Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Where is the debunking?
I read the article pretty carefully. I don't see any actual numbers to back up this "debunking".
That's because you are gullible enough to believe the hype, aggravated by your lack of will to perform a basic search for the facts. Here is a bit of debunking from a quick google search.
From Secunia's advisory statistics:
- Microsoft Windows Vista has 2 unpatched vulnerabilities, highest rated not critical
- Microsoft Windows XP Home has 27 unpatched vulnerabilities, highest rated highly critical
- Microsoft Windows XP Professional has 30 unpatched vulnerabilities, highest rated highly critical
- Apple Macintosh OS X has 5 unpatched vulnerabilities, highest rated less critical
- Ubuntu Linux 7.04 has zero unpatched vulnerabilities
- Ubuntu Linux 6.10 has zero unpatched vulnerabilities
- Red Hat Enterprise Linux Desktop (v. 5 client) has zero unpatched vulnerabilities
- Red Hat Enterprise Linux (v. 5 server) has zero unpatched vulnerabilities
Those are real world facts supported on real world evidence which is freely available to the public. It isn't a random blog entry which is based on god knows what data which is only known by the author and possibly doesn't even exist. So where in fact is there a need to "debunk" a moronic, unsubstantiated claim made by some microsoft employee, especially when there is all that evidence right in front of everyone's face?
-
Re:Did I miss something
You did miss something. I suggest actually reading the list of advisories: http://secunia.com/product/10611/?task=advisories
That's all the advisories for Ubuntu 6.06... for all time. How many of those are for programs that you've even heard of, much less would be installed on your machine? Check out this highly-critical security vulnerability for the xmms music player:
Sven Krewitt of Secunia Research discovered that XMMS did not correctly handle BMP images when loading GUI skins. If a user were tricked into loading a specially crafted skin, a remote attacker could execute arbitrary code with user privileges.
-
Did I miss something
Rather than take his word for it why not just check at Secunia.
Vista
Vendor Microsoft
Product Link View Here (Link to external site)
Affected By 10 Secunia advisories
Unpatched 20% (2 of 10 Secunia advisories)
Most Critical Unpatched
The most severe unpatched Secunia advisory affecting Microsoft Windows Vista, with all vendor patches applied, is rated Not critical
Ubuntu 6.06
Vendor Canonical Ltd.
Product Link View Here (Link to external site)
Affected By 147 Secunia advisories
Unpatched 0% (0 of 147 Secunia advisories)
Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.
-
Re:Why would you ever.....
"I can use Linux how ever the hell I want and not worry about stupid OS design"
Really? That's funny. Make a change to a setting in Gnome and tell me where it's stored. ~/.gnome? ~/.gnome2_private? ~/.gconf?
/etc? /usr/local/etc? It's a lottery. Couple that with applications that explode files all over your hard drive (/usr, /usr/lib, /opt, /etc and so forth) and you have an absurdly complicated, clumsily constructed OS built from thousands of components from a massively splintered development group. It's pretty stupid OS design. Sure, it's better than Windows in some respects, but go look at OS X, VMS or Syllable for proper OS design.
"bad programming letting infectious software damage my system"
How utterly laughable. There have been 123 security advisories for kernel 2.6.x. Ubuntu 6.06, the Long-Term Support release, has had 145 advisories. Core libraries and components have suffered major vulnerabilities. Do those numbers not bother you? Linux is pretty weak security wise. Sure, nobody is crafting exploits for the tiny percentage of desktop Linux users right now, but it's still shockingly bad.
Your post sums up the massive blind zealotry in the open source world that puts many of us off using Linux. It's a vast, hugely complicated OS with many security problems cropping up regularly. Just because it isn't exploited to the same level as Windows doesn't change that fact.
But congratulations on the supreme ignorant zealotry in your post. Keep your fingers in your ears and singing "blah blah blah" when any problem is mentioned!
-
Re:Why would you ever.....
Links please?
Statistics for 2007, directly from Secunia website:
- OSX
Affected By 103 Secunia advisories
Unpatched 5% (5 of 103 Secunia advisories)
- XP
Affected By 186 Secunia advisories
Unpatched 16% (30 of 186 Secunia advisories)
- Vista
Affected By 10 Secunia advisories
Unpatched 20% (2 of 10 Secunia advisories)
Source:
http://secunia.com/product/13223/?task=statistics_2007
http://secunia.com/product/22/?task=statistics_2007
http://secunia.com/product/96/?task=statistics_2007
-
Re:Wrong title
no, all 9 are patched. 0 unpatched.
