Domain: pivx.com
Stories and comments across the archive that link to pivx.com.
Comments · 96
-
Pivx Preempt
It's surprising that no one wrote about PivX Preempt as an alternative to antivirus software. It tries to fix the causes instead of the symptoms.
-
Re:Temporary Solution
Well PreEmpt, http://www.pivx.com/HomeOffice/, by PivX solutions has protected against this exploit since the release of the MetaFile fix on 7 December 2005. And other, partial, solutions include updating your virus defs. The workarounds are incomplete because of the many different ways the MetaFile code can get processed.
-
Re:A Little Creative thinking maybe....?!?!
If you look at solutions like PivX (PivX.com) you will see that such software is already on the market. I believe Microsoft could provide such a product and, with access to their own source, possibly provide it in an integrated and far superior form (A/V, spyware, signature and heuristic based IPS, stack overflow/BoF protection, etc.).
-
Re:I don't get it.
The author of this article is a Linux system administrator; I can't blame him for not knowing how to secure Windows or use Windows securely. Linux most likely won't solve the problem, and it also requires tweaking to make it secure. Besides, we still have to deal with IE-only websites, so upgrading to Linux is not going to help. Switching browsers will do a better job, especially if she runs programs that only work on MS Windows. And in case switching browsers is not an option, various IE wrappers exist: http://www.maxthon.com/ http://www.avantbrowser.com/ And there is: http://www.pivx.com/qwikfix.asp I don't have experience with these products; Firefox does it all for me.
-
Qwik-Fix Pro protects against forced installs
Qwik-Fix Pro from PivX Solutions (full disclosure: I created this) works to protect against forced installs of spyware.
Qwik-Fix Pro is not a spyware killer but it is enterprise level and does protect against all of the browser based vulnerabilities (among others) that are being used to forcefully install spyware. It is a perfect combo together with a spyware killer such as The Cleaner from Moosoft (http://www.moosoft.com/) or Lavasoft Ad-Aware (http://www.lavasoftusa.com/).
The protection against IE vulnerabilities was implemented in September 2003 and has since protected against all command execution vulnerabilities discovered since then without a need for updates. These very improvements to IE were subsequently included by Microsoft in Windows XP Service Pack 2, though the implementation Microsoft chose failed to protect against several vulnerabilities discovered since then, such as the Drag'n'Drop vulnerability, which Qwik-Fix Pro protected against.
-
Re:It helps
Firefox and any browser other than IE can have holes, but IE and Explorer are directly tied together, which opens a new class of exploits and holes that the other browsers with less integration just do not have.
Some History:
MS realized that the transparent integration of IE and Explorer that started around IE5.x? is not without security issues. The currently hidden [1] "My Computer" zone is the security wrapper between the two. There are multitudes of issues that can exploit holes and create cross zone issues [2]. A majority of the security patches for IE in the last 2 years have been fixing these issues as they appear.
Looking forward, the trend with MS operating systems is going to be a more restrictive "My Computer" zone. Third parties have made tools for existing systems [2] to ease the introduction of these restrictions, and MS themselves have responded with XP SP2 [3] that is in beta now. These are major changes but it is the industry trend. The claims made by PivX Solutions are pretty impressive as noted in the white paper [3b] (+1 bonus to the marketing department) for avoiding past exploits and worms by using their version of a lockdown, which I believe is more than just reconfiguring the My Computer zone. I am in no way shape or form giving a suggestion to use their software or services, just noting that companies DO see a problem with the MS security model and are doing something about it. Any implementation of the concepts they use would do equally as well if researched enough.
[1] How to Enable the My Computer Security Zone in Internet Options
[2] Google Search for IE and Zone exploits
[2a] Security list posting by PivX Solutions describing the concept of security zones
[3] PivX Solutions "Qwik-Fix"
[3a] White Paper describing "Qwik-Fix"
[4] Changes to Functionality in Microsoft Windows XP Service Pack 2
-
Windows Security
Anyone serious about securing a home Windows box should look into Tiny Personal Firewall.
It has a high learning curve for initial setup, but it can drastically reduce the attack vector given to malicious scripts and programs, as it's not just a firewall but also a very elaborate application sandboxing system.
Another solution is to get Qwik-Fix, which applies blanket fixes to many unpatched IE and Windows vulnerabilities.
Remember, security is YOUR responsibility. If you run Windows, YOU need to take your own steps to ensure the security of your system.
-
Re:Smells like a replay of the AT&T monopoly
From the report, I gather they want to define security and then they can make sure they meet that definition. Make the rules and play by them, at least in legal terms.
Exactly. They want to give the appearance of security, but they're not willing to "pony up" the resources required to implement any real security in their software. They only need to convince other executives and decision makers that buy their software. That's what this so-called Microsoft "Security" initiative is all about.
I can't speak for CA and friends, but Microsoft's track record is very bad in this area, and seems to be getting worse! How can they possibly be serious about security when the head of their security business and technology unit is this ignorant?!
Microsoft claims to be taking security seriously, but what are they doing about these vulnerabilities, or or these? (Fortunately for the poor end-users, the Pivx "unpatched page" is not available to the general public anymore.)
This is just a "smoke-screen," something that Microsoft salespeople can point at when talking to executives to try and convince them that security is a priority to Microsoft.
-
Re:Don't use IE
>If Mozilla were the most popular browser then it would have the most exploits.
I disagree. Exploits are not generated by market share but are side-effects of bad design decisions (one word: ActiveX), bad coding practices, insufficient code reviews, clueless management ("I say we ship it, and I'm the boss!") etc.
If Mozilla were the most popular browser, it would certainly get more attention from the black hat scene, and whatever weaknesses are lurking in the code would be exploited. Whether the number of exploits would be bigger than IE's is pure conjecture, since Mozilla's market share is still way lower than Internet Explorer's.
However, the Mozilla team has an excellent track record when it comes to patching known vulnerabilities, while Microsoft used to treat them like dead raccoons. To be fair, they have improved a little in that regard, but there is a reason why this page has been "temporarily suspended", and it's not that there are no unpatched vulnerabilities in IE left for Microsoft to patch...
Some food for thought, more, even more - you get the idea.
-
Re:Vaporware!
Well, this is why some people use Qwik-Fix, from http://www.pivx.com/qwikfix/index.html. Even if your XP isn't updated, it keeps current and perhaps future worms out as well. It's made by those who found the RPC bug.
Of course, even if you use Qwik-Fix, you should update your XP, but this gives you at least some protection if you're not on the computer when a new patch is released and don't want to use auto-update.
- Yak -
Windows Security GM ... ?
Isn't that like finding someone who's homeless and giving them the title of National Economic Advisor? Isn't it like the NTSB giving Firestone an exemplary safety award?
Windows Server 2003 is a small step in the right direction, except it's 10 years late. [By the way - I LOVE the caption on the Windows 2003 page - I initially misread it as "do less with more".]
I like to tell users the reason they are paying me $xxx to repair their computer is because Microsoft was busy working on Clippy instead of fixing the mess they call "Content Zones" in IE/OE. In all fairness, if users would "just keep up to date on their patches" then this wouldn't be (as much of) an issue...
And this is Microsoft's fatal flaw: They look at computers/software completely differently than the typical user.
Microsoft: Install the OS, update drivers occasionally, Check for system security fixes daily, and upgrade when a new OS comes out.
Typical User: OK, this envelope thing with the blue recycle signs around it is what I have to click to get mail, right?
(most) People want to use computers like any other appliance: their VCR, TV, radio -- they don't want to schedule updates and check for vulnerabilities and install firewalls -- they just want it to work.
As long as Microsoft (or ANY admin, for that matter) depends on the end-user to secure their equipment, they will be sorely disappointed.
-
Too bad the IE vuln list is down
unpatched IE vulns :( Before it was taken down because they've fallen for more M$ marketing tactics about beefing up security, there were 31 unpatched IE vulns. I'm sure that Microsoft wouldn't count IE vulns in their Windows 2003 patches, since it's not really part of Windows...
It's sad to see the pressures of non-disclosure creeping back in after such a nice period of full disclosure.
Wake up people, we need full disclosure and exploit code to get Microsoft to patch anything.
-
Vote with your feet
Nah, the proper reaction is to get more articles steering people to better products like Mozilla and Opera. My dad found and installed Mozilla on his own and, from the sounds of it, won't even look at MSIE again.
Too few articles mention all three, and articles mostly fall into one of two categories: Usually the articles praise Mozilla and Opera for features, usability, flexibility, support of standards, stability, security and multi-platform support. Or they go on about the problems specific to MSIE, while implying that MSIE is the alpha and omega of web browsers, and finish by giving the bad advice to sit still and obediently wait to buy the next upgrade, service pack, bug fix for MSIE. At the same time, users and administrators tied to MSIE are prevented from learning about unresolved problems. There are also further costs if company data, such as customer lists, are compromised as a result.
Clearly censorship is not the optimal long term nor even short term solution. IT staff can save time and money now by migrating their users to Mozilla and Opera.
-
Re:W3C Recommendations?
I think the W3C needs to work closely with Microsoft and try to get Microsoft to make Internet Explorer more compatible with all of the existing standards.
They've tried this, but MS refuses to cooperate towards full standards-compliance. Working with Microsoft will inevitably lead to selling out. Look at ECMA's endorsement of C#, or PivX Solutions' recent removal of its IE vulnerabilities page. The standards are not useless; eventually MSIE will die, and Mozilla, Opera, or a KHTML browser will take over as leader.
-
bravo pivx!
We all should give pivx a huge hand!
First, they applied the pressure to help force microsoft into fixing the software.
Second, they are now giving microsoft some slack (negative reinforcement?) for trying to fix its browser.
Bravo guys!
Plus, these guys are hiring!
-
Re:mostly true. then there's...
It's not exactly fair play to refer to a google-cached, outdated web page, just because you don't like the current version saying:
As you know Microsoft has just released a new patch MS03-040, which renders several IE vulns obsolete. We are presently testing the efficacy of the vulns reported to be fixed and we can report that MS03-040 is doing the job it was intended to. Let's just hope that users are diligent in applying the patch.
-
What happened to the Pivx web page?
Just guessing, but did Microsoft make Pivx take down their web page discussing 31 vulnerabilities in Microsoft Internet Explorer? If so, it is good that Microsoft decided not to buy a billion dollars of bad publicity by asking Google to erase the cache.
The page is gone: Unpatched IE security holes, but lives on in Google's cache.
Google's cache: 11 September 2003: There are currently 31 unpatched vulnerabilities.
-
Vulnerabilities disappeared
Pivx was the company that had a website with a list of 31 vulnerabilities in Internet Explorer. Two days ago they pulled it with what sounds like a nice way of saying they were pressured to do so.
-
Re:Spyware stuff
IE is okay if you don't mind a few bugs that allow remote execution *still* (and it's not even a short list): Unpatched IE security holes.
-
We'll give you 0.01%. We keep 99.99%.
To me, the "competition" seems to say, "We've been given $2,500,000 by Microsoft to find security vulnerabilities in Windows. Give us $25,000 worth of information about how to improve Windows and we will give you $250."
Okay, here is my contribution: Unpatched IE security holes -- 11 September 2003: There are currently 31 unpatched vulnerabilities. Okay, where's my money?
The usual reason someone becomes a destructive hacker is that he or she feels abused by adults. Isn't this more abuse?
-
Re:Interesting rebuttal
The 1st line is "The single biggest security issue facing Linux users at the moment is the misconception perpetuated by highly vocal advocates that Linux is somehow impenetrable to security-based attacks, and in particular, viruses and other malware."
That first line doesn't exactly convince me of the quality of the article. What does he mean by "impenetrable"? In discussing the possibility of a Linux worm, say using the recent ssh vulnerabilities, I might point out that most people run ssh with privilege separation, so the attacker would just get user "nobody" privileges (as compared to the recent Windows RPC worms). Does this mean that I'm making some wild claim that Linux is "impenetrable", or am I simply pointing out one reason why Linux is more secure than Windows -- that servers often run as non-root users? What is a "security-based" attack (that's a made-up term, isn't it)? A worm? A trojan? I think Linux advocates admit that both of those are possible on Linux. There are good reasons why viruses would have a hard time spreading on Linux (strict privilege separation), but other types of attacks are certainly possible and acknowledged as such -- with the caveat that they might be harder to pull off (see ssh worm discussion above).
Looking at the article, I'm starting to understand why so many people believe that market share is the only reason why Windows is attacked more. It's as though every random Windows user thinks they understand Linux security. The author states "The reason we have not seen malicious code exploit recent vulnerabilities in other widely-installed open-source applications is pure luck." Bull. See my comment above about an ssh worm. Also note the usual arguments about the heterogeneity of Linux environments. Misunderstandings like that combined with flat out MS apologism ("It wouldn't be sticking one's neck out too far to suggest that Outlook enables the execution of attachments straight from the mail client due to user-demand.") suggest to me the author is one of those people who want to blame anyone other than MS for the problems with Windows. Sure end users are responsible for many security breaches, many of which have little to do with software, e.g. weak passwords. But that still doesn't explain this
-
It's easy
-
Re:This seems very naive
In order for Linux to become as popular and intuitive [shiver] as Windows, things like "setting execute permissions" need to be automatic. Installing apps should be relatively simple as well.
An email client is not a program installer. That is what apt/up2date/whatever, and their various GUI front-ends, are for. Those do set execute permissions, among other important functionality (like handling dependencies) that does not belong in an email client.
OSes will have vulnerabilities. They need to be patched. It ALWAYS comes down to the user.
Internet Explorer has 31 unpatched vulnerabilities. How does it "come down to the user" to fix those holes when there are no patches available?
-
Re:I don't know what people want them to do.
Besides, every time I see an exploit, it's after Microsoft has already issued a patch
Perhaps you just aren't aware of how many exploits there actually are...
31 unpatched IE security holes
And that's only IE!
-
Re:Yet..
Don't bother... There are ~30 critical updates for IE that you'll still be missing.
-
Re:Following their lead
He's probably referring to one of these, some of which can reportedly run arbitrary code.
-
Maybe IE is just a mountain of sloppy code.
Complicated reasons for Microsoft's problems are given in the CyberINsecurity report. However, it seems to me that the security vulnerabilities in Microsoft software may be due to Microsoft pressuring programmers to finish and go on to new projects before they have had enough time to clean up their code.
On 11 September 2003, there were 31 unpatched vulnerabilities in Internet Explorer. On December 9, 2002, there were 19 security vulnerabilities. So vulnerabilities are being found faster than they are being fixed.
Certainly this is embarrassing for Microsoft. Presumably Microsoft would fix these problems if it could. However, maybe IE is a mountain of sloppy code, and it is expensive to fix. Maybe Microsoft is no longer able to hire programmers who are skilled enough to find the bugs.
Who uses the vulnerabilities before they are fixed? Do the U.S. government's CIA and NSA and FBI departments use them to spy on foreign governments? Is that why there are allowed to be so many?
Whatever the reason for the vulnerabilities, it is remarkable that there are 31 known and publicly documented security risks in just one computer program, particularly when that program is the most widely used program to connect to the Internet.
The CyberINsecurity report is almost a Microsoft love fest, because it only talks about one kind of shortcoming. I think my paper, Windows XP Shows the Direction Microsoft is Going, is a bit better balanced.
-
Re:Here is a sample of Word 2003 XML
P.S. Nice try on the sig. Those are for APPLICATIONS not Linux you dolt. Here is my new sig
31 Unpatched IE security holes
Server attacks stump Microsoft
Credit card theft feared in Windows flaw
Microsoft issues patch for "serious" XP hole
Windows flaw threatens PC services
Microsoft's Source Code Actions Speak Louder Than Words
Why I hate Microsoft
bsod_videowall
bsod_airport
License to plunder
Microsoft Media Player logs users' DVD picks
MS wanted to 'extend, embrace and extinguish' competition
Microsoft Palladium
Control with fine print
Microsoft WinXP Update spies on other PC software
Microsoft Windows: Insecure by Design
Microsoft software "riddled with vulnerabilities", trade body claims
Microsoft Issues Five New Security Warnings
Why Open Source Software / Free Software
-
Re:Denial of Money attack?
You've obviously never seen these
And you can tell me that they don't apply to you, I'll just reply "no, not these particular ones..."
Look around, this isn't the only list!
NOTHING should be compulsory, but no AV on a Windows box? Have you never heard of a worm?
-
Hollywood and RIAA: New American Corporate Soviet
The Recording Industry, Hollywood and Microsoft: The New American Corporate Soviet
Loss of Control and Backdoors
Read Microsoft Aims for Protection--From Users
What Microsoft people really mean when they talk about security is security for Microsoft from you. NGSCB's main purpose is to make sure users such as yourself aren't pirating Microsoft's or partners' software or any other copyrighted content--even if that means taking over your system remotely and removing or disabling the offending untrusted software.
...... It boils down to this: In a traditional security scenario, you as a user have control over your system to protect it from outside attackers who are enemies of your system. With Microsoft's vision of the trusted operating system, some system control is handed over to vendors and copyright holders who see you, the system's owner, as the enemy.
NGSCB + RIAA = NSA + KGB + CIA. ( R -> K )
From the Transcript of Internet Caucus Panel Discussion. Re: Administration's new encryption policy. Rep. Curt Weldon's statement
But the point is that when John Hamre briefed me, and gave me the three key points of this change, there are a lot of unanswered questions. He assured me that in discussions that he had had with people like Bill Gates and Gerstner from IBM that there would be, kind of a, I don't know whether it's a, unstated ability to get access to systems if we needed it. Now, I want to know if that is part of the policy, or is that just something that we are being assured of, that needs to be spoke. Because, if there is some kind of a tacit understanding, I would like to know what it is.
Read all of Curt Weldon's statement. Consider that as of 26 August 2003: There are currently 22 unpatched vulnerabilities in Microsoft's Internet Explorer - for many of the serious vulnerabilities Microsoft has not provided a fix to patch the hole in years!
Attestation Monopoly
Microsoft's NGSCB model for DRM content management grants Microsoft effective root digital certificate control over both software and content. It would be a monopoly even stronger than Microsoft's existing desktop dominance. Just as with Microsoft's proprietary file formats and protocols, the network effect would result in any non-dominant player or vendor facing too great a barrier to provide effective monopoly-negating free-market competition.
Loss of Fair Use Rights and doctrine of First Sale
Microsoft's NGSCB DRM model also grants content providers far too much restrictive power. For example, in the USA and in most of the world, you are legally allowed to tape broadcast content for later replay (timeshifting), gathering evidence for making a complaint, or legitimate research. The DRM model can be used by content providers to circumvent these legal rights. Also, if Microsoft or the codec developer drops support for a format or even a particular digital key, all the content "protected" by that method or key becomes unreadable.
The DRM model circumvents the Doctrine of First Sale, by side shifting content from being "goods" into a so-called service. When I purchase a DVD, I own that particular physical instance of that DVD and the right to view the content on it. I expect to be able to play that DVD in any DVD player I choose to, including the DVD drive in my Linux system. Also when I have finished viewing that DVD, I expect to be able to pass or even resell that DVD to any party I choose. I might even give that DVD to my local library, and I am legally entitled to do so. As DMCA protected CSS DVDs already limits what you can do with a DVD, Microsoft's plans f
-
Microsoft Updates -- Unsafe At Any Speed
> When auto-update stops trying to patch apps I don't use or want installed maybe I'll consider enabling it.
I know what you mean. I started avoiding Microsoft updates years ago, when an update grabbed control of my .mp3 and .html extensions away from Winamp and Netscape, and gave them back to Windows Media Player and IE.
Since I ran Netscape instead of IE and Outlook, and I didn't download Word documents from the Net, the only security updates I had to worry about were those that affected Windows itself. The other updates were just a waste of my time, and an _increased_ security risk that I didn't have to take.
And let's not forget the updates that come with new and "improved" EULAs that give Microsoft expanded rights over your system.
But it's no longer a problem for me, because I now run Debian Gnu/Linux, which respects my configuration choices when software updates are applied.
But that's not the end of the story. Just yesterday, my friend brought over his new Windows laptop so we could try playing a DVD in it. When he first got the laptop, a week earlier, we immediately installed Mozilla, and deactivated a number of Windows features (such as Instant Messaging). But when we put in the DVD, it wouldn't play -- not until we first completed the installation of Internet Explorer!
So, as part of Microsoft's ongoing war against Netscape, their DVD player requires IE (with its 22 unpatched security holes). That's just one more reason why I don't use Windows.
-
Something else to think about:
> Species of Windows Programmer: Human
> Species of Linux Programmer : Human
> Chances of human error making it into the code: Equal
Ratio of Windows versus Linux Internet platforms: About 5:4
Ratio of IIS versus Apache Internet servers: About 2:5
Ratio of Windows/IIS versus Linux/Apache major real-life exploits: Over 10:1
Number of current unpatched IE security holes: 21
Possibility for the user to patch IE himself: 0
Conclusion: The biggest problem-causing factor is Microsoft.
-
Re:Because without KaZaa....
... and since Microsoft Internet Explorer is also part of the operating system it must be secure too, right? Unfortunately some rogue "experts" are trying to prove otherwise, but don't trust them! Those infidel bastards!
MSIE and programs embedding its MSHTML engine are totally secure and trustworthy, mkay!?
-
So you must be avoiding all Microsoft software
> I sure hope you don't work for my company. We'll be talking soon if you do. There's no reason to unreasonably subject a company to liability or additional liability regarding a clear risk.
From that, I am assuming that your company has banned the use of Microsoft software, especially on the server.
If you run IIS, then you are opening yourself up to a lawsuit when your customers' credit card numbers get stolen from your website.
If you run IE, then you open yourself up to a lawsuit when your partner's confidential information is stolen from your employee's desktop. There are currently 19 unpatched security holes in IE.
In fact, given the two huge security holes that came to light in the last week, if you are running Windows at all, then you are opening yourself up to a lawsuit due to loss of confidential information.
Of course, security holes aren't the only risk.
If you developed a system for your customer using J++, then you can be sued, because that customer is now dependent on an illegal, unsupported product. The same goes for WISE, which Microsoft abandoned as part of their Unix lock-in scheme.
So since you want to avoid lawsuits, and are therefore not using any Microsoft software, I am curious to know what you do use. Unix? OS/2?
-
The top ten risks to Microsoft are ALL Microsoft.
"Microsoft has officially moved Linux up to the Number 2 Risk to the company..."
This is not correct. The number 1 and 2 risks to Microsoft are the terrible ways the company treats its customers and the poor quality of its product, for example, billions of dollars in damage because of viruses exploiting the poor security of Windows.
Anyone who needs more evidence should see: Unpatched IE security holes. There have been at least 15 unpatched but well known security vulnerabilities in Internet Explorer for the last 2 years. Apparently Microsoft just doesn't care. Or, possibly the U.S. government's secret agencies are using the vulnerabilities to spy on users. The fact is, the quality is poor.
-
Re:A choice of unpleasant possibilities
You have no clue what you are talking about. Linux security is superior to that of any MS OS. When people talk about Linux vulnerabilities, they usually also include vulnerabilities in other open source apps. Sorry, but that is not Linux. Also, look at the exploits that have happened under Linux compared to MS OSes. Most of the ones you would find in Linux applications are very minor and fixed much faster than with the MS "security through obscurity" method. Whereas the ones under MS OSes are usually far more critical, like network services, Server attacks, Credit card theft, logging users' DVD picks, Unpatched IE security holes, etc. I wonder why the National Security Agency picked Linux for a secure OS? These are just some of the holes we hear about. It is easy to hide all the small holes when you use a closed source approach. Sorry, but the MS Fisher Price(TM) OS is not in the same league as that of Unix and Unix-like OSes such as Linux, *BSD and now MacOS X. Whether you like it or not, Unix and Unix-like OSes are the dominant server platform and run most of the web for a reason.
-
Watch Google Zeitgeist
According to Google's User-Agent logs MSIE 6 peaked in March 2003, now see current Zeitgeist
Soon enough we should see Gecko (Mozilla, Netscape, K-Meleon, Galeon, Chimera, ...), KHTML (Konqueror, Safari) and Opera based browsers start gaining more visible percentages from IE 5.x and some from IE 6.0 thanks to MSIE rotting into oblivion.
Some stats samples: thecounter.com May 2003, upsdell.com gathered stats, sharereactor.com current stats (Gecko had 2.19% 2002 Aug 12).
My own site's ~4 day distinct user stats with ~500 hits per day (not 100% accurate):
00.25% - MSIE 4.0
11.85% - MSIE 5.0
06.88% - MSIE 5.5
73.89% - MSIE 6.0
04.33% - Gecko
03.18% - Opera
00.51% - Konqueror
00.51% - Other
-
Re:one reson why
Careful there, you're beginning to sound a little too confident. There are currently 19 unpatched vulnerabilities in IE, some of which can be used to get a trojan into your system if you so much as look at a web page with IE, or read an email. Yes, the email one even affects non-MS clients such as Eudora, although IE is still to blame.
-
We use it - 300 employees
My employer uses Mozilla. We're about 300 employees strong, and operate in a number of industries - shipping services, food products, clothing, and recreational products.
Mozilla actually works quite well (a fact which initially surprised me, to some extent). Of all the sites our employees visit, there are only about 10 that need IE. Considering IE access to the other sites is blocked at the proxy server, and the firewalls prohibit direct access to the net, this fact is undeniable.
Support-wise, Mozilla has been a dream. Our IE installs take more babysitting than Mozilla does. Though I do like the IEAK that we push IE out with, Novell's ZENWorks works great to push out Mozilla.
Of course, whenever someone whines about not being able to use IE when Mozilla is working just fine, I direct them to http://www.pivx.com/larholm/unpatched/, which is pretty damning evidence of IE's issues.
The reasons we cite for not permitting unrestricted use of IE are both the issues listed on the above site and the long, well documented history of security and stability issues inherent in IE. -
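The proxy-side enforcement the poster describes (IE allowed only to the few sites that need it, everything else blocked, with the firewall preventing direct egress) can be expressed as a short proxy rule set. The following is an added example and not the poster's configuration; it assumes Squid as the proxy, and the domain names and LAN range are placeholders.

```squid
# Added example (not from the post above): Squid http_access rules that let
# Internet Explorer reach only an allow-list of destinations and block it
# everywhere else, while other browsers proceed normally.
# Assumptions: Squid as the proxy; example.com names and 10.0.0.0/8 are placeholders.

# Identify IE by its User-Agent header. The "browser" ACL type matches the
# request's User-Agent against a regular expression (-i = case-insensitive).
acl msie browser -i MSIE

# The handful of destinations that genuinely require IE (placeholders).
# A leading dot matches the domain and all of its subdomains.
acl ie_required dstdomain .payroll.example.com .legacy-erp.example.com

# Clients on the internal network (placeholder range).
acl localnet src 10.0.0.0/8

# Rules are evaluated top to bottom; the first matching rule wins.
# IE may reach the allow-listed sites ...
http_access allow msie ie_required
# ... and nothing else.
http_access deny msie
# Every other browser from the LAN is allowed.
http_access allow localnet
# Default deny. "all" is predefined in Squid 3.2 and later; older releases
# must define it first, e.g.  acl all src all
http_access deny all
```

Order matters: the `deny msie` line must come before the general `allow localnet`, or IE requests from the LAN would be permitted by the later rule. Also note that the User-Agent header is supplied by the client, so this enforces desktop policy and stops casual or accidental IE use; a user or malware that rewrites the header walks past it, which is why the egress firewall block and client-side controls the poster mentions are still needed.
-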
Is that a hidden way to pay Microsoft?
Is that a hidden way that the U.S. government is using to pay Microsoft for the unpatched security holes in Internet Explorer?
-
Moz isn't perfect, it's only the best.
You said, "Any organization that rolled-out Mozilla widescale obviously did it out of zeal and not from reading the release notes..."
This would be a more acceptable view in a more perfect world. However, in my opinion, organizations don't have any better choice than an imperfect Mozilla. Internet Explorer has limited features (no tabbing, for example), and many unpatched security holes. Opera is spendy, and doesn't offer HTML email formatting.
Internet page display technology is very, very imperfect. CSS doesn't have all the text formatting features, for example, so that users are required to provide their own system for some features.
Netscape is not an option for governments and large organizations that must be completely open. Netscape just lost a court case over a sneaky element of the browser, in which a user's activity was tracked by AOL. See Wired News: Netscape Settles Software Issue. Would you trust them again?
Moz isn't perfect. It crashes with too much activity. When it crashes, all instances crash. But Moz is the best of a VERY imperfect lot.
-
MS: Bugs? We don't care.
I interpret the story to mean: "We won't fix any of the IE security vulnerabilities."
-
Re:Still no MS enterprise desktop competition.
1. Rdist will work, but I guarantee you it'll take longer to do.
Great! You have no idea about his current setup, yet you are willing to guarantee your solution is better than his. Anybody taking you seriously yet? Nope!
And you're more expensive than any Microsoft admin, so it costs the business more.
Well any is remarkably easy to disprove - all it takes is one person with a higher salary than him that admins Microsoft software, and you are flat out wrong.
Even if you couldn't find any Microsoft admin, your statement can easily be proven wrong by finding an example where the admin cost increase is more than compensated by related savings (e.g. lack of licensing costs, etc).
If you reduce your statement to the average Microsoft admin, you are still wrong. The average Microsoft admin doesn't have a clue - the definitive example being the sheer number of them that don't bother patching. This kind of incompetence costs money.
2. Accountability goes beyond recovery from damages. It mitigates my organization's support responsibilities to issues specific to our environment. Anything else we are not liable for. Regardless of whether Microsoft recovers our losses, the fact remains that we are not accountable, which also drives our cost lower to the business. We have our catalog of services, and troubleshooting core-OS problems isn't one of them.
So let me get this straight: you are happier knowing that when you have a problem, it's not really your problem, because you can bank on Microsoft to fix the problem? And it doesn't matter if Microsoft doesn't compensate you for your losses because people can't sue you? What's wrong with this picture?
3. Add it all up and it's still cheaper to support a Windows environment. Even with the cost of licensing, it's still cheaper for me to hire 2 Windows guys than it is one Linux guy.
The first statement is not proven by the second part. Are "2 Windows guys" as valuable as "one Linux guy"? Plenty of evidence suggests that you need more admins to support less machines in the Windows world. Plenty of evidence suggests that, on average, the Linux guy is going to be more proficient than the Windows guys.
Linux for enterprise apps makes sense. I'm talking about desktops specifically.
What, you don't think that enterprises use desktop machines? The majority of machines in most enterprises are clients, ignoring special cases like Google. That is where the highest savings are to be made.
-
Probably Microsoft code is difficult to maintain.
After months of trying to understand Microsoft's situation (Windows XP Shows the Direction Microsoft is Going), I came to the conclusion that the Microsoft management style leads to mountains of sloppy code that is difficult to maintain. That's the only theory that seems to fit. For example, in the Internet Explorer browser alone, there have for years been more serious security bugs than Microsoft fixed. There are, at present, 14 security vulnerabilities.
Here is the recent record. The list of defects has been similar for years. Also, this is a record only of security defects, not all defects:
- June 18, 2002: 18 vulnerabilities
- August 8, 2002: 22 vulnerabilities
- September 9, 2002: 19 vulnerabilities
- November 19, 2002: 32 vulnerabilities
- December 9, 2002: 19 vulnerabilities. (Microsoft fixed 15 on Nov. 20, but two new ones were found.)
- May 8, 2003: 14 vulnerabilities
Obviously, Microsoft could fix the bugs if the company wanted to fix them. But the company apparently lacks the will to devote the resources necessary (IE still does not have tabbed browsing), and apparently also, it is not easy. -
Re:Great!
Not true at all. You can run IE under Wine or VMWare. IE, on the other hand, cannot render PNGs properly. It also can't handle many standard features of HTML properly, such as the object element. It also cannot handle HTTP properly, doing what is explicitly forbidden by the specification and guessing at MIME types. What else? Oh yes, it has hideous CSS bugs, and has 13 unpatched security holes.
Fact: IE on Windows is a piece of shit.
-
Microsoft's endemic security failure.
The endemic failure of Microsoft toward the security of its own products, services and customers is reason enough to bring the use of Windows 2003 server in mission-critical tasks into question.
For example, Microsoft was notified of the issues, concerning only Microsoft's implementation of its JVM, on September 2nd 2002, and only after SEVEN MONTHS, on April 9th 2003, did Microsoft issue an update to fix the problem.
Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.
Quality and security are measures which only mean something when compared relatively to another.
There is no such thing as absolutely secure; therefore you must expect that, once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.
For example, with the latest Samba vulnerability, once notified, the Samba developer owned up to the mistake and the Samba project released a patch within 48 hours. Within another 24 hours, Red Hat had already backported the patch into their distribution's RPMs. Similarly, any major security issues in the Mozilla and Netscape browsers are also fixed and updateable within a couple of days.
Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some, DANGEROUSLY EXPLOITABLE, had not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded in IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.
Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!
Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer method/system call/API, adapt its own applications to use the safer method and deprecate the unsafe API.
It also appears that Microsoft's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=59960&cid=5681769 ), but Microsoft either chooses not to, or cannot, fix the problem themselves.
Microsoft is clearly not closing the vulnerabilities they are aware exist in their products and services.
A year after Bill Gates' email promoting security over functionality, Microsoft, by choice, remains neither secure nor trustworthy.
Microsoft's attitude towards the security of its products, services and customers is abysmal.
From Jason Coombs' A response to Bruce Schneier on MS patch management and Sapphire ( http://www.securityfocus.com/archive/1/315158 ):
Microsoft Baseline Security Analyzer (MBSA) and Microsoft's version of HFNetChk both failed to detect the presence of the well-known vulnerability in SQL Server exploited by Sapphire, which is one of the reasons so many admins (both inside and outside MS) had failed to install the necessary hotfix. MBSA and HFNetChk are Microsoft's official patch status verification tools meant to be used by all owners of Windows server boxes
...
...In addition to designing MBSA to avoid scanning for SQL Server vulnerabilities, failing to update mssecure.xml reliably and in a timely manner, deprecating HFNetChk by pushing the MBSA GUI as its preferred replacement, and hiding the details of the technical limitation -
Did Schmidt resign due to Microsoft's failure?
The endemic failure of Microsoft toward the security of its own products, services and customers is reason enough to bring Howard Schmidt's leadership in the area of cyber-security into question.
For example, Microsoft was notified of the issues, concerning only Microsoft's implementation of its JVM, on September 2nd 2002, and only after SEVEN MONTHS, on April 9th 2003, did Microsoft issue an update to fix the problem.
Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.
Quality and security are measures which only mean something when compared relatively to another.
There is no such thing as absolutely secure; therefore you must expect that, once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.
For example, with the latest Samba vulnerability, once notified, the Samba developer owned up to the mistake and the Samba project released a patch within 48 hours. Within another 24 hours, Red Hat had already backported the patch into their distribution's RPMs. Similarly, any major security issues in the Mozilla and Netscape browsers are also fixed and updateable within a couple of days.
Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some, DANGEROUSLY EXPLOITABLE, have not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded in IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.
Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!
Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer method/system call/API, adapt its own applications to use the safer method and deprecate the unsafe API.
It also appears that Microsoft's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=59960&cid=5681769 ), but Microsoft either chooses not to, or cannot, fix the problem themselves.
Microsoft is clearly not closing the vulnerabilities they are aware exist in their products and services.
A year after Bill Gates' email promoting security over functionality, Microsoft, by choice, remains neither secure nor trustworthy.
Microsoft's attitude towards the security of its products, services and customers is abysmal.
From Jason Coombs' A response to Bruce Schneier on MS patch management and Sapphire ( http://www.securityfocus.com/archive/1/315158 ):
Microsoft Baseline Security Analyzer (MBSA) and Microsoft's version of HFNetChk both failed to detect the presence of the well-known vulnerability in SQL Server exploited by Sapphire, which is one of the reasons so many admins (both inside and outside MS) had failed to install the necessary hotfix. MBSA and HFNetChk are Microsoft's official patch status verification tools meant to be used by all owners of Windows server boxes
...
...In addition to designing MBSA to avoid scanning for SQL Server vulnerabilities, failing to update mssecure.xml reliably and in a timely manner, deprecating HFNetChk by pushing the MBSA GUI as its preferred replacement, and hiding the details of the technical limitations -
Nice selection..
I'm not complaining.. so many fonts are offered for free out there.. add a couple more to the list and put a smile on your face. =) *Make your AMD run cooler! Remove what you don't need! Ph33r my f4n!