ? like to see that in action to be honest.”
Google is your friend
http://mail.nl.linux.org/xchat-announce/2004-04/msg00000.html
http://www.securityfocus.com/bid/22826
http://www.securityfocus.com/bid/19980
Did you actually READ any of the links you supplied ?
They are full of “Could” and “it might be possible”
Also all three are exploits in Applications not the system.
And the Xchat one actually needs you to set your proxy server up correctly before it will connect home…..
Now, I am not saying Linux is immune, but I asked for an example of a remote exploit that we can see working….
“They are full of “Could” and “it might be possible”
You are aware that many advisories says that, right? Proof-of-concept often comes after the advisory has been made.
“Also all three are exploits in Applications not the system.”
It is clear that you do not understand the problem domain. The problem is bugs in applications, not in the system. Botnets do not need system-level access to function.
“but I asked for an example of a remote exploit that we can see working….”
Actually, you didnt ask for that. You just said there havent been any remote execution bugs in nix apps and that statement is so patently wrong it’s not even funny.
now the next thing… remote code execution… hmmm on linux ? like to see that in action to be honest. I have heard it is possible theoretically, but I want to see it, and I want to see it elevate its rights….
if you go back and read it, I actually said…
now the next thing… remote code execution… hmmm on linux ? like to see that in action to be honest. I have heard it is possible theoretically, but I want to see it, and I want to see it elevate its rights….
also….
“Also all three are exploits in Applications not the system.”
It is clear that you do not understand the problem domain. The problem is bugs in applications, not in the system. Botnets do not need system-level access to function.
The actual article is about a system exploit, yet you had to give example of exploits in applications. You cannot compare apples to oranges, if you did, you would notice that two of the examples you give are also Windows and OSX apps.
{
}
Exactly my point though – most of Windows successful attacks these days are worms, trojens, etc and are down to Windows users being too stupid to use their system correctly.
{
}
If a program has elivated its rights, then it’s clearly got the power to self replicate. To say that malware on Linux with elivated rights only has the power to delete files is a little nieve i think. I could write a shell script tomorrow that replicated itself using echo commands, so clearly a more advanced program would have greater scope of malice.
[edit]
just so you don’t get teh wrong idea – i’m by no means saying Windows is more secure than Linux!
Just that Windows /can/ be secure in the right hands.
Edited 2007-04-03 10:32
This is possible in theory. In practice, Linux malware is basically non-existent. There are less than 100 known viruses for Linux, and only two or three are known to be in the wild. As far as I know, none of these attack a user’s files.
Contrast this to the 100,000+ pieces of malware available for Windows, which cost hundreds of millions each year, and you have a good portrait of how the situation really is.
So while you guys continue to elaborate your highly hypothetical scenarios, those of us concerned with the real world know that malware is a *grave* problem on Windows, while it is virtually *non-existent* in Linux.
Do you have concrete examples of this happening?
The fact that, in Linux, a file can’t be made executable simply by giving it the right extension really helps make the OS more secure for “Joe User”.
“So while you guys continue to elaborate your highly hypothetical scenarios, those of us concerned with the real world know that malware is a *grave* problem on Windows, while it is virtually *non-existent* in Linux.”
I have never said this isn’t he case. In fact, I agree that it is the case at this point in time but that’s not what we are talking about. We’re talking about what could happen if someone put their mind to it and/or if Linux was a viable target.
“Do you have concrete examples of this happening? ”
The point is that it could happen, not that/if it has happened.
“The fact that, in Linux, a file can’t be made executable simply by giving it the right extension really helps make the OS more secure for “Joe User”.”
“chmod +x” isn’t a lot harder than changing the file extension.
The fact that it has *not* happened yet (with all the people having anti-Linux/FOSS agendas out there) should tell you something. It’s *not* just a popularity issue, but rather the fact that, fundamentally, Linux is *less* vulnerable to malware than Windows.
No, the point is that it has not happened, despite the fact that it could have.
You’re completely missing the point. Doing “chmod +x” requires an intervention from the person *receiving* the malware. Determining the file extension in Windows (i.e. making the file executable) is done by the person *creating* the malware (or redistributing it).
