Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Not secure at all.
GrBear (63712): Nice illusion of security....wonder how many people will fall for it.
- How many corporations continue to run MS IIS to drive their corporate websites?
- How many people continue to run IE?
- How many people continue to run Windows and download the latest spyware infected software because it's trendy, even after they've had their computers infected countless times?
You're right, security is an illusion, and some people prefer to turn a blind eye rather than look at the root cause.
IIS 6 (3 advisories) http://secunia.com/product/1438/
IIS 5 (11 advisories) http://secunia.com/product/39/
IIS 4 (6 advisories) http://secunia.com/product/38/
Apache 2 (24 advisories) http://secunia.com/product/73/
Apache 1.3 (15 advisories) http://secunia.com/product/72/
Apache - 29 Advisories
IIS - 20 Advisories
Did I miss something? -
Meanwhile in M$FT land
Yet another critical IE vuln in the wild. What the hell are these guys up to? Go and give them hell and maybe they'll release a patch faster.
-
Re:one thing to say
I stand corrected, you are right, a properly implemented IIS solution includes a reverse apache proxy server running linux or solaris IN FRONT of the IIS machine..
You seemed so sure of your facts that I assumed you checked some vulnerabilities database before posting to slashdot - you wouldn't want to look silly, now would you? But it looks like you didn't have enough time. Let me help you with our argument: (quotes from Secunia):
Apache 2.0:
Apache 2.0.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical.
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 2 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database.
IIS 6.0:
The Secunia database currently contains 0 Secunia advisories marked as "Unpatched", which affects Microsoft Internet Information Services (IIS) 6.
This is based on the most severe Secunia advisory, which is marked as "Unpatched" in the Secunia database. Go to Unpatched/Patched list below for details.
Currently, 0 out of 3 Secunia advisories, is marked as "Unpatched" in the Secunia database.
So, to spell it out for you, until now IIS 6 had a total of 3 advisories, all patched, while Apache 2.0 had 24, of which at the moment of writing 2 are still unpatched.
Do you stand corrected now? -
Didn't get me.
Thanks to QuickTabPrefToggle, I see the actual URL of http://www.google.com.secunia.com/tests/origin_spoof.php
Also, middle-clicking for a new tab (which is how I almost always surf) bypasses the attack altogether. -
Re:Lets see....
Opera 8.01 was officially released June 16 (still only a few days ago).
http://operawatch.blogspot.com/2005/06/opera-801-final-released.html:
Opera has released their first update to Opera 8 for Windows and Unix/Linux.
The upgrade, Opera 8.01, contains mainly security and bug fixes. In addition, Opera has also made many improvements to its handling of JavaScript.
Secunia released today 3 security advisories for Opera 8, all of which have security fixes in this new version. Apparently, Secunia delayed these security advisories to give Opera some time to respond.
Opera has also introduced Browser JavaScript, a JavaScript file that automatically fixes incompatible Web pages, out of date scripts, and pages that inadvertently block Opera. The script file is distributed by Opera (the company). Opera checks for updates to Browser JavaScript once every week. The feature is disabled by default, as it's not ready for prime time yet. Some performance issues still need to be worked out before it becomes a standard feature in a future release.
Note to Blogger users, Blogger now works with Opera 8.01. -
Re:Not a problem with OS X (Aqua)
You obviously didn't try the demo in the Secunia advisory. Javascript dialogs in Safari 2.0 appear as popup windows, not sheets. HTTP authentication dialogs *do* appear as sheets in Safari, but those are a different beast.
And even javascript sheets don't save you, since technically that browser window did open the dialog (through a redirection through a malicious site and a pause, before sending you to the real site), even if the dialog appeared as a sheet, it would be attached to the trusted site's browser window-- which is even worse, IMO, since then they'd look like legit authentication requests.
-
Re:Lets see....
This problem was announced several days ago (21st) - though not mentioned on /. until the 22nd and only indirectly. It could have been that Opera (and other browser developers) were informed before Secunia released the warning, and they fixed it during the release of 8.01. However, since the "fix" is only to indicate the name of the site launching the pop-up, this may have been a preventative measure included independently to prevent problems similar to the previous vulnerability.
-
Safari notes an Unsafe JavaScript attempt
When I run the test, I get this in my JS Log: Unsafe JavaScript attempt to access frame with URL http://www.google.com/ from frame with URL http://www.google.com.secunia.com/tests/origin_spoof.php. Domains must match. -
Interesting stats
-
Odd
If Secunia is reporting it, why not link directly to Secunia?
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test
I've never understood the reason to link to ZDnet first. Especially when we are all a technical crowd and can deduce the severity on our own.
In my own opinion, the security community has been really scrambling to find exploits and vulnerabilities since the release of Windows XP SP2, which, despite a lot of compatibility issues with common software, has been very effective in slowing down the growth of zombie networks. In short, Microsoft finally got something right, and those that are in IT security for the sole reason of bashing MS to make a buck, are having a hard time doing so.
This is a phishing technique that can be used to get a username/password from like a credit card or bank website, but that's about it. You'd be hard pressed to get this to compromise a local machine, although I'm interested in what would happen if someone tried calling a local zone page (like a help file) and then executing the javascript from that page. There was a similar exploit that used this delayed tactic last year that Microsoft didn't fix for probably 3 months. It was a 0-day exploit too, it was found in the wild, spreading via IRC, before anyone reported the vulnerability. -
Re:Dupe, or just not fixed yet?
"Isn't this a dupe from half a year ago?"
These things have a way of creeping back up on us.
The frame injection vulnerability seems to have reemerged as well.
Deer Park is vulnerable, as is Firefox & Mozilla. Eeeeeek! -
Re:Ludicrous?
This implies that you are not a security person. If your main argument is "oh it's patched, it's secure", you have done a day of security in your life.
There are two kinds of insecure. The first, insecure and everyone knows it, is Windows. That's bad. The second is statistically insecure, which is the state of most software today. Very few systems actually go to the level of rigor provided by OpenBSD which allows them to make bold claims about security.
And even then, they mess up.
Some of us want stable, non-changing software for long periods of time. You know, so I don't have to go through updating foo-OS every week because my vendor can't get his shit together.
Well yeah, that'd be great, I'm sure. But you're tragically misinformed if you think this will ever be the case. The state of software engineering, and by extension security techniques, is constantly changing. In software, you update until you're obsolete. If you don't like that, don't use software.
Indeed, patching something does make it secure after the fact, but it doesn't help with it being secure in the first place. Apple needs to sit down, hire some GOOD programmers, and comb through their code.
Bugs have slipped through, and they will continue to slip through. This is a problem endemic to the industry, and Free Software is no exception. Please do not blame Apple. If you must blame someone, blame the Apple Fanboys who preach absolute security, because they're creating unfair expectations. So far, OS X has a good track record as a desktop OS. As a server OS, I wouldn't go that far.
Maybe the quicktime heap overwrite from last year, that Apple refused to give attention to.
You mean the qts file heap overflow?. The one blown totally out of proportion because successful remote code execution was extremely difficult?
How about the MP3Concept spoof thing floating around early last year? The one apple failed to acknowledge?
You mean the one Secunia rated at "Very Low Risk"? because it was trumped up by the mac antivirus community? The one that doesn't work properly if you have "show file extensions" on? The one that Apple publicly acknowledged?
Both of these allow me to get access to the computer from somewhere other than in front of it. Especially with some social engineering.
Yeah, too bad they don't work anymore.
Bullshit. Gentoo, Debian, Linux and Freebsd had no vulnerabilities as absurd as "at not dropping root privileges" in years, Apple did it in Jan. In 1994, it would have been ok to let that slip by, but not any more. Solaris is a different matter..they can't seem to keep their "passwd" utility safe no matter what they do.
Because things like Gentoo, Debian and Redhat get special poster-child treatment. They cheerfully call people when their integrated apps have holes. But, when someone points out that many standard linux applications have holes in them, they claim it's "not part of the distribution."
I go to osvdb, search Apple, OSX and check "remote". I see 56. I don't know what you're smoking. Hell, I see 18 this year alone, and it's only June!
I was talking about on the front page. Yes, Apple has had remote exploits. As I said, in general their track record on patching them has been at least as good as any other commercial vendor. A heck of a lot better than some. They are not the paragon of security, and as they move to intel machines (which, architecturally, are easier to exploit and better understood by the crowd who writes exploits) t
-
Opera new release
Given Opera's security record, it is odd that they would want to spoof a less secure browser.
News note: Opera has recently announced a security patch to bring Opera to 8.01. This was to fix three holes (A, B, C) announced at the time, as well as one announced later.
The Macintosh version 8.0 has also been recently released, so that they can enjoy modern Opera as well.
-
Re:This is exactly why I LIKE Linux.
The more I think about it, the more I think this is exactly why I _LIKE_ Linux.
As Linus said: "Perfection is the enemy of good"
Well, good for you. Now you head off to Secunia and do a search for "Linux kernel".
Linux Kernel "ptrace()" and "mmap()" Vulnerabilities 2005-06-09
Linux Kernel Hyper-Threading Support Information Disclosure 2005-05-23
Linux Kernel pktcdvd and raw device Block Device Vulnerabilities 2005-05-17
Linux Kernel ELF Core Dump Privilege Escalation Vulnerability 2005-05-12
Linux Kernel Local Denial of Service Vulnerabilities 2005-05-02
Linux Kernel "is_hugepage_only_range()" Denial of Service 2005-04-04
Linux Kernel Multiple Vulnerabilities 2005-03-29
Linux Kernel Two Vulnerabilities 2005-03-18
Linux Kernel PPP Server Denial of Service Vulnerability 2005-03-16
Linux Kernel "sys_epoll_wait()" Function Integer Overflow 2005-03-15
Linux Kernel Multiple Vulnerabilities 2005-02-16
Linux Kernel Memory Disclosure and Privilege Escalation 2005-02-15
Linux Kernel NTFS Unspecified Denial of Service 2005-02-07
Linux Kernel Page Fault Handler Privilege Escalation 2005-01-13
Linux Kernel Multiple Vulnerabilities 2005-01-11
All these, just this year...
Then you go and do a search for OpenBSD, or any BSD. See how well the reality of vulnerabilities stacks up against good programming practices you're being so quick to dismiss as "an example of how to code in CS class."
In fact, better education for some Linux programmers does not seem to be such a bad idea...I've even seen a presentation by an IBM kernel guy saying the philosophy was "code fast, release early, bugs will get fixed by 'the many eyes'". To me, that's just a lazy engineer. In college, at least, you have to work hard to understand the algebraic specification of a data structure, or to formally check an algorithm...In the "real world", code monkeys break it, and security guys fix it, but not by a pro-active stance, like OpenBSD. It's called creating a problem and selling a solution.
As for Windows, they're pouring billions in security, and they've hired some of the best brains in the industry.
In Linus lalaland, we have security problems and hype, but that's generally regarded as OK, and everything, just everything Torvalds says is taken to be correct.
-
Re:OSX on generic Intel HW
Mac OS was designed with security in mind
Whew! I sure am glad I didn't get this from my network admin this morning:
TITLE:
Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA15481
VERIFY ADVISORY:
http://secunia.com/advisories/15481/
CRITICAL:
Highly critical
IMPACT:
Unknown, Security Bypass, Exposure of system information, Exposure of
sensitive information, Privilege escalation, DoS, System access -
Re:What's not to get?
PHP is unique. It has highly advanced rooting and worm features.
-
Re:Anti-Virus
Try http://secunia.com/product// and look for MS Internet Explorer. Actually, here is the direct link to IE 6.x exploits: http://secunia.com/product/11/ (IE Exploits)
-
Ok...
Who the hell titles these articles? Lower rights and Lower permissions mean completely different things...
If MS is adding support for IDN, I'm really going to stick with Mozilla. Does anyone remember the IDN spoofing exploit from Firefox on February 7, 2005? http://secunia.com/multiple_browsers_idn_spoofing_test/
Let's hope MS caps this hole before it happens. Unfortunately, MS has a reputation for adding bugs along with new features. -
Re:Old news.
"I can think of a few times it would be great if one website could help someone fill out another websites forms"..."If someone really wants to do that, they should attain permission and do it via GET or POST vars, or some serverside communication."
Essentially you can do this already using 3rd party cookies (setting domain=TheOtherSite.com). Of course most savvy Firefox, Opera (and maybe Safari?) users block or whitelist 3rd party cookies due to ads and trackers.
At the moment this 9 month old, and as of yet unpatched, oversight in Firefox/Mozilla let's webmasters pass their own website cookies to any domain (maybe coordinated with advertisers) in the same TLD anyway though.
Has anyone else noticed Firefox 1.x now has 28% to IE's 31% of unpatched vulnerabilities? -
Re:Affects IE, Firefox, Opera
-
Re:Opera is looking Good
Well, yes. Opera really looks good. Take a look for yourself. :-)
Seriously, the problem is that this was (supposed to be) killed in a previous version of the Gecko browsers. It should not have revived itself.
The following browsers are not affected:
* Mozilla Firefox 0.9 and later
* Mozilla 1.7
* Opera 7.52
* Netscape 7.2
* Camino 0.8 (build 2004062308)
Source: Secunia
At least in Opera, dead bugs stay dead.
-
Re:Does it work?
Very strange! Maybe only some versions are vulnerable? According to secunia, Firefox 1.x is vulnerable (http://secunia.com/advisories/15601/). Maybe it's OS? I'm running on Windows XP SP 2. Maybe it's a FF setting? I can't recall having modified the default settings.
-
Mozilla/Firefox not the only ones...
I tried this in Internet Explorer 6 on a fully-patched Windows XP SP2 machine and get the same result. No idea why Secunia would single out Firefox/Mozilla on this one... Try it yourself
-
Re:Does it work?
Here's how I got it to work. From http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/
0. First, close any MSDN windows you might have left open.
1. Right click on the msdn link, choose "Open Link in New Window"
2. Leave the new window open, and click back to the secunia example page.
3. Click the "Inject Secunia.com into Microsoft.com" link.
4. Look at the new window that opened in #1.
Not good. Using FF 1.04. -
Re:Old news.
The problem lies in Mozilla naming frames globally and not one name set per tab.
If a site in one window has a frameset with "banner" "sidebar" and "main", another window can access that frameset.
A link in that other window with attribute target="main" will replace the content of a frame in another window.
That has nothing to do with being able to create a frameset with contents from heterogeneous locations.
Look at secunia test !
Interesting (somewhat edited) parts are :
from secunia :
<a href="(msdn)" target="_blank"> (opens a new window with msdn frameset in it)
from msdn frameset :
[...]
<FRAME name="fraRightFrame" src="(enter_your_credit_card_number)">
[...]
from secunia :
<a href="(thanks_for_your_card_number)" target="fraRightFrame"> -
Affects IE, Firefox, Opera
If you had bothered to read the linked demo page you would know that the bug is present in IE and Opera as well.
I just tried it in IE6 (Win2K) and it works just the same as Firefox.
The only problem is that this feature (affecting the frames of one window from another) is actually used a lot, for example when pop-ups are involved. I know of at least one banking application which will break if they flat out disallow changing one frame from within another.
A better solution would be to only allow it for frames sharing the same domain, I suppose.
-
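The two posts above describe the frame-injection bug (frame names resolved globally across windows) and the proposed fix (only honour a cross-window target when the domains match). The following is an added example, not code from the Secunia test page or from any browser: a small model of target-name resolution with the vulnerable global lookup beside the same-origin-scoped lookup. The window, frame and URL data is constructed sample input; the Secunia/MSDN names mirror the thread, the bank pop-up case mirrors the banking-application concern raised above.

```javascript
// Added example (not from the Secunia test page or any browser's source):
// models how a link's target="name" is resolved across browser windows.
// "global" = the behaviour the thread describes (first frame anywhere with that
// name wins); "scoped" = the same-domain rule proposed above: a frame in another
// window is a valid target only if the linking document's origin equals that
// frame's document origin, otherwise the name is treated as unknown and the link
// opens in a new window. All window/frame data below is constructed.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// A window is modelled as { id, origin, frames: [{ name, origin }] }.
function makeWindow(id, url, frames) {
  return {
    id,
    origin: originOf(url),
    frames: frames.map(([name, frameUrl]) => ({ name, origin: originOf(frameUrl) })),
  };
}

const NEW_WINDOW = { windowId: null, frame: null, action: "open-new-window" };

// Vulnerable resolution: names are global, so any page can re-target a frame
// in any other window regardless of which site owns that window.
function resolveTargetGlobal(windows, targetName) {
  for (const w of windows) {
    const f = w.frames.find((fr) => fr.name === targetName);
    if (f) return { windowId: w.id, frame: f.name, action: "navigate" };
  }
  return NEW_WINDOW;
}

// Hardened resolution: the linking window's own frames are searched first; a
// frame in another window only matches when the origins are equal.
function resolveTargetScoped(windows, sourceWindowId, sourceOrigin, targetName) {
  const self = windows.find((w) => w.id === sourceWindowId);
  const own = self ? self.frames.find((fr) => fr.name === targetName) : undefined;
  if (own) return { windowId: self.id, frame: own.name, action: "navigate" };
  for (const w of windows) {
    if (w.id === sourceWindowId) continue;
    const f = w.frames.find((fr) => fr.name === targetName);
    if (f && f.origin === sourceOrigin) {
      return { windowId: w.id, frame: f.name, action: "navigate" };
    }
    // A cross-origin name match is deliberately ignored: treating it as unknown
    // is what stops a third-party page from writing into another site's frame.
  }
  return NEW_WINDOW;
}

// Constructed scenario mirroring the thread: the Secunia test page has opened an
// MSDN frameset whose right-hand frame is named "fraRightFrame"; separately, a
// bank's main window has a frame "main" and a same-origin pop-up targets it.
function sampleWindows() {
  return [
    makeWindow("secunia", "http://secunia.com/test/", []),
    makeWindow("msdn", "http://msdn.microsoft.com/", [
      ["fraLeftFrame", "http://msdn.microsoft.com/nav"],
      ["fraRightFrame", "http://msdn.microsoft.com/content"],
    ]),
    makeWindow("bank-main", "https://bank.example/", [["main", "https://bank.example/app"]]),
    makeWindow("bank-popup", "https://bank.example/popup", []),
  ];
}

function demo() {
  const windows = sampleWindows();
  return {
    // Third-party page targeting a frame inside the MSDN window.
    injectionGlobal: resolveTargetGlobal(windows, "fraRightFrame"),
    injectionScoped: resolveTargetScoped(windows, "secunia", "http://secunia.com", "fraRightFrame"),
    // Legitimate same-origin pop-up updating the bank's main frame.
    bankPopupScoped: resolveTargetScoped(windows, "bank-popup", "https://bank.example", "main"),
    // Unknown name: the scoped policy falls back to a fresh window.
    unknownScoped: resolveTargetScoped(windows, "secunia", "http://secunia.com", "nosuchframe"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```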
Re:So secure
IE has the same flaw also, so parent should not be moderated as funny, but as informative.
http://secunia.com/advisories/11966/ -
IE has this vulnerability
See here.
The bug in IE was reported almost a year ago, and it is still unpatched.
The bug was reported in all major browsers (Mozilla and Firefox, Opera, Safari, Konqueror, IE), and was patched in all of them except IE. It has now reappeared in Mozilla.
-
Opera is looking...
really good about now. Opera is the only browser I am aware of that has all *known* vulnerabilities fixed. Per http://secunia.com/product/4932/
YMMV, but methinks even though I use Ubuntu, I may make the switch to Opera for added security.
-
best plug for it
would be sealing it in a cement box and chaining the lid shut. I cannot believe that after all the
vulnerabilities, bad experiences, and poignant advice, people still continue to use it.
The alternatives aint perfect but they are a hell of a lot better.
"Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical" ...
"Currently, 20 out of 81 Secunia advisories, is marked as "Unpatched" in the Secunia database."
http://secunia.com/product/11/ -
Re:oxymoronic?
It is not an oxymoron. The feature would be turned off by default. You are confusing the point you are trying to make, which is that this remote admin feature would be a good target for exploits. It is a valid comment.
But common sense would dictate that the web admin tool would not be turned on to connections from the general internet. Instead, it would be limited to the intranet. If it is turned on to the general internet, then they better be sure there aren't any exploits around. But the same is true of any outward facing service, isn't it? IIS v5 was a travesty in security, but IIS6 has had very little problems where vulnerabilities are concerned (check out http://secunia.com/product/1438/). One would hope IIS7 would be even better, given the draconian protocol we have to follow now within Microsoft when it comes to security in code.
Remote GUI administration is already available, by the way. Run IIS manager, choose 'connect' and point it to a remote IIS server with the service turned on, and you'll be able to admin it just as you do your local IIS server.
I would think this is a good thing for OSS enthusiasts. It means that if a corporation absolutely insists on running IIS, then all the other support servers could be Linux/OSX and you could admin the machine through the web interface. Now you still need MS machines running for support, so you can either Remote Desktop to the IIS box, or use IIS Manager. -
Yeah, right.
"By using Netfilter to intercept packets within the kernel, anyone scanning for a service protected by this method cannot even talk directly to the IP stack without being authorized; that makes even 0-day exploits largely toothless."
Yes, because we all know netfilter is invulnerable to 0days? No. -
It depends on what the term RAD means to you
It depends on what the term RAD means to you. If it means using safe language with verifiable intermediate code, garbage collection and a large, managed library of well designed components available to it, then .NET (and Java) is a RAD tool. It cuts down significantly on boilerplate code which no one can deny is a good thing.
If it means Borland Delphi, then no, I wouldn't advise to use THAT for this system either.
Quite frankly, I'd rather see this system implemented in a managed language, be it Java or one of .NET languages, for the reasons of security. A language that by design doesn't have buffer overflows, pointer errors or memory leaks (I know you can still have them, but you have to make a conscious effort).
Its other benefits pertinent to this task are:
1. Unicode, l10n and i18n awareness "baked in".
2. Future-proof, will run on 64bit hardware once 64 bit URT comes out
3. As efficient as unmanaged code written without "shortcuts". Gets compiled into machine code when executed.
4. Easy to deploy and maintain. IIS6 on Windows 2003 is the most secure among the commonly used web servers according to Secunia.
Check this out:
IIS6: http://secunia.com/product/1438/
Apache 2: http://secunia.com/product/73/
Apache 1.3.x: http://secunia.com/product/72/
Hard to believe, eh? -
Re:Cheap Shots
When you get into linux desktop users, security takes a lot of work and attention.
No doubt. Many of the default behaviors, thankfully, are sane under most Unix/unix-like systems including Linux. Because of that, the amount of work to discover holes and plug them across multiple systems is much less when compared to Windows.
After all, we get this type of security for a common Linux distribution and these two examples from Microsoft's flagship desktop OS.
(Note: I am definitely NOT saying that security is running the right software and applying patches...it's not that simple. Using specific operating systems, though, does impact how difficult it is to lock down and secure a system.)
Personal examples:
XP: It took me 2 weeks to discover the main issues and to implement them for an XP home system (my dad's laptop). Extra work was done to remove bundled software from the system to reduce the potential attack vectors. Because I only had the restore CDs, Microsoft discourages any 'clean installs' without paying once again for the XP retail CDs and then having to get hardware-specific drivers and software separately.
With Linux I am able to lock the system down much better and quicker and the defaults (selinux, as one example) make quite a bit of sense. I have control of everything that appears on the system and can even compile it from scratch if I want (though I don't!). Perfect? Bah! "Just because you're paranoid, doesn't mean they aren't actually out to get you!"