Microsoft Corp. warned consumers Wednesday about four critical new flaws in its popular Windows software as the company shifted to monthly alerts for serious problems that could let hackers break into computers. In the meantime, Windows XP SP2 is to get backported security enhancements from the Longhorn codeline.
Just patched up my Windows boxes – see, Windows security isn’t that hard
Of course, this sort of thing must be a pain in the ass for Windows sys admins and IT professionals (who may have dozens or hundreds of machines to patch), unless they’ve found a way to do it like a batch process.
It’s not so much that; IT professionals do, or should, test patches for compatibility issues. Windows Update is known to break stuff, so they have to make sure it’s not breaking anything that is important to how the company functions.
Window security isn’t hard ?
Have you patched IE and its 31 KNOWN BUT UNCORRECTED flaws?
http://www.google.fr/search?q=cache:E2UQe7SL0YEJ:www.pivx.com/larho…
“Window security isn’t hard? Have you patched IE and its 31 KNOWN BUT UNCORRECTED flaws?”
Yes, I installed Mozilla Firebird 0.7 just a few hours ago.
that was a great answer!
4 updates but atleast they aren’t multi-MB monsters.
Might wanna be wary here. I just updated my folks WinXP and found myself with a 800*600 4-bit screen (Kinda nostalgic actually. Reminded me of a Spectrum). Problem went away after installing the latest Nvidia drivers (Or possibly reinstalling, I didn’t make note of the original version number).
Same applies to most drivers under windows update. I always stick with the manufacturer release of the driver. The windows update version also typically does not include the extra utilities that the manufacturer puts out (i.e. nView for Nvidia drivers, or Hydravision for ATI) – either that or it removes/breaks them. Same goes for a lot of NIC drivers. So my 2c is that updating hardware drivers using Windows Update is generally speaking a bad idea.
> Just patched up my Windows boxes – see, Windows security isn’t that hard
Maybe for a small number of PCs.
I work in the IT department of a small university. We have a mixed environment of Windows boxes (Win98, 2000, XP) and Windows 2000 & 2003 servers. All told, there are slightly more than 1100 PCs here.
If we had to do one set of patches it might be doable. But new patches every few days is just an intolerable situation.
We are currently evaluating Microsoft’s SUS to at least keep the Win2k and XP boxes updated a little easier.
I guess it is job security, but I have added quite a few gray hairs in the past few weeks!
Inevitably, complex software will have flaws. However, the frequency of severe security vulnerabilities–ones that allow a remote attacker to have total control of the victim–is unacceptable. It is highly likely that new critical vulnerabilities in Windows will appear before the end of the year.
The problem lies, in my view, in the deficient software architecture. Millions of lines of code interact with the outside world. A single flaw is all it takes for a particular process to be compromised, which in turn can usually compromise the entire system. Microsoft Windows–and for that matter, other operating systems–will continue to have frequent new (technically, newly discovered) vulnerabilities unless the software will be fault-tolerant by design, that is unless the architecture ensures that vulnerabilities in a piece of code affect only those functions which the code is expected to perform.
I installed a new copy of windows the other day and it ended up with the Nachi worm before I could update the box. I have to deal with the network problems all these worms and outlook bugs create. The computer I am on has a worm and with the slow dialup connection I don’t have the time or bandwidth to update it.
I ran stinger and it didn’t even pick up the worm. I know most anti virus programs are useless but it is never usually a problem till MS ENABLES SERVICES BY DEFAULT IN LISTENING STATE without even offering an install option or version that does not do this.
Give me netstat -a|wc = 0 or give me death.
It is a commonly known fact in the security world that security is not something you can retrofit into a software system; it has to be designed in from the start. Windows NT was designed to be a secure system, but many of the changes that Microsoft has made since NT 3.5, in addition to all the software present in a Windows system, were not designed with security in mind. By their own admission, Microsoft did not design with security as a primary goal until recently. Now, it is quite clear that they are struggling with trying to retrofit security into Windows.
“The problem lies, in my view, in the deficient software architecture. Millions of lines of code interact with the outside world. A single flaw is all it takes for a particular process to be compromised, which in turn can usually compromise the entire system. Microsoft Windows–and for that matter, other operating systems–will continue to have frequent new (technically, newly discovered) vulnerabilities unless the software will be fault-tolerant by design, that is unless the architecture ensures that vulnerabilities in a piece of code affect only those functions which the code is expected to perform.”
Well, it is the same for Linux. Its design is very poor concerning security (there is even no design at all, in a way). But it is in a way more secure: the implementation matters. Most security flaws are unchecked buffers, and frankly, that has nothing to do with design. OK, you can avoid them by using a higher-level language than C, etc… but unchecked buffers are more a question of implementation.
The thing is that Microsoft never wondered about code quality before 2001-2002… And they have millions of lines of code to review. This will take time.
By the way, before speaking about secure code, why not make the default config more secure on consumer products? IE, Outlook, Windows Home are horrible compared to other OSes on this point.
Here is where copying UNIX came in handy. Linux’s implementation wasn’t designed for security from the ground up. It didn’t matter — the kernel has been essentially rewritten several times, and the later times, it was implemented with an eye to security. The overall design of the kernel, however, was thoroughly based in UNIX, something that has proven itself to be secure.
Haha. The Linux trolls are out in full force. Those horrible patches, fixing those security patches. I suppose they would prefer not fixing vulnerabilities, or flat out denying they exist. You can never win with a zealot…
cyberbear, can’t you just do a WAKE ON LAN to wake up all the PCs, and remote install the patches on every single one?
I think Microsoft should remove support from Visual C++ for all standard C library calls and Win32 APIs that do not support bounds checking (strcpy, gets, etc). Visual C++ should not compile any code that use these routines. If their build process did not allow such code to be compiled it would remove some of these problems immediately. This would certainly break a lot of code and cause some performance issues under certain circumstances, but they need to code for security and reliability first, performance second.
The following code doesn’t even produce a warning when the highest warning level is used in Visual C++ 6.0 (/W4):

```c
#include <string.h>

/* Deliberately broken, as posted: the source string is far longer than the
   10-byte stack buffer, so strcpy() writes past its end. */
char buffer[10] = {0};
strcpy(buffer, "0123456789-10-11-00000000000000000000");
```
cyberbear (IP: 64.207.85.—):
We are currently evaluating Microsoft’s SUS to at least keep the Win2k and XP boxes updated a little easier.
Software Update Services is *great* for the most part, unless you have systems on which there is trouble applying patches. I’ve been using it since slightly after the second DCOM exploit was discovered at work, and so far it’s been wonderful.
I also used the DCOMBobulator (http://grc.com/dcom/) to disable DCOM on all my systems as well.
Rayiner Hashem (IP: —.res.gatech.edu):
It is a commonly known fact in the security world that security is not something you can retrofit into a software system, it has to be designed in from the start.
I’d simply say that secure programming in lower level languages like C/C++ does not scale. Frankly I am amazed when something as large as qmail can be created and have the security record it does; I think it can be mostly attributed to DJB’s genius and excellent design skills, along with his insistence on using Unix facilities to their utmost.
Windows (2000/XP/2003) is one of the largest programming systems products on earth, and greatly increases in complexity with each release. Microsoft has realized that keeping such a product secure when so much of it is implemented in native code by thousands upon thousands of different people, with very few who have an excellent grasp of the codebase, is an impossible task. I believe we’ll begin to see this addressed in Longhorn; I expect to see large portions of the codebase rewritten in .NET, which will sandbox them within the .NET framework, which will prevent the most common security vulnerabilities we see in native code applications (i.e. buffer overflows). Of course, this isn’t a silver bullet, and we’ll be sure to see some vulnerabilities caused by other problems like race conditions which can’t be solved by switching to .NET.
Microsoft’s latest solution, “securing the perimeter” through automatically updated distributed (and assuredly cryptographically signed) firewall/netfilter rules, sounds like the best approach, provided you trust Microsoft not to supply malicious firewall rules. Several have raised concerns about this, which is a good thing as the people who distrust these rules are surely to be among those who audit them, and raise hell if Microsoft attempts to use them in an anticompetitive manner (it certainly worked for Opera with MSN). As filter rules merely depend on a working filter and don’t require a reboot, most of the problems with automatic patching are eliminated.
Of course, filtering/firewalling is only a stopgap solution until patches can be applied, but it should be enough to prevent another Slammer/Blaster/Welchia worm.
> that was a great answer!
Great answers my ass. The Pivx list was so out of date that Pivx themselves no longer published them.
http://www.pivx.com/larholm/unpatched/
What Pivx had been doing was just listing specific IE vulnerabilities for specific IE versions — most of the vulnerabilities were for the plain old IE 6. But they didn’t retest those same vulnerabilities when IE6 SP1 (or even later patches) came out.
I think Microsoft should remove support from Visual C++ for all standard C library calls and Win32 APIs that do not support bounds checking (strcpy, gets, etc).
Can you show me a recent vulnerability in a popular software package that was caused by exploitation of strcpy()? It’s always broached as an example of an “unsafe” routine but it can be used quite effectively:
```c
#include <string.h>

/* my_malloc() is the poster's own allocator wrapper, not a standard call. */
char *my_strdup(const char *src)
{
    /* strlen(src) + 1 reserves room for the terminating NUL, so the strcpy()
       below cannot overrun the destination. */
    char *ret = (char *)my_malloc(strlen(src) + 1);
    strcpy(ret, src);
    return ret;
}
```
As a simple example…
I think you’ll find most buffer overflows are the result of significantly more (unnecessarily) complex code. In the case of network protocols, it can be the result of an overly complex protocol which consequently requires overly complex input validation routines. An example of an overly complex format is ASN.1. Buffer overflows in OpenSSL’s ASN.1 processor were the cause of the two most recent OpenSSL vulnerabilities. I’ve detailed this in the FAQ of a protocol I’m creating, which is available at http://pdtp.org/faq.php
I think it’s reasonable to tell customers, don’t hire anybody who writes code like this:
```c
#include <string.h>

/* Quoted from the earlier post, deliberately broken: a 37-character source
   copied into a 10-byte stack buffer. */
char buffer[10] = {0};
strcpy(buffer, "0123456789-10-11-00000000000000000000");
```
But many buffer overflow bugs aren’t so obvious because the source string or destination buffer may be aliased through a pointer which is initialized in a different routine. So a compiler check that caught the case you gave might give users a false sense of security, as it wouldn’t necessarily catch this one:
```c
#include <string.h>

typedef struct {
    char *pBuffer;  /* points to a buffer whose size is not recorded anywhere here */
    int someInt;
} stuff_t;

/* getSourceString() stands for whatever routine supplies the input string. */
void foo(stuff_t *pStuff)
{
    char *pSrc = getSourceString();
    strcpy(pStuff->pBuffer, pSrc); /* might overflow: neither length is known at this point */
}
```
You beat me to the punch.
You know what blows my mind? People used C for OSs for a long time, because they claimed that high-level (safe) languages were too slow. Now, you have high-level languages that run at 90% the speed of C, but they insist on using a medium-level language like C#, which almost never runs that fast! There is no point in putting a large JIT inside the kernel. Currently available compiler technology can do complete bounds and type checking (all that a JIT buys you in terms of safety) with less than a 10% performance hit, and much less memory overhead. Sigh…
You know what blows my mind? People used C for OSs for a long time, because they claimed that high-level (safe) languages were too slow. Now, you have high-level languages that run at 90% the speed of C, but they insist on using a medium-level language like C#, which almost never runs that fast!
Well, for better or for worse this is what Microsoft appears to be doing in Longhorn. As to how much of a performance hit we’ll see we can only wait and find out, but it should begin to help mitigate many security issues as they move away from native code.
No. I can’t give you an example. The point is that since it doesn’t perform any bounds checking it can be exploited. Refer to the following:
http://destroy.net/machines/security/P49-14-Aleph-One
http://www.courtesan.com/todd/papers/strlcpy.html
I’m specifically referring to stack smashing. The example that I always think of is the Internet worm caused by the use of gets() in the finger daemon (November 1988 – see ‘Expert C Programming ISBN: 0131774298’). That’s right, we haven’t learned after 15 years.
Your example ensures that the heap-based buffer is large enough to hold the input string. Even if you hadn’t allocated a large enough buffer the strcpy() call would not have affected the stack. I know that you can use strcpy() safely, but programmers like you are not the problem. I have seen it misused at my current employer on numerous occasions in network based code. The fact remains that if a build process stops potentially unsafe functions from being used, then developers will be forced to think about these things. Most projects are not run like OpenBSD. Most development projects are rushed, forcing programmers to work long hours, where quality assurance is an afterthought.
I’m sure that most buffer overflows involve code that is more complex than my example. That wasn’t the point. I was merely trying to illustrate that the compiler didn’t issue a warning (when the highest warning level was on) when using a potentially unsafe function.
The exploit you provide a link to contains the following description:
Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.
Was the cause of this an unnecessarily complex protocol or how the OpenSSL codebase implemented support for it?
Check out http://www.linuxsecurity.com and cry over the fact that every Linux distro has 10-20 security holes a month.
But you don’t see that get reported, do you? Nope. Instead, XP has four patches this month and it’s big trollbait, yet we ignore that Red Hat’s security errata is an incredible hassle due to the endless stream of security patches.
I wouldn’t hire or keep a programmer that would write that code. That wasn’t the point.
The struct you pass on the stack contains an int and a pointer. It doesn’t contain a buffer. Even if the buffer pointed to by pStuff->pBuffer overflowed it would not affect the stack because the buffer is allocated on the heap. My point was that the use of any function that writes to a stack allocated buffer that doesn’t perform bounds-checking is unsafe, assuming that the target platform doesn’t provide the facilities to stop the execution of stack and heap based data. If it is unsafe, then the compiler should at least issue a warning. Don’t assume all programmers are as meticulous as you. The build process should catch this kind of stuff.
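For the strcpy() debate above, a bounded-copy pattern of the kind the strlcpy() paper linked earlier describes, written as an added example that is not any poster's code: the copy always NUL-terminates, reports the length the source needed so truncation is detectable, a sizeof-based macro ties the bound to the array declaration, and a heap duplicate rejects over-long input instead of trusting it. The 10-byte buffer and the long string are taken from the thread; bounded_copy, COPY_TO_ARRAY and checked_strdup are names chosen here.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy in the style of strlcpy(): copies at most dstsize-1 bytes,
 * always NUL-terminates when dstsize > 0, and returns strlen(src) so the
 * caller can detect truncation by comparing the result against dstsize. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* For a fixed-size array destination, sizeof(dst) is computed by the compiler
 * from the declaration, so the bound cannot drift the way a hand-typed
 * constant can. Only valid when dst is an array, not a pointer. */
#define COPY_TO_ARRAY(dst, src) bounded_copy((dst), (src), sizeof(dst))

/* Heap duplicate with an explicit maximum accepted length. Over-long input is
 * rejected (NULL) rather than silently truncated; NULL is also returned when
 * malloc() fails. The scan stops at maxlen + 1 so an unterminated source is
 * never read further than that. */
char *checked_strdup(const char *src, size_t maxlen)
{
    size_t len = 0;
    while (len <= maxlen && src[len] != '\0')
        len++;
    if (len > maxlen)
        return NULL;
    char *ret = malloc(len + 1);
    if (ret == NULL)
        return NULL;
    memcpy(ret, src, len);
    ret[len] = '\0';
    return ret;
}

/* Copies src into a 10-byte buffer (the size from the thread's example) and
 * returns 1 if the copy had to be truncated, 0 if the whole string fitted. */
int copy_was_truncated(const char *src)
{
    char buffer[10] = {0};
    size_t needed = COPY_TO_ARRAY(buffer, src);
    return needed >= sizeof(buffer);
}

int main(void)
{
    /* Constructed input: the over-long string from the thread. */
    const char *long_input = "0123456789-10-11-00000000000000000000";
    char buffer[10] = {0};
    size_t needed = COPY_TO_ARRAY(buffer, long_input);
    printf("copied \"%s\", source length %zu, truncated: %s\n",
           buffer, needed, needed >= sizeof(buffer) ? "yes" : "no");

    char *dup = checked_strdup(long_input, 16);
    printf("checked_strdup with maxlen 16: %s\n", dup ? dup : "rejected");
    free(dup);
    return 0;
}
```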
Hey Bob, I also got the Nachi worm on a fresh installation of Windows 2000 before I could get the patch downloaded. So, I was not the only one. After installing Windows 2000, I set up my dial up connection and connected at 26.4K which is all that is possible with the old telephone lines in my neighborhood. After trying Internet Explorer for a few minutes I then started downloading all the critical patches. It took a long time to download all the patches and afterwards I installed the McAfee virus scanner and it said I already had the Nachi worm and deleted it.
Up until that point I had only been using Linux lately but had decided to add Windows 2000 for occasional use. Most of my friends had all had at least one of the recent worms. I had told them how I had not had that problem because I used Linux. Well, I added Windows 2000 and one hour later I had a worm too! At least I did not throw my computer in the trash and buy a new one as a result like one person I know did.
I use Red Hat 9 Linux most of the time and spend about equal amounts of time downloading patches at 26.4K. With Windows I am logged in as Administrator while online for several hours downloading the patches. Under Linux I do it while logged in as an ordinary user. I need to find out how to download the Windows patches while logged in as Rick instead.
I just noticed where beach claimed that “Red Hat’s security errata is an incredible hassle.” Well, I would disagree with that part of what he said. Patching Red Hat Linux is no more of a hassle than patching Windows. The process is much like Windows. I click on an icon on the taskbar and a few seconds later it tells me which patches I need. I then click on the patches I want and it then downloads them and installs them automatically. It’s easy just like Windows.
One nice thing I experienced while patching Linux is that two minor bugs in a couple of programs were taken care of by the patches. I am not an expert, but I do not know of any Linux users that have had viruses or worms. However, I do believe that a Linux computer should be kept patched just like Windows. For years most Linux distros came with a good firewall by the way. Linux requires patching too, but I believe it is better with security overall for various reasons.
There goes another one..
If only you Microsoft apologists could realise one simple thing. Just because something is included in the distro doesn’t mean it’s on my machine..
A flaw in apache? I don’t care, it’s still on the cd on the shelf. That would make it pretty hard to exploit now, wouldn’t it? A flaw in IIS? You’d better care, no matter what windows distro you are running.
A flaw in mysql? I still don’t care. I don’t use that either.. A flaw in MSQL? You never know where it hides.
I could keep going on quite a while, but that would be a waste of time. Either you realize by now that in linux _you_ decide what gets installed and choose your risks. In windows you get the whole packet, no choice, all flaws included.
(Preparing to be modded down..)
You cannot build a secure system with languages that let you do anything (assembler, C, C++). At least on a large scale – I mean you can write a function that is 100% secure but not an operating system that has 50 million lines of code.
The solution is to move control to the compiler. But it requires a new generation of languages like for example Oberon. Here you buy security for a ‘freedom’ (no pointer arithmetic, strong type control). Another solution is Java or C#, where applications run in a sandbox. But if the sandbox is written in C you still have the same problem.
A.
Announcement and download: http://www.microsoft.com/downloads/details.aspx?FamilyID=d531bf00-d…
Overview ( French language ) http://www.touslesdrivers.com/index.php?v_page=3&v_code=1261
You cannot build a secure system with languages that let you do anything (assembler, C, C++).
Dan J Bernstein certainly seems to have done just that with qmail, djbdns, and other packages… although he certainly seems to take a radically different approach to software development compared to most programmers. The entire functionality of the program is broken up into multiple, small parts which each implement a single portion of the functionality (i.e. the old Unix axiom of “Do one thing and do it well”). Contrast this to the typical monolithic daemon approach utilized by the programs DJB’s software is intended to replace, primarily sendmail and BIND.
Bascule wrote:
> Dan J Bernstein certainly seems to have done [it]
Maybe. Sorry, I do not know his work. I can also imagine that with their excellent knowledge and skills Edsger Dijkstra, Dennis Ritchie, Niklaus Wirth or Donald Knuth would be able to write a quite good piece of code even with assembler or C++.
But what about millions of average programmers who every day fight with leaking memory or pointers to nowhere? All of us need support from the compiler. Especially if you must do your work fast (typical situation).
A.
I agree with Bascule here. qmail is a good example of this. However, Bernstein is a CompSci/Math professor and qmail is not really a commercial product that is pushed out the door to generate sales. The average programmer’s ability is probably considerably lower than his. Couple this with tight deadlines, and you can see why the quality of qmail is not the norm in the industry.
Inexperienced programmers + unrealistic schedules + very little QA == Really buggy software.
Management is okay with this until it starts to affect revenues.
“A flaw apache? I don’t care, it’s still on the cd on the shelf. That would make pretty hard to expolit now, wouldn’t it? A flaw in IIS? You’d better care, no matter what windows distro you are running. ”
BS and FUD. That’s plainly false. My windows XP home has NO IIS. Same for MySQL. An IT guy who installs IIS on all his workstations is… well, insane. Since W2K3, IIS is not launched by default in server editions, and it is of course a GOOD thing. By the way, when you launch the install of W2K, you are asked if you want to install IIS or not. But I assume it is too difficult.
I do agree that microsoft has many problems with things enabled by default. For example, people who install windows and have worms: it is useless to install windows, go to the internet and get the patches! Get the patches first on a safe machine (with linux, for example), install them and THEN connect to the internet. For the blaster thing: you know that you can switch off the service where the flaw was, do you?
Patches are NOT the problem: the problem is how to patch all windows computers in a nice, useful and not harmful way. Something that MS is learning.
MS has a horrible reputation problem; they want to earn money. They face their greatest opponent, linux. I am sure they will improve in security, standards, etc… Because they will have no choice. In a few years, I would not be surprised to see MS Office having open standard file formats, simply because they will have to.
Linux is really the best thing ever for MS users.
> cyberbear, can’t you just do a WAKE ON LAN to wake up all the PCs, and remote install the patches on every single one?
Trouble is that not all the computers have that capability, and some fall under the control of ‘lab managers’ who want us to leave their equipment alone but who can’t manage their labs and need to call us to bail them out.
We are looking into various solutions.
BS and FUD? hmm. “My windows XP home has NO IIS. Same for MySQL.” ?? Is it your XP box that hasn’t mysql, or is it mysql that hasn’t IIS?
“I do agree that microsoft has many problems with things enable by default.”
At least we agree on something. Problem is -I don’t trust that code, I don’t need it and I don’t even want it on my disk. Period. That way I don’t have to care about “disabling services” “using a safe box to access the Internet”.
“Get the patches first on a safe machine (with linux, for example), install them and THEN connect to the internet.”
Do you even listen to yourself? In other words I’m supposed to have 2 boxes? 1 just to get the fixes in a safe way to the other one?
“they want to earn money. They face their greater opponent,”
Completely agreed; that’s the only way to make them respond. Hit their bottom-line. Problem is that they seem more bent on forcing their “solutions” on people than fixing up their code. I’m talking about things like sites and services that are inaccessible with anything else than their software, effectively making “the net” theirs, aided by “useful idiots”.
“MS Office having open standard file formats”
Not very likely, that would be to throw away their most effective lock-in.. It could be a good thing if they did, but openness and respecting the user has never been on their agenda.
“Linux is really the best thing ever for MS users”
I’m not sure it’s for everyone, but on the other hand I’m not sure windows is either, not at this rate of patching, anyway.
“Is it your XP box that hasn’t mysql, or is it mysql that hasn’t IIS? ”
My mistake: of course, I talked about MS SQL, not MySQL. Windows for workstations (2000 pro, XP home, XP pro) has no IIS by default, no MS SQL either. So it is FUD on that point, or your mistake.
MS aims at security, but they have a huge amount of code to change, without speaking about behaviour. I think they are changing: MS visual C++ is a good compiler, and almost respects ISO C++. W2K3 is better for mixed networks than former versions. C# is a standard.
Far from perfect ? sure.
“Period. That way I don’t have to care about “disabling services” “using a safe box to access the Internet”.
But it is the same on linux!!! I use mainly two OSes: windows XP and debian. Debian enables root login on the ssh daemon by default. Let’s imagine 90% of computers connected to the net have an ssh daemon. Let’s imagine one virus/worm, whatever you want, using the recent OpenSSL unchecked buffer thing. The problem would be the same. The thing about patching before connecting is mainly concerning MS, and that precise fact is mainly due to the quasi monopoly of MS. Whatever OS with the same marketshare would face the same. I don’t say security problems are only coming from the ~90% marketshare for home users, but it is not helping, for sure.
The thing is: windows has a lot of security problems, but patches aren’t really a problem in themselves. Because there are patches for all OSes I know, and there are more patches on linux than on windows; this means strictly nothing. The number of patches means nothing, or OSS software would be shit. The open source development model works that way, with patches (ok, it is source patches, and not binary patches). Unpatched linux is not safer than windows, really. In my former university, there was one big server with bash… 1.*! which means I could easily be root on this one with enough hacking skill (there are local root exploits for bash 1.*, I think).
I am really against the idea that linux is safer than windows, because it means nothing: security is more a way of thinking. I had to tweak my debian box (why the hell is root login enabled by default with ssh daemon !!!!) AND my windows box ( remote RPC, remote registry, etc…) to have a reasonably safe box.
I am moving to Linux and/or buy a Mac. This has just become stupid. It has gone way beyond ridiculous. I understand that there will be mistakes when writing OS’s. They are written by humans, of course, but this has reached the point of complete absurdity.
I’ve read some of the replies here and it seems that some people just don’t get it. Windows is a huge complex ball of code which tries to be everything to everyone. From being a good, easy to use desktop up to a stable and scalable server. Security issues will occur, the issue is how they are handled.
Security issues aren’t a problem if they’re handled properly. Unfortunately both Microsoft, third party software vendors and so-called “IT-Experts”.
Third parties need to work more closely with Microsoft to ensure that their products will work with a service pack and quick-fix, Microsoft needs to make sure that the quick-fix works with their own software and the last link in the chain is for these so-called “IT-Experts” to do their job and patch those bloody machines instead of “stuffing around picking their behind”.
As for the opensource advocates bringing out things to be used as examples. How about listing the number of security holes in Red Hat 9. SuSE 9 had security issues before it was even shipped. What are we paying the distributors for? isn’t that part of their job? check the software and ensure that the whole package works together?
The fact remains that there is no such thing as secure software and as much as many of you people hate it, Microsoft released patches that fixed vulnerabilities exploited by Blaster!. People who are infected aren’t victims but stupid end users who don’t take responsibility for their system by updating their operating system regularly; checking twice a week for any updates.
All systems will need patches… that’s just the way it goes. I’ve got simple scripts for deploying *nix patches that of course don’t require reboots, but with windows it’s a whole different story. The process is so manual for an IT shop to manage all their PCs that it’s getting insane. The fact that several patches also require reboots before you can install other patches also makes it worse. We were looking at MS SAS software for taking care of this problem. It looks like it would, in fact, do the job marvelously… but one problem. MS is really proud of their solution to fix their own problem. In order to relieve my IT staff in dealing with MS patches, MS wants 1) Another server with a Windows server license, 2) MS SQL licenses for all your users, and 3) SAS licenses for all your users. So that’s 10s of thousands of dollars we have to pay MS just to more efficiently patch their <expletive> software.
My mistake : of course, I talked about MS SQL, not MySQL. Windows for worksation (2000 pro, XP home, XP pro) has no IIS by default, no MS SQL either.
That’s kind of the point, now, isn’t it? Whenever a security advisory comes out for a distro such as RedHat, it not only covers the OS, but a plethora of applications as well: Apache, Sendmail, MySQL, etc.
Whenever MS comes out with a security advisory, it relates to core OS components – including stuff which shouldn’t be core OS components, such as IE and Outlook express.
Also, one should consider the severity of security advisories as much as their numbers/frequency. A lot of OE, IE and Windows Messenging Service flaws reported in the last year can be exploited remotely and some can give remote root access. The latest one is potentially quite dangerous:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/…
In comparison, there haven’t been that many Linux “core OS” flaws that gave remote root access over the past year…
“How about listing the number of security holes”
You can’t compare Linux security issues to Windows ones.
It’s not like the number of issues determines how secure one system is. In general Linux issues are NOT the ones that will allow hackers to take over your system…
The fact that someone can write something like Blaster! says enough about Windows.
I don’t see anyone writing this for BSD or Linux.
“SuSE 9 had security issues before it was even shipped”
I’m really growing tired of uneducated people saying this kind of stuff. Are you aware that SuSE pro (any version) ships with over 4000 applications and services that you can choose from. No !@#$%^&* batman there is gonna be some security patches for said software. You also have to remember that most holes in linux software are fixed before they’re exploited or never get exploited because of other security inherent in Linux. Most of the nasty windows worms are just a simple few lines of code and are easily spread across the internet. Funny you never see Blaster for Linux or SQL slammer for MySQL….. oh yeah, I almost forgot, despite having its own regular patches, Linux IS more inherently secure than windows is.
“I don't see anyone writing this for BSD or Linux”
which doesn’t mean it is not possible. Worms exist for linux. Their number is much smaller than for windows, but they exist.
One random link
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14…
If 90% of home computers ran Apache, it would be the same.
The problem is not that writing a worm is possible, but the fact that too many potentially harmful options are enabled by default on a Windows box.
I installed those critical patches and as soon as I rebooted my DSL connection even disappeared from the network connections. I removed 2 patches and my connection came back. The users are the ones to suffer when things go wrong from things like these. Good thing I'm not a regular user.
“If 90% of home computers ran Apache, it would be the same.”
That is a terrible example. Why on earth would 90% of desktops need to run a hosted publicly addressable webserver?
“Worms exist for linux”
I'm not aware of worms for the Linux kernel….. maybe for other third-party software that runs on Linux. Unlike Windows, where most of the worms attack the core OS itself, not third-party or extra services. IE also makes things worse, being integrated in the NT kernel and having some 30 vulnerabilities that no patches yet exist for.
“That is a terrible example. Why on earth would 90% of desktops need to run a hosted publicly addressable webserver? ”
No, it is not. Of course it is stupid for most Joe users to have an http server. And it's stupid to enable remote RPC and remote registry by default on Windows.
That's exactly why I chose that example: the problem is not the patch, but rather the default settings on a Windows box for home users.
“Unlike Windows, where most of the worms attack the core OS itself, not third-party or extra services. IE also makes things worse, being integrated in the NT kernel and having some 30 vulnerabilities that no patches yet exist for.”
And? I don't see the point. And you seem to mix up being in kernel space and being integrated in the kernel…
“SuSE 9 had security issues before it was even shipped”
I'm really growing tired of uneducated people saying this kind of stuff. Are you aware that SuSE Pro (any version) ships with over 4000 applications and services that you can choose from? No !@#$%^&* batman, there are gonna be some security patches for said software. You also have to remember that most holes in Linux software are fixed before they're exploited or never get exploited because of other security inherent in Linux. Most of the nasty Windows worms are just a simple few lines of code and are easily spread across the internet. Funny you never see Blaster for Linux or SQL Slammer for MySQL….. oh ya, I almost forgot, despite having its own regular patches, Linux IS more inherently secure than Windows is.
And the above person is the reason why I stopped using Linux and moved to Solaris/FreeBSD.
SuSE chooses to bundle 4000 packages with their distribution; they aren't forced to, and from my experience most users don't ask for 4000 applications, because by the time it is released, 2 updates have already come and gone for most of the bundled software.
Red Hat Linux, for the kernel alone, has had well over 4 security holes fixed within a space of a few months. I am looking at the default install, and Red Hat, IMHO, has a shocking record. Even FreeBSD + X11 + KDE has fewer security issues.
No sorry bro, but you're still wrong and it's still a bad example. Remote RPC is a built-in Windows feature that's on by default. It's part of any standard Windows installation. Apache has nothing to do with Linux outside of Linux being one of its supported platforms….. it also runs on Unix and Windows. Nor is Apache in the Linux kernel or installed by default on any Linux distro I'm aware of. Your example would work if remote RPC was a third-party app that wasn't installed and/or turned on by default and not a core OS service. Only thing you can compare Apache to in my book is IIS, and I'd say Apache wins that comparison too.
The point I was making on the other part was that the Windows OS itself is vulnerable six ways to Sunday and I think it's fair to say 99% of all users are logged in with administrator rights. Linux itself really isn't vulnerable and users are not logged in as root unless they're not so bright. The installation of 3rd party software and opening up ports can make it vulnerable in a very limited way.
“It is a commonly known fact in the security world that security is not something you can retrofit into a software system, it has to be designed in from the start.”
Microsoft always reminds me of a cheap-furniture manufacturer who does a beautiful polishing job on the outside of the dressers, then you have to use 2 hands to pull the drawers open, and don’t be stupid and touch the exposed interior wood unless you want slivers. And Lord help you if you accidentally try to put drawer A into hole C instead of hole B.
One of the biggest pieces of baloney I ever heard from MS against Linux developers was that they didn’t have a sense for “fit and finish.” Microsoft does, and I commend them for that. Unfortunately, they don’t seem to have been able to apply that principle throughout, only where it shows.
uh … it's prolly a good idea to install your Anti-Virus software first, and update it, before installing any patches.
Ok looks like we have yet another rpc vuln in Windows with no patch currently available:
Researchers have found a new vulnerability in Microsoft’s DCOM/RPC service that has already been exploited. The vulnerability isn’t covered by the MS03-039 Security Bulletin and there is no patch available at this time.
Successful attacks cause denial-of-service on vulnerable machines that have MS03-039 installed, and will also provide remote access to machines that only have MS03-026 installed. Although some public security researchers think this vulnerability may eventually allow hackers to execute arbitrary code on fully patched targets, there is no evidence of this yet.
Technical details
=================
Windows XP and Windows 2000 systems are vulnerable — even those patched for MS03-039.
Suggested workarounds include:
* Block RPC network traffic at the firewall (ports 135/tcp, 139/tcp, 445/tcp, 593/tcp and 135/udp, 137/udp, 138/udp, 445/udp)
* Disable COM Internet Services (CIS) and RPC over HTTP. See http://support.microsoft.com/default.aspx?scid=kb;%5BLN];825819
* Disable DCOM. See http://support.microsoft.com/default.aspx?scid=kb;%5BLN];825750
CERT is tracking this as vulnerability VU#547820.
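The first workaround above names the exact RPC/DCOM ports to block. As an added example (not part of the thread or the advisory), here is a Python script that audits constructed firewall log lines and reports any packet from outside that was still accepted on one of those ports; the log line format and the internal address range are assumptions.

```python
"""Added example, not from the thread: audit firewall logs for inbound
traffic still accepted on the RPC/DCOM ports the advisory says to block."""
import ipaddress
import re

# Port list taken from the advisory's "block at the firewall" workaround.
RPC_PORTS = {"tcp": {135, 139, 445, 593}, "udp": {135, 137, 138, 445}}
# Assumed: the firewall's inside ranges (adjust to your own network).
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Constructed log line shape, loosely modelled on netfilter's LOG output.
LOG_RE = re.compile(r"ACTION=(?P<action>\w+)\s+PROTO=(?P<proto>\w+)\s+"
                    r"SRC=(?P<src>\S+)\s+DST=\S+\s+DPT=(?P<dpt>\d+)")

def is_external(addr):
    """True when the address lies outside every configured internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def rpc_exposures(lines):
    """Return (src, proto, dport) for each ACCEPTed packet from outside to
    an RPC/DCOM port; a hit means the recommended block is missing there.
    DROPped packets and LAN-internal traffic (e.g. file sharing) are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # unrelated or malformed line
        proto, dport = m["proto"].lower(), int(m["dpt"])
        if dport not in RPC_PORTS.get(proto, set()):
            continue
        if m["action"].upper() == "ACCEPT" and is_external(m["src"]):
            hits.append((m["src"], proto, dport))
    return hits

def summarize(hits):
    """Group exposed ports by external source for a short report."""
    report = {}
    for src, proto, dport in hits:
        report.setdefault(src, set()).add(f"{dport}/{proto}")
    return {src: sorted(ports) for src, ports in report.items()}

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are test nets.
SAMPLE_LOG = [
    "ACTION=ACCEPT PROTO=TCP SRC=203.0.113.7 DST=192.168.1.20 DPT=135",
    "ACTION=DROP PROTO=TCP SRC=203.0.113.7 DST=192.168.1.20 DPT=445",
    "ACTION=ACCEPT PROTO=UDP SRC=198.51.100.9 DST=192.168.1.20 DPT=137",
    "ACTION=ACCEPT PROTO=TCP SRC=192.168.1.5 DST=192.168.1.20 DPT=139",
    "ACTION=ACCEPT PROTO=TCP SRC=203.0.113.7 DST=192.168.1.20 DPT=80",
    "ACTION=ACCEPT PROTO=TCP SRC=203.0.113.8 DST=192.168.1.20 DPT=593",
]

if __name__ == "__main__":
    for src, ports in summarize(rpc_exposures(SAMPLE_LOG)).items():
        print(f"{src}: still reachable on {', '.join(ports)}")
```

On the sample log the DROP on 445/tcp and the LAN-internal 139/tcp connection are correctly ignored, while the three accepted external hits on 135/tcp, 137/udp and 593/tcp show where the block is incomplete.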
“of course, I talked about MS SQL, not MySQL. Windows for worksation (2000 pro, XP home, XP pro) has no IIS by default, no MS SQL either. So it is FUD on that point, or your mistake.”
Maybe. I don’t remember about xp, I distinctly remember the win2k installer speaking of configuring IIS. If I’m not completely misinformed it’s used to run the “help” system.
Perhaps I was unclear about MS SQL. My point was that you might be running it without even knowing it..
http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=10&tabid=13
“But it is the same on linux !!!”
My friend, you are confusing a distribution with Linux in general.. Maybe it's so on Debian, shame on them then. But Debian != Linux. There is no OS called “linux-2.4.22”. It's a GNU system running on the Linux kernel. It's a put-together system running on the Linux kernel. It could just as well be BSD/Linux as GNU/Linux. (You as a Debian user should know this..=) ) In other words, what is true on YOUR distro is probably not in someone else's.
There are other distros which don't permit such foolishness (I've never even tried such a stupid thing, but my current distro doesn't allow root to login via ssh).
Now I think I rest my case as others have made my point clear – notably “Great Cthulhu”
All you people are just retarded. Granted there are far more worms and viruses written to target Windows….. but rest assured, when Linux has even close to the amount of market share Windows does you will see just as many written to target those OSes.
Speak for yourself, CooCooCaChoo. I go with SuSE specifically because of all the packages, because it saves me the trouble of downloading and installing a bunch of software which doesn't come with some other distros. To me, there's no such thing as too many apps. Of course, you can uninstall whatever you don't use. And you're paying the same or less for SuSE than you are for other distros.
I don’t understand people who like skinny distros. Imagine a guy standing on the corner passing out apps, and you tell him, “No thanks, I’m tryin’ to cut back.”
Speak for yourself, CooCooCaChoo. I go with SuSE specifically because of all the packages, because it saves me the trouble of downloading and installing a bunch of software which doesn't come with some other distros. To me, there's no such thing as too many apps. Of course, you can uninstall whatever you don't use. And you're paying the same or less for SuSE than you are for other distros.
Ok. I'll give you MY experience when running SuSE Linux. I installed it on my computer. Went the full monty and installed the whole DVD. Everything booted, however, I found that X-CD-Roast didn't work, virtually 60% of the games in the menu failed to load, or if they did load, they would spontaneously segfault for no reason. Funny part is, it would never happen on any of the other distros.
More packages means more complexity, which means more testing, which means higher costs, which then need to be passed along to the consumer. I would be VERY interested in knowing whether during the beta testing, the beta testers actually install the whole distro or do they just install the default and that is it.
If SuSE can't guarantee that the packages they include with their distribution actually work “out of the box” then maybe SuSE should go back to the drawing board and start prioritising their product design.
The average user doesn’t want thousands of packages, they want an operating system bundled with a moderate amount of pre-compiled packages that work out of the box. Standardise on ONE desktop, ONE office suite, ONE media player and support for the alternative toolkits/desktops by supplying the respective libraries required.
If SuSE’s main focus is KDE, then great, however, don’t try to be everything to everyone. Don’t try to aim for the tweaker, aim for the end user who doesn’t want to be confused by having multiple applications that all do the same thing but different.
“My friend, you are confusing a distribution with Linux in general.. Maybe it's so on Debian, shame on them then. But Debian != Linux. There is no OS called “linux-2.4.22”. It's a GNU system running on the Linux kernel. It's a put-together system running on the Linux kernel. It could just as well be BSD/Linux as GNU/Linux. (You as a Debian user should know this..=) ) In other words, what is true on YOUR distro is probably not in someone else's.”
Yeah, sure… What a great argument: Linux is not an OS, blah, blah and blah. I know what a distribution is, I know why some guys want to call it GNU/Linux, and I don't care. Why always give this poor argument?
My argument for root login enabled by default is true with Debian, MDK and RH, as far as I know. So it should be true on 3/4 of installed Linux systems, even more, I don't know. Whatever distro you are using, you have to tweak something to have a relatively secure box, period. Thinking that installing Linux means security is really stupid.
And the argument of root login in Windows is plainly stupid, because it is exactly the same as on Linux. Nobody prevents you from being root all the time. The thing is that the concept of login is too difficult for the average user. He doesn't care. I personally think one has to find something easier to use.
“No sorry bro, but you're still wrong and it's still a bad example. Remote RPC is a built-in Windows feature that's on by default. It's part of any standard Windows installation. Apache has nothing to do with Linux outside of Linux being one of its supported platforms….. it also runs on Unix and Windows.”
No, you didn't get my point: the problem lies in the default settings for Windows. Remote RPC and so on are built-in features, sure, but who the hell needs it? Not the average user. It is potentially harmful. So why enable it by default?
Apache was just an example showing that worms exist on Linux platforms, that's all (see the link I gave). If something like Apache, or an SSH server, etc… were enabled by default on all Linux machines, it would be terrible for Linux's security. If DCOM, etc… were off by default, we wouldn't have heard of Blaster, for example.
“The point I was making on the other part was that the Windows OS itself is vulnerable six ways to sunday a”
I don't have figures, but I am pretty sure that 95% of security-related problems on Windows are due to unpatched server/home machines and very bad configuration (something like Active Directory is very difficult to use).
Frankly, I don't see where Linux is INHERENTLY more secure than Windows, except maybe on the executable bit thing. I am convinced that most security problems today are in the implementation.
I suspected that you knew what a distro is.
However, if you know that, how can you still make the mistake of putting all distros in one lump called “linux”? A BSD system running on the Linux kernel is not impossible, and would in many ways be different from your Debian box. But it would still be Linux.
Point is that Linux can be and is so many things, and many of them are neither RedHat nor SuSE.
“If something like Apache, or SSH server, etc”
Well, they are NOT. If they are there and you don’t need them it’s because YOU put them there. Either because you didn’t manage to override your dependencies or because you are a slackard.
Face it, it’s very simple. If it’s not there, it can’t be exploited.
“Well, they are NOT. If they are there and you don’t need them it’s because YOU put them there. Either because you didn’t manage to override your dependencies or because you are a slackard.
Face it, it’s very simple. If it’s not there, it can’t be exploited.”
That's exactly what I wanted to point out here. Because ssh, Apache, etc… are not enabled by default, most distros are more secure “out of the box” than Windows. But once you install some servers, if you don't know what you're doing, you're doomed.
Anyway, Linux is not SuSE, RH, Debian, whatever, right. But I suspect that most servers in use in the world are RH, although I don't know the figures. Everybody here says Linux servers with Apache are spreading; if most of them are RH, all the patches found on the RH site are totally comparable to Windows… If you prefer, you can compare RH and Windows, but I think telling Linux != RH (which is true) is a bit unfair here, as it must be by far the most used distro for servers.
I make part of my money servicing computers and setting up small networks for small businesses… when I fix a computer and something like this happens I get yelled at by my customers… they think it's my fault no matter how hard I try to explain that it's software… ordinary users and pros alike want stuff that works GOOD… Microsoft is a very wealthy corporation… their products are very expensive and they are full of flaws… products simply cannot be this poor in quality… I mean a fresh box gets infected just by being on the net… recently I got to a point where when someone has a problem with a comp I format… install a full Mandrake and disable all the services for a normal user and I think it works better… I seem like I'm not making any sense because I'm pissed; the point I'm trying to make is that their product is very poor and that's the bottom line… for the money they are charging they need to improve it… nothing is perfect but it's just ridiculous… I'm gonna stop ranting now, go to lunch… long live open source and more importantly open standards!
“If you don't know what you're doing, you're doomed.”
That goes for everything – like riding a bike, or driving a car.
I'm not suggesting that Linux is a “magic bullet” which absolves you from having to know anything. I'm saying that it's more secure because it's simpler (as in “vim /etc/somefile”), and easier to get an overview of. No programs run without me knowing, unless someone roots me in a particularly nasty way. It's a possibility, but that's not very easy.
Windows is big, complicated and impossible to overview. In Windows you can get bitten by a bug in a program you didn't even know was there, for instance see the list about MS SQL.
And by the way. Reasoning like “RedHat has the numbers, therefore RH == Linux” is like someone in the 30s arguing that cars should be called “Fords” because they had the numbers in those days. I don't buy that.