Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Boilerplate refutation
This might come in handy for those of you that would like to do something about those id10ts:
"I have come across a statement on Your website, stating:
"DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."
Here's the thing:
Development of Internet Explorer has been absolutely stagnant for a decade, to a point where it actually became a synonym for "insecure". But don't take my word for it, let's have a look at Secunia (a great website, tracking bugs in popular software).
Internet Explorer 6:
unpatched : 16% (22 of 135 advisories);
highest rated : moderately critical;
http://secunia.com/advisories/product/11/
Internet Explorer 7:
unpatched : 26% (9 of 34 advisories);
highest rated : moderately critical;
http://secunia.com/advisories/product/12366/
Mozilla Firefox 2.0.x:
unpatched : 10% (3 of 29 advisories);
highest rated : less critical;
http://secunia.com/advisories/product/12434/
Mozilla Firefox 3.x:
unpatched : 9% (1 of 11 advisories);
highest rated : less critical;
http://secunia.com/advisories/product/19089/
So:
1. every single version of Firefox has fewer unpatched advisories than every single version of IE;
2. every single version of Firefox has fewer overall advisories than every single version of IE;
3. every single version of Firefox has fewer (percent-wise) unpatched advisories than every single version of IE;
4. every single version of Firefox has a less critical rating than every single version of IE;
Hence - how exactly have you come to the conclusion that Firefox is less secure? It's IE that poses security risks, and it's worse than Firefox by leaps and bounds!
I must consider dispersing such information about browsers as you do as utterly irresponsible."
-
Re:If I were from colorado..
Secunia states that Firefox3 has less critical issues:
http://secunia.com/advisories/product/19089/
While IE6 and IE7 have moderate problems. Making IE less secure:
http://secunia.com/advisories/product/11/
http://secunia.com/advisories/product/12366/
Firefox3 also has only 1 issue unpatched, while IE6 has 22 open issues.
-
Re:PHPNuke
PHP-Nuke is also full of security holes.
I ran the free version some time ago (right before they went to the 'pay for the most recent version, but the old version is still free' nonsense) and it was compromised within a couple of months, even with all of the updates applied.
So, no, I believe I'll pass.
-
Re:Simpler method
...Because Drupal is bulletproof
-
Re:Block scripting in Adobe Acrobat Reader instead
"I guess you didn't bother reading Secunia yesterday." - by SmurfButcher Bob (313810) on Wednesday February 25, @03:11PM (#26985967)
That's NOT quite true... read on!
See this quote, regarding the disabling of javascripting in Adobe:
----
"While this does prevent many of the currently seen exploits from successfully executing arbitrary code (as they rely on JavaScript), it does not protect against the actual vulnerability."
----
AND, I admit - it's JUST turning off the USE of the .DLL (lib) that has the problem, but, NOT FIXING IT! (in disabling javascripting in Adobe Acrobat 9.x... you don't call on its functions, & especially with malicious script? NO problems SHOULD result).
(& who says it's NOT javascript inside these malicious .pdf files? AND YES, sure - admittedly, there ARE other ways to take advantage of a buffer overflow, but why, when javascripting is the easiest route, for MOST folks vs. say, firing up debug & compiling data in a memory address space afforded by a buffer overflow, for example (poor one)?)
After all - Javascript? Hey, it IS the engine .pdf files run from Adobe Acrobat actually USE, in order to execute their macros ("arbitrary code", as 1 possible here, just like in a malicious word .doc file)!
----
AND STRAIGHT FROM ADOBE THEMSELVES:
http://www.adobe.com/support/security/advisories/apsa09-01.html
"Reports have been published that disabling JavaScript in Adobe Reader and Acrobat can protect users from this issue. Disabling JavaScript provides protection against currently known attacks. However, the vulnerability is not in the scripting engine and, therefore, disabling JavaScript does not eliminate all risk"
----
Thus, you can see, they DO admit it helps... even here, just NOT against "all possibles" (such as other means of exploiting buffer overflows I noted above)...
BUT, they do admit, however, that it DOES stall out the ability to execute arbitrary code (of the malware makers' choosing) & guess what? THAT IS THE ACTUAL MALWARE PAYLOAD detonator, in scripting, & in MOST of the attacks online, today...
----
IMPORTANT:
Also note, that later on in my post?
I do point folks to a FIXED .DLL file for this... but, it too, is NOT guaranteed as a permanent cure & it's NOT for any Adobe Acrobat versions earlier than 9.x though... APK
P.S.=> AND, what I am noting here? Hey - This is NOT a 'cure', it's a protective work-around... as is the secondary method I noted, of a FIXED .DLL available from a 3rd party, also, as an alternative for Adobe Acrobat 9.x users... apk
-
Re:Hardware works
On the PWN2Own contest...
"We decided that we would try the Mac, just because it was the easiest target. We've sort of looked at all these guys in the past, and every time we look at the Mac, we find something. When we've look at the other systems, we've usually not been so lucky. So we figured we go with what we've found easiest in the past."
Charlie Miller (http://securityevaluators.com/)
http://secunia.com/advisories/product/96/
Apple Macintosh OSX - 861 Vulnerabilities
-
Re:Have to love Macs
http://secunia.com/advisories/product/96/?task=advisories
Holy crap.. 800+ vulnerabilities. Vista has like 70-80.
Ten times the vulnerabilities. It "just works" for hackers and crackers too.
Go peddle your FUD somewhere else, boy.
-
Re:Oddly enough
If you can get out on the Interwebs with IE6, Leave your job. Your IT people don't care about security, which probably threatens your own Job Security. http://secunia.com/advisories/product/11/ IE6 should never be used on the interwebs. Ever.
-
Get a life fucking Apple fanboy (aka troll)
http://secunia.com/advisories/product/96/?task=advisories
OSX - 861 Vulnerabilities
http://secunia.com/advisories/product/22/?task=advisories
XP - 221 Vulnerabilities
http://secunia.com/advisories/product/13223/?task=advisories
Vista - 82.
----
Vista is by far the most secure OS. But you can continue to spread FUD. It's ok. Just out of curiosity, do you suck Jobs' cock or take it up the bum hole? It's OK to be a whore.. but don't be a stupid whore.
-
Re:Fight back
I want software from people whose motivation is better software, that way we get things like Synaptic Package Manager and Update Manager at least in the case of Ubuntu.
Microsoft's in a bad position in this case. Sure, they're monetarily motivated, but I suspect that they'd do a lot better business with something like Synaptic and Update Manager to help you manage all of the software on your computer. The problem? They'd surely be hit with antitrust allegations every time they don't manage to include all types of software which perform a given function.
Anyway, look into Secunia PSI for software management on Windows. It will scan your computer (files and registry) looking for out of date software, and oftentimes it will be able to provide you with a link to the manufacturer's download page, if not to the executable itself, for updates. It isn't a true repository solution since it won't install new software, but it will at least help you keep installed software up-to-date.
Of course, you may quickly notice some problems that occur due to software manufacturers failing to completely uninstall old versions. I've had multiple versions of software detected by PSI when clearly only one was installed. Cleaning out old files seemed to do the trick.
-
Re:Why can't Microsoft ever get this right?
Exchange needs to be so smart so that it can open up the TNEF document and scan it for content which would route it depending on a user rule, an Antivirus scan need, or a content filter the admin may have.
And yes, CommuniGate PRO has had its share of serious problems just like almost any software;
http://secunia.com/advisories/search/?search=CommuniGate
One of these allows file access as root.
-
Re:Oddly enough...
How about no.
http://secunia.com/advisories/product/11/
22 unpatched vulnerabilities, some of which are critical.
-
EULA - just read it
Read a part of the MS EULA to your customers, without telling them which OS it applies to. At the point when MS disclaim every liability and all warranties, ask them if they would buy a car or kitchen appliance if it had a similar warranty? Only when they gasp with horror, reveal it's the MS EULA.
Ask your customers how many people have independently audited Microsoft's code and published the full results?
Ask them whether MS's code hasn't leaked out, so that its insecurities can't have been explored by untrusted parties (answer: no).
Ask them how long critical security vulnerabilities have typically lasted in Windows, especially IE, before being patched. http://secunia.com/advisories/product/11/
Ask your customers if they know how many people across how many companies have worked on the linux kernel and have verified code quality independently. http://www.linuxdevices.com/news/NS6925891609.html
Ask them if they know how long the average security flaw in Firefox has lasted before being fixed?
-
Refer to statistics and reports
Refer to reports on vulnerabilities and how fast they are fixed (sometimes statistics is the only language they understand).
For example:
http://secunia.com/ shows that Ubuntu 8.10 (latest stable version) has 0% unpatched advisories (0 of 41 Secunia advisories: http://secunia.com/advisories/product/20299/) while at the same time Vista has 10% unpatched (5 of 51 Secunia advisories http://secunia.com/advisories/product/13223/).
-
Re:Go to the bug logs for your software
Secunia keeps track of vulnerabilities in over 20,000 different software applications and operating systems. I would start there when comparing the relative security of an application - which I would not rate simply by whether it is closed or open source but by whether it is maintained, the severity of the vulnerabilities, and how many issues are outstanding.
-
Re:!gonvidia
Not to be too picky, but if you were using a agp2x card (using free bsd) and had that old of a system you were hardly playing games on it anyway, were you?
I liked an occasional game of Tux Racer and some Second Life. Oh, and I forgot a little detail earlier: I got it backwards, and the security vulnerability was in the NVidia driver itself! They didn't backport the fix to the version of the driver that supported my card. With FOSS, at least I could try to port it myself.
And you could probably stick without the graphics acceleration, right?
Sure, but why? Although old, the card itself worked fine. The rest of the system was in great shape, too. There's no reason in the world why I should have had to upgrade everything to replace a working system as long as I'm OK with its performance.
-
2008: ~2 *mainstream* privilege escalations
Did some research to try to quantify that "many"...
Based on a search at secunia.com there were a total of 10 Linux privilege escalation bugs reported for 2008.
Of those, 5 were in proprietary software packages for Linux: Acrobat Reader, MaxDB, Avaya, SSH Tectia Client, and Red Hat Enterprise Linux. Not interesting for ordinary desktop users.
Of the other 5, 1 was in KDE, so that wouldn't affect 100% of Linux users, let's be generous (the most popular free distros use Gnome) and say that's 50% of users.
Of the other 4, 1 seems to work on general Linux systems (sys_remap_file_pages() bug).
Of the other 3, 1 requires the USBLCD driver to be used or only gives group privilege escalation, 1 requires Intel G33 series or newer chipset, and 1 requires that the kernel is running as VMI guest on a x86 system. How many boxes does that cover? Not many, except perhaps for the Intel chipsets --- let's say another 50% (because I have no idea what market share Intel has).
So that's something like 2, maybe 2.5 bugs in all of 2008. Is that "many"? Matter of opinion.
-
Ubuntu Unpatched 0, Microsoft Unpatched 6 + Apps
Ubuntu: There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied. Remember that Ubuntu stats include ALL the applications and servers in the Ubuntu repository.
Vista: SIX Unpatched, which for Microsoft means ONLY the operating system. If, like Ubuntu, you included Microsoft's Office suite, Browser (IE7 has 6 Unpatched), Email, servers (SQL Server 7 has two Unpatched) and other software vulnerabilities it would be a lot more.
And while The most severe unpatched Secunia advisory affecting Microsoft Windows Vista, with all vendor patches applied, is rated Less critical, The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 7.x, with all vendor patches applied, is rated Moderately critical and The most severe unpatched Secunia advisory affecting Microsoft SQL Server 7, with all vendor patches applied, is rated Highly critical.
-
Re:No stats. Just vulnerability list Microsoft no fi
In Vista, for example, that includes SIX unpatched vulnerabilities that include information disclosure, denial of service and escalation of privilege (the latter disclosed just under seven months ago, 2008-04-18).
...all of which were given "less critical" ratings as the highest by the very site you linked, for good reason should you look into the vulnerabilities mentioned.
Now for pure numbers of vulnerabilities found, Vista does pretty well; according to Secunia, less than Ubuntu in fact. Well under half in fact.
I appreciate this whole subject is a "can of worms" and a grey area, which is why throwing plain stats around claiming "Look at this empirical evidence that $OS_NAME is the most secure ever!" is pretty pointless (from both angles), and frankly, comparing Windows users to terrorists is plain stupid.
-
No stats. Just vulnerability list Microsoft no fix
In Vista, for example, that includes SIX unpatched vulnerabilities that include information disclosure, denial of service and escalation of privilege (the latter disclosed just under seven months ago, 2008-04-18).
-
Microsoft desktop == Abetting Terrorists?
Only 1.91% of all [Microsoft Desktop] PCs are fully patched!
Microsoft's most widely deployed platform and applications have not been secured.
The XP platform still has 32 unpatched vulnerabilities,
The latest version of Internet Explorer still has 9 unpatched vulnerabilities,
and Outlook 2003 (the most widely deployed business version of Outlook) still has one outstanding unpatched vulnerability (known since 2004-07-12).
Microsoft Office 2003, still the most widely deployed version of Office, has four outstanding vulnerabilities which put the desktop at high risk of being infected.
Even Microsoft's flagship product Vista has Six unpatched vulnerabilities.
These are all unpatched widely known vulnerabilities, and are only the ones in Microsoft's own products. Consider all the third party vulnerabilities, in downloadable codecs for example, that the design of Microsoft's platforms makes it so easy for crackers to exploit.
In comparison, all of the major Linux based distros have an excellent record of closing known vulnerabilities within days if not hours, before the holes get a chance to be exploited. Also SELinux is becoming more widely deployed to secure applications against such threats. At least with Linux there are existing concrete mechanisms in place (Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora), and currently deployable (Writing policy for confined SELinux users) to provide a locked down secured environment for Linux desktop users inside an organization.
Also from a more abstract point of view, read Increased security through open source.
If you're using the Microsoft platform, then you're abetting the people deploying botnets.
-
Re:For the uninformed:
Paradoxically, this vulnerability was found in Foxit first :)
http://secunia.com/advisories/29941/
-
Why "layered security" vs. Security Suites?
Adding onto my last reply (w/ evidences of security suites failing vs. today's threats from reputable security sites who analyzed it)...
"Considering that most people I know don't do much more with their computers then surf the Web, check their email and use some office software, you don't need much more than what I outlined above." - by apathy maybe (922212) on Saturday October 25, @05:47PM (#25512183) Homepage
&
"Firewall blocking all incoming connections / Alternative web browser (not based on MSIE) and email client / Don't download and run random programs (especially not from websites linked to from ads)" - by apathy maybe (922212) on Saturday October 25, @05:47PM (#25512183) Homepage
Those aren't enough... but, your last suggestion is/would be, & here is why + how:
----
"Learn about computer security" - by apathy maybe (922212) on Saturday October 25, @05:47PM (#25512183) Homepage
Absolutely on this point of yours: & more importantly, HOW TO IMPLEMENT LAYERED SECURITY!
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=7f3029e844e2c17eefa57768b1bf1fc0&showtopic=2662
----
Evidence as to WHY the techniques I listed in the URL above (in my last reply) are more effective than just using a firewall, antivirus, &/or antispyware program + patching your OS + programs:
Take a look @ this CURRENT information on SECURITY SUITES failing left & right on tests run, vs. the threats out there, TODAY (not yesteryear tech in them):
----
Top security suites fail exploit tests (COMPUTERWORLD):
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117042&intsrc=news_ts_head [computerworld.com]
&/or
Top security suites fail exploit tests (SECUNIA):
http://secunia.com/blog/29/ [secunia.com]
----
The "old-school methods" (what security suites use generally - like anti-virus programs using virus detection signatures, which only work vs. KNOWN threats, when they ought to be concentrating on white or blacklisting sites &/or HEURISTICS levels of detection ("smells like a duck, tastes like a duck: IT MUST BE A DUCK!" type logic))
Signature-based detections aren't working that well nowadays guys, vs. std. viruses... & MOST of what folks get today? They're bad javascript driven (in combination with iframes &/or bad or vulnerable plugins) usage, anyhow. AntiSpyware programs do better here, imo @ least, than antivirus programs do. By far...
After all, you know it, & I know it:
People - out online, today/nowadays?
The REAL, TRUE threats out there today are coming thru your email, webbrowser, instant messenger programs!
(& even Adobe .pdf files with javascript active in the program, & plugins like Adobe Flash (which I guessed correctly on here weeks before it was revealed -> http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&cid=25158611 [slashdot.org] no less, as to the "mystery program" that was involved that J. Grossman & crew (discoverers of the clickjack issue) kept under covers, due to "responsible disclosure"))
The guide's steps in the URL above show you how to lessen/mitigate that also, with some common-sense rules & tools, & if you can adhere to them?
You can take you
-
Re:Pretty serious NOT FOR STANDALONE RIGS
"In other words: any idiot on your network can gain admin access to any attached Windows-based system with file-sharing enabled" - by IceCreamGuy (904648) on Thursday October 23, @01:39PM (#25484483) Homepage
Well, for a system that is an endpoint node (say, a workstation) on a LAN/WAN (for example, a departmental one, or even larger @ work for instance)?
Sure - This might be a severe risk!
(Although I have had my colleagues TRY to even find my system on our LAN/WAN @ work, & they can't (one of them's a *NIX head & he likes wireshark for this type of thing amongst other tools) - yet, I have FULL ACCESS to all of our internet, email, + other network features - this is doable, this "effect", with a few simple registry hacks, many of which are covered in the URL link below no less)...
HOWEVER - if you're a "standalone user" (meaning single machine online on the internet, say, from your home)?
This is EASILY secured!
That's easily done, as you more-or-less noted via YOUR method (stopping/disabling File & Print sharing)
OR
By even going a step further -> Stopping the SERVER service (disable it via services.msc)...
There is also a method using a batch file to stop ALL shares (yes, even administrative $ type ones, ala:
C:
NET SHARE C$ /DELETE
NET SHARE ADMIN$ /DELETE
NET SHARE IPC$ /DELETE
NET SHARE DFS$ /DELETE
NET SHARE COMCFG$ /DELETE
NET SHARE FAX$ /DELETE
NET SHARE NETLOGON /DELETE
NET SHARE PRINT$ /DELETE
NET USE * /DELETE
& technically?
Each/ALL/ANY of those measures SHOULD work, just fine, in mitigating this prior to applying this patch (especially if you're a standalone machine on the internet @ home, with no home LAN present)...
(Feel free to correct me if I am off/wrong here fellas... thanks!)
APK
P.S.=> I cover that & MUCH more, here:
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=49125ef36605621c1a4c34eb160411a9&showtopic=2662
&, yes, it works... vs. today's threats, especially - I say this, mainly because today's "security-suites" are NOT doing such a good job, vs. them, as evidenced here:
----
Top security suites fail exploit tests (COMPUTERWORLD):
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117042&intsrc=news_ts_head [computerworld.com]
&/or
Top security suites fail exploit tests (SECUNIA):
----
&, the fact is? They're not that useful vs. threats coming from the REAL source of today's exploits (mostly), & that's javascript (+ iframes & bad or vulnerable plugins for webbrowsers, email programs, & even lately Adobe .pdf reader w/ javascript enabled (easily turned off) & their FLASH plugin system)... &, they're NOT doing well vs. std. viruses either, since many are "polymorphic" in nature today, or, use rootkit type technology... HEURISTICS & white/black lists of sites + apps are the way imo, vs. "signatures" based detection (which is good vs. KNOWN threats only really)... & most of them, depend on the latter (sigs work).
PLUS - Hey, anyone can go to SECUNIA.COM &/or SECURITYFOCUS.COM for example & see my statement here just plain 'bears out as truth', just by seeing how much (a good 95%) of today's threats come from those sources... that guide above, however? IS... & again, it just works! apk
-
Put your "pecker" anywhere you like, & here is
"That depends, do you walk around all day with a rubber on your weiner? No? Newsflash, neither does your computer" - by noundi (1044080) on Thursday October 23, @10:15AM (#25481543)
Mine does, lol, essentially!
AND?
So can yours, or anyone else's, via following some simple steps (many common sense, others more complex), via this guide (which has you use a noted test of your system's security, which is multiplatform (not just restricted to Windows, but also to many *NIX variants as well), called CIS Tool):
----
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (&, beyond its "industry best practices" for security):
http://www.tcmagazine.com/forums/index.php?s=49125ef36605621c1a4c34eb160411a9&showtopic=2662
----
The CIS Tool test is much like a PC performance benchmark, but this one's for security!
(&, it reviewed well in COMPUTERWORLD no less for doing so)
----
"so stop putting its dick everywhere." - by noundi (1044080) on Thursday October 23, @10:15AM (#25481543)
I can, & DO, because I use a simple concept, that works (no virus/worms/trojans/spyware/malware-in-general here, for more than a decade++ now in fact, because of this) -> I practice a thing called "Layered security", nowadays, & yes, it works!
( &, that's what that post from Tech Connect Magazine gives you, & shows YOU, the end user, how to do layered security of your system today, online... &, as a bonus? You'll even end up surfing F A S T E R as well... )
See - The problem with today's antivirus programs is that they're largely MOSTLY "signatures based" & with polymorphic viruses that can "mutate" into ones that look totally different to an antivirus program (defeating signatures based detections) from one minute to the next?
HEURISTICS ("looks like a duck, sounds like a duck, smells like a duck - IT MUST BE A DUCK!" type logic) is the way to go for them, alongside whitelisting &/or blacklisting of applications allowed to run!
I mean, take a look @ this CURRENT information on SECURITY SUITES failing left & right on tests run, vs. the threats out there, TODAY (not yesteryear tech in them):
----
Top security suites fail exploit tests (COMPUTERWORLD):
&/or
Top security suites fail exploit tests (SECUNIA):
----
The "old-school methods" (what security suites use generally - like anti-virus programs using virus detection signatures, which only work vs. KNOWN threats, when they ought to be concentrating on white or blacklisting sites &/or HEURISTICS levels of detection ("smells like a duck, tastes like a duck: IT MUST BE A DUCK!" type logic))
Signature-based detections aren't working that well nowadays guys, vs. std. viruses... & MOST of what folks get today? They're bad javascript driven (in combination with iframes &/or bad or vulnerable plugins) usage, anyhow. AntiSpyware programs do better here, imo @ least, than antivirus programs do. By far...
After all, you know it, & I know it:
People - out online, today/nowadays?
The REAL, TRUE threats out there today are coming thru your email, webbrowser, instant messenger programs!
(& even Adobe .pdf files with javascript active in the program, & plugins like Adobe Flash (which I guessed correctly on here weeks before it was revealed ->
-
TRUST THIS (layered security), &, a test
"Ok. Then what can we trust?" - by 404 Clue Not Found (763556) * on Thursday October 23, @09:49AM (#25481201)
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (&, beyond its "industry best practices" for security):
http://www.tcmagazine.com/forums/index.php?s=49125ef36605621c1a4c34eb160411a9&showtopic=2662
----
You can trust that material in the URL link above! Mainly because it's YOU doing the work, yourself, albeit, with a tool that makes it some fun, & explains why you are weak in a particular area in securing your own system, yourself, with a fun to use tool to do so.
The CIS Tool test is much like a PC performance benchmark, but this one's for security!
(&, it reviewed well in COMPUTERWORLD no less for doing so)
So, it's a test (which is what you asked for in fact) to quantify your improvements, after you do the work securing yourself based on its advisements (& points that go beyond just that test only are also in that guide above)
E.G. -> In not quite 1 year's time online, it's passed over 200,000 views on the 27 forums it's on, & people are doing well using it... but, take a peek @ it yourself, & YOU judge, as to whether it can help YOU, help yourself, vs. the threats present online, today.
----
"Without some sort of test, however imperfect, how is the average home user supposed to choose?" - by 404 Clue Not Found (763556) * on Thursday October 23, @09:49AM (#25481201)
Layered security!
( &, that's what that post from Tech Connect Magazine gives you, & shows YOU, the end user, how to do for security of your system today, online... &, as a bonus? You'll even end up surfing F A S T E R as well... )
The problem with today's antivirus programs is that they're largely MOSTLY "signatures based" & with polymorphic viruses that can "mutate" into ones that look totally different to an antivirus program (defeating signatures based detections) from one minute to the next?
HEURISTICS ("looks like a duck, sounds like a duck, smells like a duck - IT MUST BE A DUCK!" type logic) is the way to go for them, alongside whitelisting &/or blacklisting of applications allowed to run!
I mean, take a look @ this CURRENT information on SECURITY SUITES failing left & right on tests run, vs. the threats out there, TODAY (not yesteryear tech in them):
----
Top security suites fail exploit tests (COMPUTERWORLD):
&/or
Top security suites fail exploit tests (SECUNIA):
----
The "old-school methods" (what security suites use generally - like anti-virus programs using virus detection signatures, which only work vs. KNOWN threats, when they ought to be concentrating on white or blacklisting sites &/or HEURISTICS levels of detection ("smells like a duck, tastes like a duck: IT MUST BE A DUCK!" type logic))
Signature-based detections aren't working that well nowadays guys, vs. std. viruses... & MOST of what folks get today? They're bad javascript driven (in combination with iframes &/or bad or vulnerable plugins) usage, anyhow. AntiSpyware programs do better here, imo @ least, than antivirus programs do. By far...
After all, you know it, & I know it:
People - The REAL, TRUE threats out there today are coming thru your email, webbrowser, instant messenger programs (& even Adobe .pdf files with javascript active in the program,
-
Re:Fast javascript: MORE IMPORTANTLY? Secure DOM
"Does anyone know of a project to bring some of the fast Javascript implementations like V8 to the server?" - by cornicefire (610241) on Monday October 13, @06:40PM (#25362433)
More importantly than speed, imo @ least, would be to create a less 'faulty' (insecure) implementation of the Document Object Model (DOM) behind javascript... & of javascript itself!
(After all, anybody can take a peek over @ SECUNIA.COM &/or SECURITYFOCUS.COM (just to name a couple of reputable sites in regards to security) & see that the majority of attacks ARE javascript driven the past 3-4 years now (sometimes in combination with plugins & iframes) that have even extended to not only bad sites' code, but also adbanners as well).
Speed's nice, but judging by the state of things, such as the recent "ClickJack" shenanigans going on out there (which YES, stalling javascript does help stop, despite the init. headline here in regards to this on Sept. 25th 2008 ->
----
Alarm Raised For "Clickjacking" Browser Exploit:
----
Which the /. article's poster had stated otherwise (verbatim: "The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you", which is blatantly untrue, if you read on you will see why & from whom (makers of NoScript iirc)), at the close of its initial posting? Well, guess again:
----
SALIENT QUOTE:
http://www.securityfocus.com/news/11534/2
"JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer"
----
Thus, as you can see? Well, contrary to the "clickjack" article initially posted here @ /. on Sept. 25th & its headline here from its initial poster?? It actually HELPS to stop javascript vs. Clickjacks, too (see the reference to SECURITYFOCUS.COM there in that URL above)... once more, see the URL above in regards to that & despite others also stating that 'stopping javascript would stall framebusting code, as well!
Speed's nice guys, but it only means you will get infected/infested, THAT MUCH FASTER is all, nowadays (& for the past 3-4 yrs. now)... heck, & the security suite folks are failing vs. these things too, with this latest COMPUTERWORLD excerpt:
----
Top security suites fail exploit tests (COMPUTERWORLD):
&/or
Top security suites fail exploit tests (SECUNIA):
----
The "old-school methods" (what security suites use, like virus signatures, which only work vs. KNOWN threats, when they ought to be concentrating on white or blacklisting sites &/or HEURISTICS levels of detection ("smells like a duck, tastes like a duck: IT MUST BE A DUCK!" type logic)) aren't working that well nowadays guys!
After all, you know it, & I know it - The REAL, TRUE threat's coming thru your email, webbrowser, instant messenger programs (& even Adobe .pdf files with javascript active in the program, & plugins like Adobe Flash (which I guessed correctly on above no less, as to the "mystery program" that was involved that J. Grossman & crew (discoverers of the clickjack issue) kept
-
Re:The first step in securing their servers
Yeah, everyone remembers Windows as the OS that could be completely pwned if the user installed and ran Quake or Quake II. Shit, that hack works on Linux too, sorry. Let me try again.
We all remember how Windows boxes were used to admin huge botnets of Windows computers. Ah, dammit, they were cracked Linux boxes doing the admin work. One more try.
You can bet your money on there never having been a rootkit for Linux!
Damn, I was so close.
I'll let you work out the moral of this story, but I can steer you onto the right track - next time you're going to prattle about the security of something, try picking something that has had more than only 6 vulnerabilities found in 2 years of release, none of which allow privilege escalation and all of which have been patched.
-
I was correct, per SecurityFocus.com & Secunia
Looks like I was correct in my "guess" here, in the post I did here two weeks ago (where I indicated stopping plugins, specifically ADOBE FLASH PLAYER), which was the reply I just replied to in THIS followup posting:
http://secunia.com/advisories/32163/
SALIENT QUOTE:
"A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information. The vulnerability is caused due to a design error and can be exploited to e.g. gain access to the system's camera and microphone by tricking the user into clicking Flash Player access control dialogs disguised as normal graphical elements. The vulnerability is reported in version 9.0.124.0. Other versions may also be affected. Solution: The vendor recommends disabling Flash Player camera and microphone interactions"
----
It also appears that I was also correct in my "guess" here, in the post I did here two weeks ago, about stopping JavaScript also (despite the init. newspost here saying "javascript is not part of it" etc. et al):
http://www.securityfocus.com/news/11534/2
SALIENT QUOTE:
"JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer"
(A note to the news submitters here & the editors: Learn about this stuff, before stating things that are outright incorrect (such as the init. newspost stating turning off javascript would not help vs. this new threat... without understanding this stuff thoroughly, first? You'll end up eating your words...)
APK
P.S.=> I've been telling folks to 'crank those off' (plugins &/or IFrames, as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites))), here, for more than a year now:
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):
AND, as you can see? IT JUST WORKS (even vs. the "latest/greatest" security threats/hacks/vulnerabilities? Common-sense usually does work)... apk
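The clickjacking threads above (the "Secure DOM" post and this one) turn on the point from the SecurityFocus quote: JavaScript lets an overlaying page keep the hidden target under the pointer, and frame-busting scripts that defend against it stop working the moment scripting is off. The following PowerShell function is an added example, not code from these posts, SecurityFocus or Secunia, and it goes beyond what the posts discuss: it checks a site's HTTP response headers for the two framing defenses a server can impose on the browser independently of the visitor's JavaScript setting, X-Frame-Options and the Content-Security-Policy frame-ancestors directive. The header sets it runs against are constructed here so the check works offline; Get-FramingDefense is a hypothetical helper name, not a built-in cmdlet.

```powershell
# Added example (not from the posts, SecurityFocus or Secunia): does a response carry a
# server-enforced framing defense, so clickjacking protection does not depend on client JavaScript?

function Get-FramingDefense {
    param([Parameter(Mandatory = $true)][System.Collections.IDictionary]$Headers)

    # Header names are case-insensitive, so index a lower-cased copy.
    $h = @{}
    foreach ($k in $Headers.Keys) { $h[$k.ToLowerInvariant()] = ([string]$Headers[$k]).Trim() }

    # X-Frame-Options: DENY or SAMEORIGIN stops third-party pages from framing this one.
    # ALLOW-FROM is obsolete and ignored by current browsers, so it does not count as protection.
    $xfo   = $h['x-frame-options']
    $xfoOk = [bool]($xfo -and ($xfo -match '^(DENY|SAMEORIGIN)$'))

    # CSP frame-ancestors lists who may embed the page: 'none', 'self' or an explicit origin
    # list all prevent an arbitrary site from laying its own UI over the page.
    $cspOk     = $false
    $ancestors = $null
    $csp = $h['content-security-policy']
    if ($csp) {
        $directive = ($csp -split ';') | ForEach-Object { $_.Trim() } |
                     Where-Object { $_ -match '^frame-ancestors(\s|$)' } | Select-Object -First 1
        if ($directive) {
            $ancestors = $directive -replace '^frame-ancestors\s*', ''
            $sources   = @($ancestors -split '\s+' | Where-Object { $_ })
            # A wildcard, or an empty source list, leaves the page embeddable by anyone.
            $cspOk = ($sources.Count -gt 0) -and -not ($sources -contains '*')
        }
    }

    $verdict = if ($xfoOk -or $cspOk) { 'framing restricted by the server' }
               else { 'no server-side framing defense; only client-side frame-busting (needs JavaScript) could help' }

    [PSCustomObject]@{
        XFrameOptions  = $xfo
        FrameAncestors = $ancestors
        Protected      = ($xfoOk -or $cspOk)
        Verdict        = $verdict
    }
}

# Constructed sample header sets (not captured from any real site).
$samples = [ordered]@{
    'no defence'          = @{ 'Content-Type' = 'text/html' }
    'X-Frame-Options'     = @{ 'Content-Type' = 'text/html'; 'X-Frame-Options' = 'SAMEORIGIN' }
    'CSP frame-ancestors' = @{ 'content-security-policy' = "default-src 'self'; frame-ancestors 'none'" }
    'CSP wildcard'        = @{ 'Content-Security-Policy' = 'frame-ancestors *' }
    'obsolete ALLOW-FROM' = @{ 'X-Frame-Options' = 'ALLOW-FROM https://example.test/' }
}
foreach ($name in $samples.Keys) {
    $r = Get-FramingDefense -Headers $samples[$name]
    '{0,-20} protected={1,-5} xfo={2} frame-ancestors={3}' -f $name, $r.Protected, $r.XFrameOptions, $r.FrameAncestors
}
```

Against a live site the same function takes the headers of a real response, e.g. `Get-FramingDefense -Headers (Invoke-WebRequest -Uri $url -UseBasicParsing).Headers`; the sample runs above report only the X-Frame-Options and CSP frame-ancestors cases as protected, which is the property a site owner needs so that visitors who browse with scripting disabled, as the posts recommend, are still covered.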
-
I was correct, per SecurityFocus.com & Secunia
Looks like I was correct in my "guess" here, in the post I did here two weeks ago (where I indicated stopping plugins, specifically ADOBE FLASH PLAYER), which was the reply I just replied to in THIS followup posting:
http://secunia.com/advisories/32163/
SALIENT QUOTE:
"A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information. The vulnerability is caused due to a design error and can be exploited to e.g. gain access to the system's camera and microphone by tricking the user into clicking Flash Player access control dialogs disguised as normal graphical elements. The vulnerability is reported in version 9.0.124.0. Other versions may also be affected. Solution: The vendor recommends disabling Flash Player camera and microphone interactions"
----
It also appears that I was also correct in my "guess" here, in the post I did here two weeks ago, about stopping JavaScript also (despite the init. newspost here saying "javascript is not part of it" etc. et al):
http://www.securityfocus.com/news/11534/2
SALIENT QUOTE:
"JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer,"
APK
P.S.=> I've been telling folks to 'crank those off' (plugins &/or IFrames, as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites))), here, for more than a year now:
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):
AND, as you can see? IT JUST WORKS (even vs. the "latest/greatest" security threats/hacks/vulnerabilities: Common-sense usually does work)... apk
-
Re:Bullshit? Not b.s. -IFrames & Plugins + JSc
Looks like I was correct in my "guess" here, in the post I did here two weeks ago (where I indicated stopping plugins, specifically ADOBE FLASH PLAYER):
http://secunia.com/advisories/32163/
SALIENT QUOTE:
"A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information. The vulnerability is caused due to a design error and can be exploited to e.g. gain access to the system's camera and microphone by tricking the user into clicking Flash Player access control dialogs disguised as normal graphical elements. The vulnerability is reported in version 9.0.124.0. Other versions may also be affected. Solution: The vendor recommends disabling Flash Player camera and microphone interactions"
----
It also appears that I was also correct in my "guess" here, in the post I did here two weeks ago, about stopping JavaScript also (despite the init. newspost here saying "javascript is not part of it" etc. et al):
http://www.securityfocus.com/news/11534/2
SALIENT QUOTE:
"JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer,"
APK
-
Re:You are trying to file a lawsuit. Cancel or All
Except the numbers seem to mostly back me up here.
Windows 2000 Professional: 182 Secunia advisories, 165 vulnerabilities. http://secunia.com/advisories/product/1/
Windows XP Professional: 219 Secunia advisories, 202 vulnerabilities. http://secunia.com/advisories/product/22/
Windows ME: 35 Secunia advisories, 21 vulnerabilities. http://secunia.com/advisories/product/14/
Windows XP Home: 199 Secunia advisories, 184 vulnerabilities. http://secunia.com/advisories/product/16/
I'd say it's too early to tell whether Vista has more holes than XP, but it certainly could. Currently, there are 40 Secunia advisories and 63 vulnerabilities.
-
Re:Not to worry.
"Anyway, I doubt the alternative PDF readers suffer from the security issues present in Acrobat Reader -GayGirlie" - by Anonymous Coward on Tuesday September 23, @11:53AM (#25121643)
Well, I went & checked on EVINCE for you, & it too has KNOWN security vulnerabilities as of the date of this posting (same w/ FoxIT PDF reader):
Vulnerability Report: Evince 0.x:
1 Secunia advisories
1 Vulnerabilities
http://secunia.com/advisories/product/12767/
APK