-
Some exploit details from Secunia
http://secunia.com/product/13223/?task=statistics Their numbers don't match the original article's numbers though. I'm sure there are others out there that report exploits, but this is the one I had bookmarked and could quickly share.
-
Re:Where is the 12 out of 27 number coming from?
Here is the original report http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report
and the secunia link for Vista: http://secunia.com/product/13223/?task=statistics
-
Re:Ok, I took your advice, & here is what I fo
"Feel free to source more than one security advisor. It may be helpful." - by Technician (215283) on Wednesday June 20, @11:57AM (#19581243)
Good point & I'll agree (2nd doctor's opinions always are helpful):
(I didn't have time (got called into work to resolve an issue, but am home again now))...
"IIS secure? Apache secure? They both have exploits." - by Technician (215283) on Wednesday June 20, @11:57AM (#19581243)
Yes, that's the very point I was trying to make...
"The number of exploits is one thing." - by Technician (215283) on Wednesday June 20, @11:57AM (#19581243)
Yes, & there is apparently MORE reported on Apache Servers, up to 10 times more, per SECUNIA's data @ least.
"The number of exploited machines is another" - by Technician (215283) on Wednesday June 20, @11:57AM (#19581243)
That always comes down to WHO is setting the systems up & admin'ing them, can you concede this?
E.G.-> http://forums.techpowerup.com/showthread.php?s=784c7caab0a4072b2e2cb96198eeb995&t=16097&page=2
See that url, humor me, especially THIS one... there is a reason why, because it "backs up" what I said above... with quantified numbers!
I.E.-> There, on the CIS Tool 1.x test (runs on Solaris, Linux, BSD, Windows etc. et al)?
I put out a roadmap of how to get an 84.735/100.000, w/ verifying photo of my score... I have challenged Linux folks to beat it here:
http://linux.sys-con.com/read/382946_f.htm
No takers... or, no one could!
Today, on a BSD related post (since most of the Linux folks @ the URL above suggested BSD for security)? I put the SAME CHALLENGE FORTH to BSD users here @ /. (slashdot/root lol!):
http://bsd.slashdot.org/comments.pl?sid=238993&cid=19578849
Hopefully, there WILL be some "takers" this time, from the BSD world!
(That 84.735 score in the techpowerup.com url above? It is as good as I can get it @ least, on Windows... stock though?? Even Windows Server 2003 SP #2 only gets like a 20 iirc, out-of-the-box/oem stock!)
"To make you feel good, here is a current Linux exploit;" - by Technician (215283) on Wednesday June 20, @11:57AM (#19581243)
Well, it wasn't about THAT to me, but... since you put it THAT way? This does a better job:
I.E. - Windows Server (9%) itself has less bugs and LESS CRITICAL ONES, than Linux 2.6 kernel builds (13%) do!
Windows Server 2003 Enterprise Edition @ SECUNIA
http://secunia.com/product/1174/?task=advisories_2007
vs.
Linux's @ SECUNIA (2.6 kernel builds/latest):
http://secunia.com/product/2719/
"For workstations which visit the web, I avoid Windows. Just seeing the headlines is enough." - by Technician (215283) on Wednesday June 20, @11:57AM (#19581243)
Heh, I don't... see the URL above from techpowerup.com!
Again - on how I note how to setup Windows Server 2003 SP #2 (default install IS workstation/pro, you add server tools as needed, on the fly during setup, OR later as needed) to get that CIS Tool 1.x score of 84.735...
"If you have any data on the number of non Windows bots in the herds, let me know. I'm looking for any data on the breakdown of OS on exploited bots." - by Technician (215283) on Wednesday June 20, @11:57AM (#19581243)
LOL, cool... you're a "data archivist", as am I (for stats & such for backing during debates)... which IS good!
(I just thought you were trying to "overwhelm & devastate me" w/ a flood of figures (and I a
-
Ok, I took your advice, & here is what I found
Alright, sure: I'll take that challenge - why not (so, here is what I turned up, from a quick scan of SECUNIA.COM):
"Check the percentage of pwned IIS servers and the uptime of Apache on Linux" - by Technician (215283) on Wednesday June 20, @01:12AM (#19574975)
I tell you what, I will use the # of vulnerabilities found in BOTH webservers, because I could find it easily enough!
IIS (first URL) shows less bugs/vulnerabilities than Apache (2nd URL) does (and less critical ones) & in fact, 10 TIMES LESS!
IIS -> http://secunia.com/product/1438
vs.