If Windows users *had* to change the file extension to be infected by malware, you can bet it wouldn’t be as prevalent on that platform. The fact that most malware is executed automatically (or with a simple double-click in the case of Trojan horses) *is* what makes it such a dismal security problem on Windows.
Popularity is not the only reason. A popular OS with few attack vectors would be relatively safe. Some design decisions are also responsible for Windows’ dismal security record over the past decade. Some of these are still in use today, such as the fact that you can make a file executable just by giving it the correct extension. The fact that IE and OE were so integrated into the OS has also been problematic over the years.
Claiming that the only reason Windows is insecure is because it has the largest installed base may seem like a reasonable claim, but once you start digging deeper you realize that this is far from being the whole truth.
I know the whole truth, in my less responsible days I used to be a hacker myself (curiousity rather than malision)
I just think Windows problems are exaggerated by it’s user base.
As i said on other forums – once OSX gets more popular (which is happening with the rise of Apples profile) then you’ll start to see more security alerts on OSX that rivel Windows.
Edited 2007-04-03 07:25
Firefox is not integrated with the OS, but Firefox is more vulnerable to this flaw because it uses the same Windows API to handle the cursors; instead, IE7 under Windows Vista is NOT at risk due Protected Mode.
So if a software is integrated into OS doesn’t mean is unsafer than anether one, because all software can use the same libraries and API with or without integration. IE just uses the HTML/Internet libraries which come with the OS, but it runs with the the same user’s privileges like another not integrated browser.
Integration makes no differences in security.
Why people doesn’t complain about linux’s Konquerror which is integrated in KDE as well Internet Explorer is integrated in Explorer?
Why people doesn’t complain about Safari browser which is integrated with Mac OS X?
Why people doesn’t complain about Thunderbird wich use the same Firefox gecko engine?
IE is not more integrated than other browser, IE is just a program which use HTML/Internet libraries included into OS like in every modern linux’s distribution you have HTML/Internet libraries
Edited 2007-04-03 15:50
{
}
While I understand the point you’re trying to make, you’re not entirely accurate on several points there:
1stly: Though both Firefox and IE use the same APIs to render cursors, IE has vulnerabilities in the way it runs web pages and executes scripts on there. Vulnerabilities which are not present in firefox or Opera (though both Firefox and Opera have other vulnerabilities not present in IE). So it’s the vulnerabilities in IE that expose windows rather than the fact that IE is integrated or not.
2ndly: According to the BBC news, it was announced that people who use Firefox and Opera would be safe from the attack. I can’t verify the accuracy of this (seeming as I’m not prepared to compromise my own system just to run a test.) but one would hope that a bold claim like that on a national news site would be accurate. link: http://news.bbc.co.uk/1/hi/technology/6509865.stm
3rdly: IE /is/ more integrated into the Windows OS. While earlier versions of Windows (98 to be precise) was proven not to require IE despite MS’s claims, I’d doubt that’s still the case with 2000 and XP.
Edited 2007-04-03 16:14
Note that in my last post I wasn’t referring specifically to this new vulnerability, but to the long history of IE vulnerabilities over the past 10 years. Some of these vulnerabilities would *not* have been so critical if IE hadn’t been so tightly integrated with the OS.
KDE is just a Desktop Environment, it’s not an actual OS. I do believe that IE is more integrated with the underlying Operating System than Konqueror is.
(Remember, at some point Microsoft claimed that they could not ship a version of Windows without IE, because it was a required component of the OS…)
Ah yes, I believe you’re referring to this case:
http://en.wikipedia.org/wiki/United_States_v._Microsoft
Incidentally (and I don’t know if this is reported in the cited article) a group of ‘hackers’ (i hate that term) managed to remove IE from Windows thus proving that Windows does not require IE to operate. This was several versions of the OS ago though and I wouldn’t be at all surprised if IE is even deeper entwined into the core of the OS of the present versions of Windows
MS never claimed IE couldn’t be removed from Windows. The claim was that it could not be removed without breaking several Windows systems and applications such as Windows’ help system, and many third-party applications that used IE’s components for their functionality.
Also, IE has never been tied to the core of the OS. It’s always been just an application. A few dlls provide the capabilities for rendering various formats and understanding various protocols. The IE people interact with simply provides the UI for these components, as do several third-party applications that host the components. It’s no different that how applications use webkit or gecko for similar reasons.
