Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Cheap Shots
When you get into linux desktop users, security takes a lot of work and attention.
No doubt. Many of the default behaviors, thankfully, are sane under most Unix/unix-like systems including Linux. Because of that, the amount of work to discover holes and plug them across multiple systems is much less when compared to Windows.
After all, we get this type of security for a common Linux distribution and these two examples from Microsoft's flagship desktop OS.
(Note: I am definitely NOT saying that security is running the right software and applying patches...it's not that simple. Using specific operating systems, though, does impact how difficult it is to lock down and secure a system.)
Personal examples:
XP: It took me 2 weeks to discover the main issues and to implement them for an XP home system (my dad's laptop). Extra work was done to remove bundled software from the system to reduce the potential attack vectors. Because I only had the restore CDs, Microsoft discourages any 'clean installs' without paying once again for the XP retail CDs and then having to get hardware-specific drivers and software separately.
With Linux I am able to lock the system down much better and quicker and the defaults (selinux, as one example) make quite a bit of sense. I have control of everything that appears on the system and can even compile it from scratch if I want (though I don't!). Perfect? Bah! "Just because you're paranoid, doesn't mean they aren't actually out to get you!"
-
Re:not that easy
-
Konqueror
What about Konqueror? Doesn't seem to be as targeted as Firefox or IE. Are there any more recent vulnerabilities than this one? http://secunia.com/advisories/13586/
-
Re:Nor is there a "safe" OS....
Sorry people, Linux is not "safe."
Depends on which Linux you're talking about. Maybe if you were talking about a Linux that is geared towards military use, and that underwent formal methods of software verification (which is a standard practice in that industry), you wouldn't say that. Or, to keep it at a more prosaic level, if only Linux hackers looked thoroughly at their source code and adopted counter-measures to buffer overflows, maybe you would have a reasonably safe OS at your home.
However, at the current state of: 1) hacker sloppiness (99% couldn't give a shit about proving an algorithm correct - let alone construct software with formal specification and verification); 2) languages used (C/C++ used everywhere is a disease we must cure ourselves of) - we're all in trouble.
And what fucks the software industry is this attitude that there's nothing you can do about it. Or, as is the philosophy in the Linux Kernel community: ship fast, fix later, because "there are many eyes looking at the source code and somebody will fix it." Bullshit. May 2005 - Linux already has 9 kernel exploits from this year.
-
Re:Flame on...
Both your links go to Apache, I think you wanted:
http://secunia.com/product/1438/ -
Re:Flame on...
I can't remember the last time I heard of an IIS hack.
Here are the latest security reports regarding IIS 6 and Apache 2, since Jan 2003 (which is when IIS 6 was released):
Since Jan 2003: 1 of 3 advisories unpatched for IIS6:
http://secunia.com/product/1438/
Since Jan 2003: 2.5 of 24 unpatched for Apache 2 (2 unpatched and 1 partially patched):
http://secunia.com/product/73/ -
Re:Flame on...
Okay, call me Kooky, but I don't see where you are going with the IIS thinking.
Take a look at what Secunia has to say about IIS 6.
Then compare it to what they say about Apache 2.0 over the same time period.
I am not claiming great wisdom in this area, but I do know that more little bars on the charts is a bad thing. -
Re:Linux?
Windows is secure out of the box???!!!
Out of the box,...
- you run everything as an admin. If you try not to, things break. So you leave it as is until the day you'll visit a malicious webpage and/or run a malicious app. Or what about your privacy? ANY user on a windows system can read/modify any of your private files because they are all admins!
- the messenger service (not MSN messenger) is running and you are subject to spamming delivered directly on your desktop!
- UPnP is on by default and wide open to the rest of the world. I haven't met any windows user who needs UPnP and yet it's on by default.
- DCOM is again on by default and wide open to the rest of the world. Again, I haven't met any windows user who needs UPnP and yet it's on by default.
- there are countless other needless services that although they are useless, if you try to shut them down, things will break! So you end up leaving them running with your machine potentially owned at any moment!
- there are countless windows specific accounts and groups in your machine that pose a security risk, but if you try to remove any, your system will break!
- Internet Explorer is integrated into Windows. So any flaw in IE results in an OS compromise. That smells like bad design doesn't it? Oh wait...they did it to counter the anti-trust lawsuit. That says something about MS priorities. Profits come first, user security - who cares?