Apache -> http://secunia.com/product/73
(Uptime? That's relative & largely dependent on who sets the servers up & how they did so, as well as maintaining them - that rides on the programmers (who build say, ISAPI dll's (not as good as ->) or ASP.NET server-side garbage cleanup capable apps), administrators, &/or techs running it imo, more than the code itself in them & % of "owned" IIS servers is going to be possibly higher, because everyone targets MS stuff (because it is largely used (the OS itself & peripheral wares), though you may see more Apache webservers (because it's free, the price is unbeatable)))!
"Check the SQL exploits of both MS and My." - by Technician (215283) on Wednesday June 20, @01:12AM (#19574975)
SQLServer 2005, from SECUNIA.COM:
SQLServer 2005 runs from birth to current, with 0 security advisories (and, keeps NASDAQ running 24/7 x 365 days a year (the fabled "5 9's" of 99.999% reliability too) on Windows Server 2003 fully patched.
http://secunia.com/product/6782/?task=statistics
(I hope MySQL has zero bugs, because once I saw this on SQLServer 2005? I did not bother to check on MySQL!)
Anything else you would like verified?
APK
P.S.=> Not trying to really "bust on" anyone in the *NIX world, but that is just what I found... & I am sure people here are going to try to "soft-soap" what I found (as I did in my theories on why you find more Microsoft stuff targeted, with their OS & office suites alone, that's just fact - most used OS & Office-ware on the planet))
However, the secunia data above? Those are not "MY FINDINGS"!
They are just data from SECUNIA.COM (i.e. - A pretty respected security-oriented website) apk
-
And...?
Agreed. In fact, bugs ARE due to sloppy code, in the OS, drivers or programs. BTW, what's the difference between a bug and an error? I've always called an error a bug. Vulnerabilities are a subset of bugs.
What I am saying is that bugs are an inescapable reality.
Apple delivers updates once monthly. So does Microsoft. What's the difference?
PS: I don't need an advertising agency to tell me what is correct.
-
Re:Unfair standard?
References?
Otherwise, let me point you to secunia: Compare side-by-side Microsoft Windows XP (from October 2001) with Debian GNU/Linux 3.1 (sarge) (from June 2005).
This version of Debian had many more bugs than MS Windows, but it runs on 11 architectures, and it includes not just the core system but also more than 15000 packages (whose bugs are included in the count), totalling 229 million SLOC. And that was the previous stable version, not the current one from April 2007.
-
Re:Open Letter
It plays music and does absolutely nothing else.
sure it does!
-
Re:Help me out
No actually if you had read the link the other poster gave you, it affects 5 and 6. Now that I'm on Secunia I've got another link for ya. Total security advisories for IIS6 (3) http://secunia.com/product/1438. Impressive, but not nearly as perfect as you would like to think.
-
Re:Big Surprise
When you compare IIS 6 to the comparable Apache version (2.2), they both have the same number of advisories. Note that Apache 2.2 has an unpatched very low risk vulnerability when run on Windows. Interestingly, Apache supports more platforms yet has less bugs considering one of the three bugs only targets one operating system.
I don't question their results, although I'd suspect there are also a high number of Cpanel hosts slammed full of malware, too.
-
Re:Help me out
Has IIS had any remotely exploitable holes since version 5?
At least one in version 6:
http://secunia.com/advisories/21006/
Which is actually fairly impressive, but then again you'd really only need one remote vulnerability if you are trying to compromise completely unpatched systems.
-
Big Surprise
First, there is not nearly enough information provided by Google to come to any real conclusions.
It could be that IIS is more likely to become infected than Apache and then be used to distribute malware, or it could be that malware purveyors are more likely to host their malware on IIS. Or it could be a combination of both.
They also fail to mention what versions of IIS we're talking about, as that makes a huge difference. IIS 5.x had more holes than a cubic mile of swiss cheese. IIS 6, on the other hand, appears to be rock solid and actually has fewer vulnerabilities than Apache.
Second, the fact that Google is a direct competitor to Microsoft is an obvious reason to find their conclusions dubious, at best. They have plenty of reasons to bash Microsoft at every possible opportunity.
-
Comments from Experience
Maybe this is a browser that may be the recommended browser for your aunts and uncles when they get a new system? Who knows.
If Netscape repeats what it's done in the past, Netscape release versions will be several security release versions behind Firefox, and perhaps include a few extra security vulnerabilities as an added bonus. Right now, Netscape 8 seems to be the only browser that Secunia reports as having highly critical vulnerabilities. Let's all sit and wait to see if it's safe to use before we decide to give Netscape 9 a try.
-
Re:It's not only about the vulnerabilities...