It seems they are the student that just rearranges the words on the paper to make it look like a new report.
and so much for their “code audit”…
(actually just a Chrious Poker at systems i could learn from)
I have to state that this statement that windows gets attacked more because there is more windows installs is bogus. Yes there are more computers running Windows and 99% of them are dull (why would anyone take the time to breach security on a system to look at photos of grandma’s 90th birthday?) The Interesting computers run non windows platforms for example most high profile web-servers run on a Unix like OS, high security systems usauly run Trusted Solarus and we all know how banks love OS/2.
Personly I went for targets that I could learn something from and windows offered no educational value one could easily Warez a copy of NT 3 and install it on a 486 and learn Windows servers but getting ones hands on a Sun SPARCstation or a HP-UX Workstation was cost prohibitive.
I am not saying windows is a horrid desktop OS its just that windows boxen are BOREING!!! and as a result an unattractive target.
I have to state that this statement that windows gets attacked more because there is more windows installs is bogus. Yes there are more computers running Windows and 99% of them are dull (why would anyone take the time to breach security on a system to look at photos of grandma’s 90th birthday?)
(Emphasis mine.) They would take the time to hack gradma’s PC to put stuff on it, not take stuff from it. Think about botnets.
I remember not being able to drag n drop certain icons in x11 without crash after crash, every OS has had its embarassment, windows just gets publicity. I use Linux (gentoo) and MacOS X at work, and love them both, but there have been much simpler takedowns of both systems in the past,and windows has had its share as well, but if you measure the amount of people looking, compared to found the number is probably very simular. its like people think the colleges that hired the programmers for thier OS was different in some way, people make mistakes in every OS. But if nobody is watching them, does that make it not a vulnerability?
Seems to me the problem here is that it took so long to fix the bug. That’s it, that’s all.
It isn’t about Win VS.OSX VS. Linux
It’s about how responsible Redmond is with their operating system.
It’s about the seeming lack of concern over a serious bug.
It’s about not doing anything until it becomes public. It’s about Microsoft and their apparent lack of concern for their customers.
How exactly does this scenario come to be? Did someone in Redmond say “Aw heck no one knows about it yet why fix it now? We’ll get to it next quarter.”?
Microsoft cries foul when a vulnerability is released to the public before Microsoft has been made aware of its existence and yet when Microsoft is told about a serious flaw they do nothing because no one is yet exploting the code? What kind of policy is that? According to the article:
“Microsoft’s patch has been in the works since security vendor Determina brought the flaw to Microsoft’s attention late last year”
I don’t understand how the security community is able to create not 1 but 2 patches for this before Microsoft can. It’s not as if Microsoft doesn’t have all the source code to work with.
Edited 2007-04-03 04:52
Don’t tun this into an OS flame war.
But I thought that’s what OSNews was all about.
I don’t understand how the security community is able to create not 1 but 2 patches for this before Microsoft can. It’s not as if Microsoft doesn’t have all the source code to work with.
1) Security community doesn’t have to analyze the fault and check for same or similar problems in the rest of the source tree.
2) Security community doesn’t have to run a gazillion of tests to make sure nothing else breaks after fixing this particular problem.
etc.
It’s about not doing anything until it becomes public. It’s about Microsoft and their apparent lack of concern for their customers.
It was already scheduled to be part of the April patch tuesday, but was rescheduled because it’s in the wild.
In general, you don’t speed out a patch with all possible haste if you don’t have to.
Even various open source projects wouldn’t speed out a patch unless it’s critical that it gets released ASAP.
Anyway – i’m sick of these OS wars – most of the people who argue that Windows is sh*t don’t use the system anyway and are likely never to side with MS even if they were on fire and Bill Gates had the last ever bottle of water.
The only use Windows because Linux doesn’t run Cubase, but I’ve been more than happy with the Windows system I run. Equally I prefer to play around in BSD these days. It’s just using the right environment for the right job.
Shouldn’t they mention versions affected? Or is it the whole bunch?
It affects Windows 2000, XP, Vista and Server 2003
Weak OS + untrained user + animated mouse + porn site = $ to me to repair.