- ActiveX. Need I say more?
The above are ALL design flaws! I don't even want to go to application specific stuff and buffer overflows. Many of them unpatched, waiting for someone to exploit your box.
And you know what the most dangerous part is? The false sense of security that windows users get from antivirus, antispyware and that toy, the windows firewall. Or even the new "Security Center" on their control panel, that does nothing apart from falsely comforting windows users that they are safe.
-
Re:Actual information
Benchmarks? Why do you want benchmarks from OpenBSD? Everybody knows it sucks compared in speed to other OSes so there really isn't need for benchmarks. OpenBSD was never about speed but security and all the "benchmark" I need is this: http://secunia.com/product/100/
-
Re:Based off of firefox
To answer a few of these things..
Meta tags are optional, you don't need to specify them..
The DOCTYPE is there so the browser can instantly identify what type of document it is, and therefore how to render it. Sure the browser will try to guess what it is based on the content, but because people write bad html code that's often very difficult to do.
If a website deviates from a standard, it's usually due to laziness on the part of the webmaster, it's VERY rare that there's something you can't do by following the standards, and in these rare cases you should propose an extension to the standard, the w3c would include it if it provided a genuine benefit.
As for your talk about how standards would slow progress, look at how much progress on the web has slowed since msie has been the dominant browser, everything has stagnated, ie hasn't received any major new features for YEARS.. Because of the dominance of ie, web development has STALLED.
As for bugs being fixed quickly in mainstream products, this is often not the case at all.. Read http://secunia.com/product/11/ - many vulns found in IE have not been fixed at all yet, while other vulns took a long time to be patched.. As for joe's accessible browser, if joe is still maintaining it on his own and using it himself, then he is easier to contact and more likely to fix the problem (he won't want to get infected with anything himself) and if it's opensource then other users are likely to fix it if he doesn't.
As for memorising the tags, what's wrong with that? Would you write a C program and leave out some functions? Would you write assembly and leave out instructions? HTML/XML are just machine-parsed languages too, and if you want power/flexibility you need complexity. There are plenty of graphical tools for generating HTML too.. browsers should never have been made tolerant of errors, this just encourages bad code... C compilers which tolerate errors cause exactly the same problem, signed/unsigned comparisons for instance can be exploited, and most compilers just warn about them rather than generating an error and halting the compilation.
If browsers and compilers were more pedantic and stopped on errors, the quality of code would be MUCH higher. -
Re:Maxthon
...just remember to read up on some vulnerability reporting site (like secunia) once in a while to see if it's safe to visit your bank online.
I'm not saying Firefox is without holes, just pointing out that MS doesn't really rush those security updates out... And that is a big part of all the stuff that sucks, if you ask me.
-
Tabs mean bugs
At least recent Mozilla/Firefox security updates were due to exploits in drag and drop tab interaction.
For example
Watch out MS - tabbed browsing ain't as simple as you might be thinking...
-
Re:ridiculous
That's a silly contest; as running any web server with enough features turned off can be unhackable. In real life IIS 6 is even more hackable than IIS 5 and IIS 4.
Note that the big difference between IIS5 and IIS6 is that 6 runs as a kernel module. This is a nice trick to get speed for static content (like khttpd) at the expense of security.
-
You can't compare like that
According to Secunia, Firefox has 17 advisories. But this does not equal 17 security errors, since many of them are 'multiple vulnerabilities'. Similarly for IE.
You must also look at the number and criticality of currently exploitable bugs, and the typical speed of the vendor's response.
In Secunia's own words:
Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often covers multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities are also important. -
Re:Widely Publicized?
They released a fix a week after widespread hue and cry. This is not too dissimilar from Microsoft breaking its "patch Tuesday" policy for a critical fix.
True. But it is quite an improvement over Microsoft not fixing critical bugs for years at a time:
http://secunia.com/product/11/#advisories
In my opinion, this is a critical difference between commercial (proprietary) and open-source products: open-source coders do what they do for acclaim and the personal satisfaction of having people use their code--likely a fairly constant incentive to fix bugs, at least until the coder dies or loses all interest in such acclaim.
By contrast, companies do what they do for the profit motive. When Microsoft gets its money regardless, there's really no incentive to devote resources towards fixing serious bugs.
Now that Microsoft has begun to experience some real competition (however small it is at this point), I would expect them to get more serious about security and bug fixes.
