Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:fundamentally flawed
"The problem with windows security is primarily one of legacy support."
Nonsense, backward compatibility should not break security. Windows was sold as suitable for secure use in a networked environment. It was even given C2 security certification. The problem is the WinNT memory management unit running under the x86 processor. Something that was first tackled under Linux with Exec Shield. The Windows version called NX can be bypassed as otherwise JIT bytecode won't work.
"inter-process communication was flawed lacking any authentication method, kernel / userland separation was virtually nonexistent,"
Wait a minute, WinNT was touted as being more secure because of its use of operating modes. Ring 0 had full access while user apps were restricted to Ring 3, the highest restriction. At least that was the theory.
"these issues persisted right up till XP when microsoft started to take security seriously with SP2."
Er, they still persist. See here, much of this code is included in Windows Server 2003 and will be included in Longhorn.
"Microsoft just like the rest of us is new to the whole OS design thing."
When Microsoft hired on the Digital VAX/VMS team they had an opportunity to design a secure OS. Most of the defects in the OS can be traced to management decisions to favor features over security. Embedding Internet Explorer in the OS was one such decision.
"What needs to be done is .. implement a version of windows that incorporates everything we've learned over the last 20 years or so"
If by "We" you mean Microsoft, "We" haven't learned anything since 1988, 18 years ago. Why wait, why not upgrade to SuSE, all the eye candy of Vista without the security vulnerabilities.
I see a lot of this kind of revisionist history on the Internet and in the media. Is there a whole department that does nothing all day but pollute the atmosphere with self-serving distortions such as this? How anyone can say this with a straight face is beyond me.
'the security kernel of the Windows NT server software was written before the Internet, and the Windows Server 2003 software was written before buffer overflows became a frequent target of recent attacks'
David Aucsmith, Security Architect, Microsoft. -
Re:Good Luck
"Notice that it does not say 'has zero exploits'."
Do not put words in my mouth. I never said that IIS6 had no vulnerabilities. I said it had no critical vulnerabilities. The highest rated vulnerability listed on that secunia page is listed as moderately critical - It only poses a DoS threat. By critical, I simply meant none that could lead to the server being compromised. I actually clarified that point waaaaaaay back in this post, but apparently you missed it. You missing things seems to be a common theme.
"Why not trying out others security experts websites? I'll bet you'll find that IIS is affected by other exploits as well. Gee, didn't I say this to begin with?"
Secunia is a pretty well respected resource in the security community. Are you saying there are other known vulnerabilities for IIS6 that secunia doesn't have listed? If so how many do you think they are missing for Apache 1.x and Apache 2.x. I hope not many as both versions of Apache have had quite a few more vulnerabilities (two of them "critical" by my definition) discovered than IIS6 in the last three years.
Yes, you attempted to find other vulnerabilities, but you failed: all you found was a fake vulnerability, and a few that were not actually IIS6 vulnerabilities. Yes, you found some vulnerabilities that could be exploited via IIS6 (like the Exchange one), but the fact remains that they were not native components of IIS6 - just like php/mysql are not native components of Apache. -
Re:Good Luck
You are confusing me now. You say that I live in a 'fantasy world'. That would imply that I've said and believe something that is not true. What have I said that is untrue? My main point has been that IIS6 has never had any serious vulnerabilities since it was released. Is secunia living in a fantasy world too?
-
Microsoft Has Improved
I accidentally posted this for the wrong article so I'll probably get flamed and modded down for it, but here it is again.
At one time, IIS 5 looked hopeless. It was completely riddled with security holes and was basically the joke of the industry. People who used it did so with either ignorance or extreme caution.
Microsoft realized they needed to fix this but it took Code Red and various other major worms that took advantage of IIS to really kick the company into gear.
What was the result of this? IIS 6. IIS 6 is an excellent web server and is one of the most secure web servers you can use. It's certainly the most secure application server you can use. It's had a total of 2 vulnerabilities since its release about 4 years ago. (See: http://secunia.com/product/1438/ [secunia.com]) Add to that the fact that IIS 6 is extremely performant, easily configurable and maintainable, and is very robust, you have to conclude that Microsoft improved. A great deal in fact.
I see the work on Windows Vista and IE 7 being very similar in nature to the work done on IIS. They've completely revamped their development methodologies to focus on security.
IE 7+ (the one that comes with Vista) has a feature that essentially runs the browser as a very low privs user. Any operations that need high privs (such as writing to the user's desktop or other directories) are done by a broker. This broker has only a few thousand lines of code (and is therefore FAR easier to audit for security issues) and runs with the privs of the current user. This is actually fairly innovative and will undoubtedly make it far more difficult to exploit any holes in IE.
Obviously we'll have to wait and see if Microsoft has done with Vista and IE what they did with IIS, but it's hard to deny that Microsoft has proven they can take a product people view as a hopeless security mess and turn it into one of the most secure products on the market. -
Re:how??
Unsanitised input. POST (submitting forms, uploading files via your browser) or GET (normal webpage viewing) requests are ways in which you as the visitor or user of a website send and receive data to and from that website. Sometimes, web applications (programs running on the server side) return this data back to your browser, for example when validating forms you may see messages such as " is an invalid name".
When this data hasn't been properly filtered or validated somebody can trick you to visit a specific URL which contains malicious embedded HTML or Javascript. When the vulnerable web application returns this injected data back to the user's browser it looks like it's coming from the source. Because the malicious party has introduced their exploit through YOU the secure channel between you and the vulnerable application (in this case Paypal) has never been compromised.
Injected javascript, for example, to hook into the credit card entry box and some XMLHttpRequest calls to submit that data to a 3rd party where it is logged is one possibility.
In short, don't click links from untrusted websites going to websites like Paypal, or if you do check the URL very carefully. Oh and don't use Internet Explorer, thanks to this little vulnerability it looks like open season on your private information. -
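The reflected-input problem described in the comment above, as an added example that is not part of the original post or of any real site: the "is an invalid name" message rendered once by echoing the submitted value verbatim and once with HTML escaping, plus a check that tells the two responses apart. The URL, the `name` parameter and the tag inside it are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed GET request: a link someone could be tricked into visiting.
# The "name" value carries markup instead of a name.
CONSTRUCTED_URL = "https://example.invalid/signup?name=%3Cscript%3Emalicious()%3C%2Fscript%3E"


def name_from_url(url: str) -> str:
    """Extract the (URL-decoded) 'name' query parameter, as the server would."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(name: str) -> str:
    """Reflects the submitted value verbatim into the page.

    Any markup in the value becomes part of the HTML the browser parses,
    so the response appears to come from the site while carrying the
    visitor-supplied script.
    """
    return f'<p class="error">"{name}" is an invalid name</p>'


def render_hardened(name: str) -> str:
    """Same message, but the value is escaped for an HTML text context.

    html.escape turns <, >, &, " and ' into entities, so the browser shows
    the characters as text instead of treating them as tags or attributes.
    """
    return f'<p class="error">"{html.escape(name, quote=True)}" is an invalid name</p>'


def reflects_markup(page: str, submitted: str) -> bool:
    """Defender-side check: does the response echo the raw tag unchanged?

    True means the submitted angle brackets survived into the page and the
    output-encoding step is missing for this field.
    """
    return "<" in submitted and submitted in page


if __name__ == "__main__":
    value = name_from_url(CONSTRUCTED_URL)
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(value), value))
    print("hardened reflects markup:  ", reflects_markup(render_hardened(value), value))
    print(render_hardened(value))
```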
Re:WxP Pro
I will admit I have done limited research on secunia.com, but it looks as though the Linux kernel has at least one vulnerability every month or two. I know these range from being critical to non-critical, but they are vulnerabilities nonetheless. To keep your Linux system patched and up-to-date, should it still require a reboot every so often then?
http://secunia.com/product/2719/ shows 24 for 2006. If you were running a linux machine with no local non-trusted users (ie. only admins actually log into the machine) that didn't use SCTP or NAT then none of them matter - so there would be no need to have rebooted yet. -
Re:The Security Concerns
My, that is a lot of security issues. Don't know why anyone would use a product with that many advisories.
http://secunia.com/graph/?type=adv&period=all&prod=763 -
Re:AVG Camp
Secunia has eight listed vulnerabilities, including three of Moderately or Highly Critical status in the last three years or so for ZoneLabs products (mostly parts that are included in ZoneAlarm), and I'm fairly certain that they're missing one or two. It is, of course, better than nothing, but it has lost at least my trust.
BTW, if you want to test for the BSOD issue that I mentioned, the easiest way is to install a program when the firewall is in learning mode (particularly one that gets files online, like Yahoo Instant Messenger) and click the Approve button as quickly as it appears (and it will appear a lot if you don't allow it to set rules). The solution is to wait for about a second before clicking (hence my suspicion that it's a race condition), but that delay wasn't always stored in my muscle memory. :) -
I use Officescan; backdoor was patched 3 yrs ago
Uhm yeah it took me all of two minutes to disable it on my box at work, even though it was locked down. The fact that TrendMicro put a backdoor (a default password for when you forget the real one) in it helped quite a bit.
The windows boxes I administer are protected by an old version of Officescan (from three or so years ago, with renewed support, of course). Disabling the protection isn't really an issue with me as long as it's hard to do unless you know what you're doing (in which case you should be entitled to it anyway, imho).
Looks like the backdoor you are referencing is three years old: Secunia Advisory 7881. That said, vulnerabilities like this tend to get fixed quickly. The 2003 advisory linked above mentions that up-to-date versions at the time were already immune to these problems.
-
Re:extortion?
Actually, people complain more about things like this (unfixed, reported more than 3 years ago). Or when there are exploits out in the wild, and Microsoft says they won't release a fix until their monthly patchday.
-
IIS is MORE secure than Apache
"This is part of the explanation for the number of IIS viruses being greater than the number of Apache viruses, even though Apache has a significantly larger market share."
IIS6 has a significantly better security record than does Apache2.
Apache2's vulnerabilities 2003-2006
IIS6's vulnerabilities 2003-2006 -
Amount of user interaction
All you need is to get someone to type an administrator password and you can replace or modify vital system files: Software Update does it all the time. Even easier than that, if there's another bug lurking that bypasses sudo authentication or allows privilege escalation.
(Follow that second link and get a chuckle. The vulnerability is in an antivirus program). -
Re:Just a minor revision
So, that removes security as a reason for using Firefox. Speed never was a reason, and it certainly isn't efficient memory usage. That leaves what, exactly, as a reason for using Firefox over Opera, or even IE7? That it's open source? That's a pretty lousy reason.
Sigh. Ever think that it's the unfixed holes that make the difference?
IE: http://secunia.com/product/11/
Firefox: http://secunia.com/product/4227/
I personally like how it's cross platform, strives for standards compliance, has tons of extensions, tabs, is ad free, free, and finally open source, but that's beside the point.
-
Re:Macs have never been "immune" to viruses
Actually we do. For the last few years, Apache has had a worse security record than IIS.
I call shenanigans.
Apache 2.2.x and IIS 6 have no open bugs in Secunia. But those are brand new. However:
IIS 5
Apache 2.0
For those who don't want to click, IIS5 is "Moderately Critical", and Apache 2.0 AND 1.3 are both "Less Critical". Being as these are the most popular versions of these servers... I think you're just a shill. Stop spreading FUD. -
Experts eh?
Apple's iconic status, growing market share and adoption of same microprocessors used in machines running Windows are making Macs a bigger target, some experts warn.
Sadly those "experts" could not be reached for explanation because they were out buying antivirus software for Linux and FreeBSD - cause, you know, they're both iconic, have a growing market share, and run on the same microprocessors as Windows.
"They didn't know how to deal with security, and I think Apple is in the same situation now," said Ferris, himself a Mac user.
Sure, being a minority OS does mean fewer virus writers targeting the Mac, but Mac OS X has been cool for a few years now, and I'm still waiting for those dangerous viruses. I'd say Apple knows a little something about dealing with security - certainly enough not to pawn off the responsibility to the antivirus aftermarket.
The Mac's vulnerability could also increase as Apple transitions to a product line that uses microprocessors made by Intel Corp., security experts said. With new Macs running the same processor that powers Windows-based machines, far more people will know how to exploit weaknesses in Apple machines than in the past, when they ran on the PowerPC chips made by IBM Corp. and Motorola Corp. spinoff Freescale Semiconductor Inc.
Who are these security experts, and do they work weddings and bar-mitzvahs too? Since when did familiarity with a microprocessor lead to intimacy with an operating system? There's so much I still don't know about BeOS and I've written assembly on PowerPC and x86. The vulnerabilities described in the article may be found here. For the most part, it looks like flaws in the way Safari and Preview handle GIFs, TIFFs, BMPs, and bad ZIPs can cause an application crash, and *possibly* allow code execution (even via certain malformed HTML tags). I've had corrupt graphics files and zip archives crash Preview and Safari in the past, but never any virus-like behavior. Still, it's a good thing to note, but the reporting could have been much better.
-
Gosh, it does sound like MS.
Ouch. The description from secunia does sound like MS fumbles (mostly vulnerabilities in the way Safari handles multimedia files).
However, what sounds most MS-like was this:
Apple plans to patch the holes reported by Ferris in the next automatic update of Mac OS X, and there have been no reports of them being exploited, spokeswoman Natalie Kerris said. She disagreed that the vulnerabilities make it possible for a criminal to run code on a targeted machine.
Thanks Natalie, we'll take your word on it. -
IIS is more secure than Apache
"By your reasoning, hackers would concentrate on Apache instead of IIS because it runs more servers. Wrong, they still attack IIS more. Likewise, hackers will focus on IE because it has more known unpatched vulnerabilities than other browsers."
Your argument might hold water if IIS were less secure than Apache, but IIS is more secure than Apache, and it's not even close, as these secunia reports show:
Secunia - Vulnerability Report - Apache 2.0.x
Secunia - Vulnerability Report - Microsoft Internet Information Services (IIS) 6
And your incorrect argument is brought up at least every week on slashdot (Apache is used more, but IIS is attacked more because it has more holes!), it's corrected almost every week by one of the respondents, yet it's *always* moderated as "Insightful". Mods, just because a piece of thought is part of the slashdot groupthink doesn't mean that it's insightful. Like many pieces of doctrine, it just might be totally wrong! -
Re:Please, please don't!
Because MS writes sloppy code and then says that they are secure.
That might have been the case in the past, but it is not true whatsoever with IIS 6. -
Re:secure is not the same as using SSL
yep you only have to look at the vulnerability count to see which is more secure.... oooh you mean apache is more secure even though IIS6 has a better security record than apache? please enlighten me!
apache http://secunia.com/product/73/
IIS http://secunia/
hell even the mod_ssl package for apache has had more vulnerabilities than IIS6 without including the apache ones. -
Re:Just now?
With IIS's myriad of security issues
Frankly, this kind of crap needs to stop.
Over the past three years, IIS 6 has had a grand total of 2 vulnerabilities - neither one being particularly severe. If you can point out more, I'd like to hear it.
Microsoft has a lot of problems with security, but IIS 6 isn't one of them. IIS 6 has proven to be a very secure webserver. -
Re:Just now?
You should probably check your facts first. IIS is a lot more secure than Apache.
IIS 6: 2 exploits, all patched
Apache 2.0: 28 exploits, 3 unpatched
I bet I get modded down for posting these two links.
-
Re:Just now?
IIS: http://secunia.com/product/1438/
Apache: http://secunia.com/product/72/
What were you saying again? -
Re:"Fixes some security issues"?
"I'm very happy having the application feature of "less security bugs than the competition!"."
Really? -
Re:"Fixes some security issues"?
Where are you getting 21?
Here. -
All I See Is This
Removed window.open(url, 'window')
From http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/
Because Script-based Popup
in the atguard event log. -
Re:Bug fixed in IE7b2
"The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected."
http://secunia.com/advisories/19521/ -
Re:IE versions
At the Win2K tech info tour, M$ handed out an IE5 CD that they told us was the Win2K team's internal version, rewhacked to suit themselves. The exact version number is 5.00.2314.1003c. It seems to lack a lot of the problems and vulnerabilities seen in other versions.
At any rate, I just tested it, and it did display the correct address, tho it couldn't see any of the web page itself other than a whopping big "SECUNIA" banner.
I also tested Netscape 3.04 and Mozilla 1.5, and neither was vulnerable. NS3 did briefly show google.com in the address bar, but corrected itself before displaying the actual page. Then both showed the explanation:
==============
Your browser is vulnerable if the Address Bar displays "http://www.google.com/".
Please note. This could easily have been a page looking like the genuine "Google" web site (or any other web site) asking for your login credentials, credit card details, etc.
This is only limited by the imagination of the attacker (phisher).
==================
which is the part that IE5 couldn't see.
http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/ crashed Netscape 4.5 outright (that's typically caused by bad javascript), so I couldn't test it. -
Re:It's time....
The simple fact is, Apache vs IIS does prove the simple argument that the ratio of users to exploits is higher relative to other competitors doesn't work.
No, it doesn't! This crap argument is made on Slashdot all the time, but it is wrong for one very simple reason: IIS 6 has fewer security vulnerabilities than Apache2!
IIS 6.0 Vulnerabilities
Apache 2.x Vulnerabilities
Apache has 28 advisories since 2003, including 2 that have no current resolution.
IIS 6.0 has 2 advisories since 2003, all of which have been fixed.
Your argument works because Slashdot users assume that Apache is more secure than IIS. This is not necessarily the case - IIS 6 is a very secure web server by default, as is Apache. -
Re:Newsworthy?
Gosh. I'm glad you told me this. Now I'll know better and ignore all those warnings about extremely critical vulnerabilities in Internet Explorer from Secunia I keep seeing.
-
Re:In other news...
See also Secunia's alert. There is a reference there to the finder's website.
Not a good week for MS IE, eh?
-
People value their time
Ballmer says this like three or four times. Geez Steve, save me some time and say it once. Oh, and if that is your first reason, you can't use it as your second reason, too.
"people value [...] the compatibility our stuff has with itself"
Okay, but it's not compatible with anything else. And that's a problem.
What does "da-deet" mean? Pick a real language and use that, Steve!
I'm glad that MicroSoft acts responsibly, stands behind its products, and patches its products in a timely fashion.
Not like some free software, eh? Look at that - sendmail has an unpatched bug where it does not log some mail!
"You mention intellectual", but I do not think it means what you think it means.
On a lot of these interviews, I think they could really use a better spokesperson than Ballmer. This guy might do better. Rant over for the moment.
-
Compare and contrast
IE 6: only 1 month in the last 3 years when it hasn't had an unpatched vulnerability; 15% of holes "extremely" critical; 30% give system access; currently 4 unpatched holes.
Mozilla 1.0: no unpatched vulnerabilities about half the time; 4% of holes "extremely" critical; 20% give system access; currently 0 unpatched holes.
I know which I'd rather use. -
First in two years
Oddly, this is the first security fix I can remember for Sendmail in about two years. Just to check my memory, I looked at Secunia's report and they only list 5 vulnerabilities since January 2003.
2 in March 2003
1 in August 2003
1 in September 2003
1 in March 2006
2.5 years between vulnerabilities? Not too shabby, IMHO.
There is, however, one unpatched vulnerability, though the worst it can do is hide details from the log. -
Re:What? Another one?
qmail has vulnerabilities. DJB just refuses to acknowledge them.
http://www.jcb-sc.com/qmail/guninski.html
http://secunia.com/advisories/10649/
http://secunia.com/advisories/15533/
http://www.frsirt.com/english/advisories/2005/0490
http://www.frsirt.com/english/product/3207
http://www.saintcorporation.com/cgi-bin/demo_full_tut.pl?tutorial_name=Qmail_vulnerabilities.html&fact_color=doc&tag= -
SCAMP : Dogfood or Dogshit?
Darl can't even eat his own dogfood
...
http://www.sco.com was running Apache on Linux when last queried at 9-Mar-2006 20:57:45 GMT
Worse still ...
http://www.edgeclickpark.com was running Apache on Windows 2000 when last queried at 14-Mar-2006 14:43:14 GMT
Microsoft Windows 2000 Server with all vendor patches installed and all vendor workarounds applied, is currently affected by 21 Secunia advisories some of which are rated Highly critical.