Read up the MOAB. The MOAB project was started by security researchers who decided to release their findings publicly (and not contact Apple beforehand giving them time to fix the vulnerability before it becomes publicly known) because they got mad when Apple outright denied some existing vulnerabilities they found.
Security researchers? Do security researchers apply an exploit that crashes the visitor's browser to their website just to prove the exploit exists (commenting in the HTML source "Never use the macbook at bed again when browsing the MoAB or you will fry your balls, looper")? Maybe. Do they serve animal porn pictures to those who try to access the URLs of future reports? Hardly. Do they claim that somebody tried to hack them when that somebody reports on their actions and readers do visit their site? Errm, no. Do they try to prove that by posting logs that prove they are wrong? Hell no.
You are incorrect. Apple has a terrible track record when it comes to handling vulnerabilities when compared to the other guy.
Sure. Care to back that up? Not by quoting "security researchers", please. Why don't you start here: Secunia Vulnerability Report: Apple Macintosh OS X vs. Vulnerability Report: Microsoft Windows XP Home Edition (too bad they split up all the Windows versions).
-
Re:So what
How do you define the number of exploits? The absolute number over the years doesn't matter TODAY. If it is the number of serious unpatched exploits, Windows Vista currently has ZERO, just like OS X and Linux.
Just as you said, patches != exploits. I'll go a step further and say that patched exploits != exploits.
That you know of...
Conspiracy theories FTW!
-
Re:Why would you think that?
all with default config. Unless you count actually putting content on your site as changing its config.
Can you point out where it says those are default config? Because, you know, it doesn't. Anywhere. Even the Apache ones don't mention whether you have to have the specific module enabled or not to cause the vulnerability, so they could *all* very well be default config too.
Even given this, when you limit to Apache 2.2.x (IIS /6/ remember) you get 3 vulnerabilities. http://secunia.com/product/9633
Which has been out how long? A year? IIS 6 has been available since 2003, so instead of comparing products with two different lifespans I compared them over timescales. In four years of IIS6 there have been 3 vulnerabilities. In four years of Apache there have been 31.
The rest of your post is mainly composed of logical fallacies that lead the argument nowhere except down what-ifs and possibilities, so let's stick to the facts, shall we? There were 10 times as many public vulnerabilities found in Apache webservers as there were in IIS 6 in the last 4 years. A system that is vulnerable is vulnerable, and you've yet to provide hard evidence that any of the Apache vulnerabilities are as 'silly' as you've said.
-
Re:Why would you think that?
http://secunia.com/advisories/21006/ http://secunia.com/advisories/12801/ http://secunia.com/advisories/11563/ all with default config. Unless you count actually putting content on your site as changing its config.
The only useful metric of security is exploitations per installation time (i.e. how many installations * average time up). Unfortunately we're never going to get that data. A security advisory is a public disclosure of a vulnerability; this is going to happen more often for open source projects than closed ones for two reasons: 1) You can see the source. 2) Open source projects like Apache are community efforts, which will increase the ratio of good guys to bad guys looking at the code. A public vuln usually indicates a fixed vuln. When the vulnerabilities posted are really silly, like the one I mentioned, advisory count is an even sillier metric. How many of Apache's priv. escalations escalate you to nobody?
Even given this, when you limit to Apache 2.2.x (IIS /6/ remember) you get 3 vulnerabilities. http://secunia.com/product/9633/
-
Re:Why would you think that?
Insightful? Puh-lease.
Well the MS ones are along the lines of: the default config is vulnerable (with one arbitrary code execution), and the Apache ones are more like: if the config is really weird and the moon is just right you might be able to DOS it.
Only one of those MS vulnerabilities results in arbitrary code execution. 4 Apache vulnerabilities do.
Only one of those MS vulnerabilities can result in a DoS attack. 17 Apache vulnerabilities do.
Also, you're getting information that I don't have, because none of those listed vulnerabilities are specifically noted by Secunia to be in the default configuration. Have you got a link that I can read where that information is noted?
Also of course, fewer advisories doesn't mean less secure
Can I have your more useful metric, then? Because as far as I'm concerned, a big-ass list of all the vulnerabilities in a piece of software is a pretty good indication of how secure it is.
Hell, one of the Apache vulnerabilities is that a local admin user can get information about the request headers sent to the server.
That argument is particularly non-cogent - there's another 30 vulnerabilities to pick out here. One starts a DoS and is pretty trivial to set off.
-
Re:Why would you think that?
IIS 6 has had only 3 vulnerabilities found since its release in 2003: Look here.
Apache 2.0.x has had 31 vulnerabilities in the same time period: Here.
What were you saying again?