And that's a good thing all around. -
Re:Dude at work
Next time respond: "You know IE has 18 open holes. Some of them back from 2003"
-
Mandrake deserve it.
Mandrake with 0% of the 123 advisories still open (and that's for their entire software collection, people). They've really improved, nice to see them number 1.
And interesting to see gentoo beat every distribution in 2003 before the ricer campaign ;)
But why no Crux or Arch? -- I love those distributions. -
Oh but it has, and you've proved part of my point
Good thing it hasn't happened then.
Sure it has. Still does, past and present examples.
Joke or not, your comment is indicative of the denial most Mac users seem to live in- "If it's not Windows, it's secure" and "If I don't hear about it, I must be OK" but the fact is that Mac OS X uses BSD, BSD has holes == Mac OS X has holes. Mac OS X is written by people who want users to have the easiest possible experience using their Mac. As a result, some of the things in place to make usability easier open up holes. This is the same for any OS. Anytime you cater to the user first and security second (or later) you will always ALWAYS provide someone else a way in.
I have no problem with using one OS or another, I use whatever the hell I need to get the job done- to me it's a tool, not a lifestyle. As such, I make sure my tools are safe and pay attention when someone says my OS has a hole or exploit or vulnerability, rather than just refusing to believe it's true. -
It's not about running windowsupdate, damn it!
26% of the 66 Windows XP Home exploits are still unpatched, many of which are highly critical. Every single windows XP user can be easily hacked even if they go to windowsupdate.com every 5 minutes.
-
Re:I'm sure everyone will complain
It's said time and time again, but nobody ever listens: security through obscurity is not security.
Who doesn't listen? The Moz Devs *do* listen. If this issue was as big as this article makes out, then a patch would be available asap.... but this issue *is not* as big as this article makes out!
The Secunia Advisory shows that two bugs could be exploited to allow arbitrary code execution, *BUT* the site hosting the malicious code would have to be on the user's white-list of sites allowed to install software, which by default are "update.mozilla.org" and "addons.mozilla.org".
These are both serious bugs and should be fixed quickly, but since they aren't (IMHO) critical, they can probably wait for more rigorous testing. The risk with releasing patches too early is that they might themselves contain bugs which would discourage users from upgrading in the future.
You are right to be concerned, but in this instance there is no need to panic. Be assured that the Moz Devs do care about security and do fix things very very quickly when it is necessary, and merely quickly when it isn't! -
Over-rated bug
http://secunia.com/advisories/15292/
it says in the article
"Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org")."
I tried it, it doesn't work.
"Nothing to see here... go back to your homes and resume using firefox" -
Re:Uh oh!
In Firefox, to stop this vulnerability:
Web Features->Allow web sites to install software
I'll switch to MS IE as it has no known serious vulns
Internet Explorer Long Share Name Buffer Overflow Highly Critical
Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed. -
Re:Are you sure?
Reading the Secunia explanation:
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
So, unless you've whitelisted the exploit site (which generally would mean it's a site you trusted enough to install an XPI from), or the Mozilla website has been compromised, the exploit won't work. -
Secunia: Extremely Critical
Secunia have already released an advisory explaining how the exploit works:
http://secunia.com/advisories/15292/
This is the first Firefox exploit that has received the rating 'Extremely Critical'.
--- Extract from Secunia's site ---
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution:
Disable JavaScript. -
Re:IIS is always faster.
Perhaps you should look at the correct report http://secunia.com/product/1438/ which shows 33% of Vulnerabilities are UNPATCHED and another 33% that you have to properly configure a workaround to fix... so ya I'd rather use the one that has all those patches that fix 86% of the issues.
Perhaps *you* should read the rest of the article. Yes, 33% of the current critical flaws are unpatched but this is (listening now?) *one* patch for an admin console that can be (and should be) disabled on a production server.
So, I reckon that's *zero* actually exploitable critical flaws outstanding in IIS6. Perhaps you should RTA that you are posting before quoting it...especially when the parent already pointed this out for you
;-)Anyway, if you don't want to, here's the "solution" from the secunia site:
Solution:
Administration of sensitive web based systems should always be done from a system which you do not use to read email or browse untrusted sites. This limits the attack vectors. If you do not need the Remote Administration Tool it should be disabled.
-
Re:IIS is always faster.
Perhaps you should look at the correct report http://secunia.com/product/1438/ which shows 33% of Vulnerabilities are UNPATCHED and another 33% that you have to properly configure a workaround to fix... so ya I'd rather use the one that has all those patches that fix 86% of the issues.
See, so there's more to securing your box than turning off one tool, you have to know how to look up the issues, which you can do easily on Apache's site right here: http://httpd.apache.org/bug_report.html and it's linked right off the front page of the web server's site.
Then there's Microsoft's site for IIS, whose security link links to this wonderful page http://www.microsoft.com/security/guidance/prodtech/IIS.mspx. But what's that? All you see is this message: "We're sorry, but there is no Microsoft.com Web page that matches your entry."
Yup that gives you a warm and fuzzy feeling all over! -
Re:IIS is always faster.
But if you read the alerts (http://secunia.com/product/1173/)--which are really for Windows 2003 NOT IIS6--you will notice that the vulnerabilities generally require one to be doing something like surfing the internet. If you are surfing the net, nevermind visiting untrusted sites, on a production webserver then you deserve to get rooted on general principle.
-
Re:Several exploits
Apple doesn't wait months to fix vulnerabilities
5 months - 3 months
(ok, semantics ... but notice that the changelog specifies 'local hackers' in many of the bug descriptions)
Including full access to your filesystem via Bluetooth (service on by default). I actually care more about my files than the root account (you couldn't root Windows 9x, didn't make it secure) -
Re:Several things
All the things you mention are good points, that IIS can be dangerous in the wrong hands... but don't make the system "impossible" to secure....and IIS6 specifically only has 3 known vulnerabilities according to Secunia, which is pretty damn good.
-
Mozilla
-
Apache vs IIS: The Facts
We have one key data point which is that its web server technology gets hacked more than say, Apache. It's important since Apache is as big as MS in that, neutralizing partly the size issue (albeit Apache is less homogeneous than MS server so it's not perfect)
Since 2003, IIS 6.0 has had exactly 3 security advisories versus Apache's 22 in the same time period:
IIS6 advisories: http://secunia.com/product/1438/
Apache 2.0 advisories: http://secunia.com/product/73/
So, what "data point" are you talking about? -
Bad patches are the least of your problems.
From a security perspective, it is not the patches which crash your computer or destroy data that are a problem. They are just annoying. Reinstall, restore your data from a back up, and you are ready to go again.
The problem comes from bugs with exploits in the wild, but no patches yet.
Unpatched IE vulnerabilities
Unpatched Windows XP Vulnerabilities -
Re:If you only have 20% of the market
My god that IIS 6 is insecure! One unpatched non-critical vulnerability, and 3 total in 2 and a half years is completely unacceptable. Good thing we have safe and secure Apache. One wait, Apache has more.
And the non-mainstream comment? I'm not sure what you are implying, but saying IIS is unfit to be used as only 20% of the market uses it, is akin to claiming Linux and Mac OS X as unfit for desktop use as combined they still have less than 20% of the market share. Your logic seems a bit fuzzy. -
Re:If you only have 20% of the market
Duh, 20% of market share does not make a product mainstream. And if you think 2 security advisories is a lot compared to Apache's 24.
If you were joking or being sarcastic well you went right over my head.... -
If you only have 20% of the market
...you gotta do something to pump up your buggy, non-mainstream, insecure webserver.
-
Re:Debian's appeal
With new distros like Centos 4 (free RHEL 4 clone), Debian is getting less attractive as the server of choice. And this is someone who hated RHEL 3.
I made the mistake of installing Sarge thinking that it was only a couple months away from release--that was last year...and I have to pin Testing with Unstable branch just to get all the security updates in a timely fashion--it defeats the purpose using Debian as a server...
Man, what's your problem? You are preferring over unsupported distro of another. Debian Sarge is reliable and secure for most purposes and has been for a while. I have not seen a show stopping bug in ages. It has been (almost, I have to admit) feature frozen for quite some time now and everything that's coming in is either security or bug fixes. Compare that to Centos (or Whitebox or Tao or whatever the RHEL clone of the day is), which is basically a rebuild of RHEL sources. Fixes are lagging behind the official distro.
Pinning Sarge and Unstable on a server to get security updates, now where did you get this idea from?
Besides, you might be interested in comparing this with this.
No wonder you are posting AC
;-)