Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:On this subject
Ditto. If that window injection vulnerability didn't scare you, you're a fool (or maybe you were simply not aware of it).
BTW, 1.0.1 did indeed fix it. Just mentioning that because the headline says presumably. Nice research!
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ -
Secunia and Techworld Noise
Techworld has hilariously biased coverage of this:
"Apple shames itself again over security: Critical hole in Mac OS X patched three months late."
And it's interesting to look at Secunia's site (Secunia being the source of a lot of recent Microsoft apologism and Apple-bashing):
Macintosh OS X issues
Windows XP Professional Issues
(Microsoft is "Vendor 1" in their database, you'll be pleased and amused to learn.)
I'm guessing Secunia likes to drum up publicity for itself by making press releases that run counter to the general wisdom, but their conclusions and announcements don't actually match their data.
E.g. on the Windows XP page, they show a pie graph that states XP Pro as having 0% (out of 67) severe issues, but then list several severe issues immediately below, one of which ("Windows Explorer / Internet Explorer Long Share Name Buffer Overflow") has not been patched (by their reckoning) in nine months. Maybe their Excel graphing skills are lacking...
The only mention of ActiveX states that Microsoft has fixed a problem whereby web pages can install arbitrary ActiveX plugins. As far as I know, it simply requires the user to click the "OK" button, which they're quite likely to do, given that they may well have to click it for legitimate reasons in the course of their daily job. -
Re:More FUD
Don't give Microsoft too much credit. Here. It's actually a really good track record, but not flawless.
regards,
Steve -
Re:Count me out of the FireFox craze..
For all those IE users feeling left out in the current phad for phishing, look here.
-
Re:Count me out of the FireFox craze..
I guess if you're dumb enough to fall for the phishing lures, IE is probably an ok idea.
I'm replying to you, partly because I disagree with the "IE is probably an OK idea" (even for dumb people ;) ), but mainly because I don't want to draw attention to the troll you're replying to. The Macworld article is referring to the recent IDN exploit that affects many browsers, but not IE. Macworld presumably considered this newsworthy because the exploit (a) affected Safari, and (b) didn't affect IE. However, IE had already suffered similar exploits, covered here on Slashdot and elsewhere. I had a quick peek on Secunia to see if I could find it, but got sidetracked by the pretty colours on the graphs:
IE
Firefox
Bottom line: IE is still horrendously insecure, while Firefox has very few issues, and what few issues it does have are patched quickly.
The sad thing is: I use IE. Apart from the security issues (I don't use it enough to be affected - I use Firefox normally, naturally ;) it's not a bad browser. Trolls like the GP don't help its case. The really sad thing is: one day soon there'll be trolls like this evangelizing (or trying to...) Firefox. -
Re:Temporary fix does not work..
It is slightly more dangerous than the parent implies (at least on Firefox 1.0 with MacOS X 10.3.8)
Just tried it: network.enableIDN remained set at false. Then went to the test page at secunia.com and it was clearly set to true. Went back to about:config, and it still says false, even though it has to be true.
So, don't be misled by the setting status.
-
Re:Fix it now.
Nope. Did exactly that. about:config, clear cache, restart Firefox, test at Secunia - wham. The spoof still works.
The Adblock method of stopping this (mentioned earlier) is a nice workaround. Adblock has become quite a useful tool.
-
Re:Internations
Ahhhh...the point of the scam is a domain name that looks like www.paypal.com in your browser but redirects you to something eeeeevil.
See the pretty demo. -
network.enableIDN
I have set this to false in Firefox 1.0 and the spoof still works.
http://secunia.com/multiple_browsers_idn_spoofing_test/
-
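The spoof discussed in the posts above works because a hostname can be built from letters of one script that render like letters of another, and the browser shows the pretty form rather than the punycode it actually resolves. As an added example (not from the Slashdot comments or from Secunia's test page), here is a defender-side check that converts a hostname to its on-the-wire "xn--" form, reports which Unicode scripts each label mixes, and folds a small constructed look-alike table into a Latin "skeleton" so a label can be compared against a hypothetical protected-brand list; the sample hostnames and both tables are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small look-alike table: Cyrillic and Greek
# letters that render like Latin ones in most fonts. Unicode's full
# confusables.txt is far larger; this subset is only for demonstration.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}

# Hypothetical allow-list: brand labels a phishing filter wants to protect.
PROTECTED_LABELS = {"paypal", "yahoo", "secunia"}


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def skeleton(label: str) -> str:
    """Replace each known look-alike letter with its Latin counterpart."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_host(host: str) -> dict:
    """Return the ACE (punycode) form plus a per-label script report."""
    host = host.strip().rstrip(".").lower()
    # Python's built-in idna codec produces the ASCII form the browser
    # actually sends in DNS and in the TLS/HTTP Host header.
    ace = host.encode("idna").decode("ascii")
    report = {"host": host, "ace": ace, "labels": [], "suspicious": False}
    for label in host.split("."):
        # Digits and hyphens have no script; only letters are classified.
        scripts = {script_of(c) for c in label if c.isalpha()}
        mixed = len(scripts) > 1
        folded = skeleton(label)
        # A label that is all one non-Latin script still impersonates a
        # brand if its skeleton equals a protected Latin label, so the
        # mixed-script test alone is not enough.
        impersonates = folded in PROTECTED_LABELS and folded != label
        report["labels"].append({
            "label": label,
            "scripts": sorted(scripts),
            "mixed": mixed,
            "non_ascii": any(ord(c) > 127 for c in label),
            "impersonates": impersonates,
        })
        if mixed or impersonates:
            report["suspicious"] = True
    return report


if __name__ == "__main__":
    # Constructed samples: a genuine host, a mixed-script spoof with a
    # Cyrillic 'a' in the second position, and an all-Cyrillic spoof.
    for sample in ("www.paypal.com", "www.p\u0430ypal.com",
                   "\u0443\u0430\u04bb\u043e\u043e.com"):
        r = analyze_host(sample)
        print(f"{r['host']!r:28} -> {r['ace']:28} suspicious={r['suspicious']}")
```

Verdicts are keyed on the ACE string, which is what a proxy log or mail filter actually sees; showing that string next to the display form is the simplest way to explain a block to a user.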
Slackware linux
-
My experience: OO needs less support.
"maybe has a little less support"
When you have "26,000 desktops", commercial support is not a factor, because you have your own support staff. Also, my experience with Open Office is that the help messages are better and there are fewer serious quirks than Microsoft Word 2000. (I've never tried Office XP because I decided to get off the Microsoft time waste train.)
I'm guessing governments have not adopted Open Office sooner because most government officials did not have enough technical knowledge to feel confident in committing thousands of desktops to something that didn't come from Microsoft. It is "you can't get fired for choosing Microsoft, even if the software doesn't work well".
When someone chooses a software package, they are choosing business partners, because so much staff time is invested in becoming comfortable with software and in using it. Officials are beginning to think about this: Is it sensible to want to be the business partner of a company that has been so adversarial toward its customers, and which produces software of amazingly bad quality?
If you test Open Office, be sure you test the latest version, 1.1.4. Version 2.0 will be available in April or May of this year.
Generally, when you send documents outside your company or organization, it is better to send PDF files. That guards against accidental changes. To make PDF files in Open Office, just click the PDF icon in the toolbar. To do this in Microsoft Word, install additional software. -
First hint? More like ugly stench.
"... if you sniff the air, you can just make out the first hints of rot."
There's something wrong with the reporter's nose.
I've been smelling the ugly stench of Microsoft mismanagement since the days of the CP/M operating system.
A lot of business writers assume that, if a company makes money, it is a well-managed company. But that's not always true. Microsoft has had a virtual monopoly. The money comes from the monopoly, not from the quality of Microsoft products.
For example, the Internet Explorer browser is buggy. One-hundred-thirty-three security advisories! It appears to me that either Microsoft has some very, very sloppy programmers, or the U.S. government's spy agencies made a deal with Microsoft so that they could hack into any computer connected to the web.
As users become more knowledgeable, they are not so easily fooled. The beginnings of a revolt are starting to appear in the media. People are disgusted with all the viruses and malware. -
Firefox patches
I recently switched to Firefox and on NTBugTraq last week, 3 exploits were announced with status of patched. I ran check for updates on Firefox and it reported nothing. I checked and noticed a bunch of other vulnerabilities that say patched yet firefox.exe says there's no updates. I went to mozilla.org and even the default download is the original 1.0 build. What gives? I'd expect update to actually work; there's no way I can install Firefox on my parents' machines because the only way they actually apply patches is when Windows Update actually downloads and prompts them. I can tell my parents to find the buried update feature and run it every day, and that doesn't even seem to work.
-
Re:What about
I agree. Since we're comparing statistics here, and the grandparent hasn't pointed to any sources, let's get some facts on the table.
Since Microsoft brought up server operating systems, let's compare Microsoft Windows Server 2003 Enterprise Edition with IIS 6 and Red Hat Enterprise Linux 3 Advanced Server with its default suite of servers (apache, etc.)
For WS2003-EE, microsoft.com reveals 12 security bulletins for 2005:
MS05-001 - HTML Help ActiveX Control - Moderate (3)
MS05-002 - USER32.dll overflow, Kernel DDOS - Critical (1), Important (2)
MS05-003 - Indexing Service - Important (2)
MS05-004 - ASP .NET - Important (2)
MS05-008 - Internet Explorer - Moderate (3)
MS05-009 - libpng (Windows Messenger) - Moderate (3)
MS05-010 - License Logging service - Moderate (3)
MS05-011 - SMB - Critical (1)
MS05-012 - COM, OLE - Important (2), Critical (1)
MS05-013 - DHTML Editing ActiveX Control - Moderate (3)
MS05-014 - Internet Explorer (3 vulns) - Moderate(3), Critical (1), Low (4)
MS05-015 - Hyperlink Object Library - Critical (1)
In addition, Secunia lists 5 unpatched security holes and 1 partial fix:
SA8987 (09/2003) - certain device drivers - Less critical (4)
SA9720 (09/2003) - overflow detection bypass - Less critical (4)
SA9921 (10/2003) - local exploit - Less critical (4)
SA10066 (10/2003) - HTML Help ActiveX Control (local) - Less critical (4)
SA13645 (12/2004) - partial fix (MS05-002) - Highly critical (2)
SA14061 (01/2005) - local Registry vuln - Not critical (5)
So it looks like the WS2003-EE/IIS6 combination has been subject to 12 patches in 2005 caused by 16 vulnerabilities with an average criticality of 2, plus 6 unpatched or partially patched vulnerabilities with an average criticality of 4.
Since I'll be getting rid of KDE and Mozilla vulns with RHEL because they're not really used on back-room servers, I'll toss out the IE and HTML Help ones here. That leaves 8 updates patching 10 security holes and an average severity of 2, plus 5 unpatched holes of low severity (mostly local).
Now on to Red Hat Enterprise Linux 3 Advanced Server, for which redhat.com lists 22 advisories for 2005 (more abbreviated list format):
code - # vulns - component
RHSA-2005:010 - 1 - VIM (not core OS)
RHSA-2005:018 - 1 - Xpdf (not core OS)
RHSA-2005:013 - 5 - CUPS
RHSA-2005:038 - 1 - Mozilla (not core OS)
RHSA-2005:019 - 2 - libtiff
RHSA-2004:635 - 1 - Ruby
RHSA-2005:043 - 3 - kernel
RHSA-2005:012 - 2 - kerberos
RHSA-2005:068 - 1 - less
RHSA-2005:059 - 1 - Xpdf (not core OS)
RHSA-2005:069 - 1 - Perl-DBI
RHSA-2005:049 - 1 - CUPS
RHSA-2005:039 - 3 - enscript (not core OS)
RHSA-2005:011 - 9 - Ethereal
RHSA-2005:105 - 2 - Perl
RHSA-2005:136 - 1 - mailman
RHSA-2005:135 - 3 - Squirrelmail
RHSA-2005:134 - 1 - xemacs (not core OS)
RHSA-2005:112 - 1 - emacs (not core OS)
RHSA-2005:104 - 1 - mod_python
RHSA-2005:009 - 3 - KDE (not core OS)
RHSA-2005:061 - 9 - Squid
So so far in 2005, RHEL3-AS has been hit with 22 patches, consisting of 53 individual vulnerabilities of unknown criticality (they didn't say). Taking out the ones affecting packages that aren't part of the base system (that don't really have any match on a backroom Windows server), that still leaves 14 updates fixing 41 vulnerabilities. Secunia, however, shows none unpatched.
The Secunia site has some good comparative charts, showing that from 1993-today, WS2003 has been hit with fewer problems, with a fewer percentage remotely exploitable, but with a highe -
Remember that this "exploit" doesn't count
Against Windows, because Messenger isn't part of the "core" functionality of Windows.
However...
The mailman exploit counts against Redhat Enterprise, because it ships with the distribution.
(just squint really hard, and you'll be able to clearly see what I'm talking about) -
Re:Windows and Red Hat
There's also 21 out of 87 marked as Unpatched for Windows XP Professional... at least one of them is marked as "highly critical"
-
Re:What about
In the last ~2 years there have been no security vulnerabilities reported for IIS6.
Secunia shows 3 vulnerabilities for IIS6.
The same cannot be said for apache which averages about 2 per month.
Which version of Apache? Secunia shows different stats for Apache 1.3 than Apache 2 with the later showing more regularity.
I would conclude that IIS6 is a secure product, from Microsoft.
Your numbers are off. And the numbers alone don't tell the whole story. You'd be better off doing a bit more digging before resting with that conclusion. Though, to be honest, I can see the argument being made. -
What really matters
What are the exploits? Since we are talking about servers, the most important thing is the amount of remote exploits. No one is going to "own" a corporate SMTP server, web server or even an application server by privilege escalation by logging into the local system. Let's look at the percentages of the types of exploits.
Red Hat AS 3
Windows 2003 Standard
66% of the Redhat vulnerabilities are Remote compared to 59% for Windows 2003.
Now let's compare standard services on servers, like web servers.
IIS has only 3 known exploits compared to 26 exploits that apache has.
-
Re:Windows and Red Hat
Currently, 5 out of 44 Secunia advisories, is marked as "Unpatched" in the Secunia database
Um, how reliable is their data? This one's definitely been fixed, for example. -
Re:To People Bashing Symantec
Well there was the SpamAssassin DoS vulnerability, which would give the same results, ie: no more mail server.
As for 'security' tools, if you consider Ethereal a 'security' tool then yup, it has its own. -
Finder Insecure File Creation Vulnerability
It seems Mac OS X Finder Insecure File Creation Vulnerability isn't fixed.
The vulnerability has been confirmed in Finder version 10.3.2 on Mac OS X version 10.3.7. It's rated as 'less critical'. -
Re:How can you take seriously the "Lower TCO" clai
"How Linux admins can easily administrate more machines per person-hour, due to the nature of Unix/Linux's remote administration (and don't even get me started on VNC or Terminal Services; they aren't scriptable, they aren't as bandwidth-effective, etc. etc. etc...), than Windows admins?"
They can't. If you'd ever used group policy, MMC, or the other numerous Windows administration tools, you would know that Windows administration doesn't mean "log in with VNC".
"The "hidden" costs of lost time due to (A) protecting against adware/spyware/malware/viruses/pop-ups, or (B) actually disinfecting machines that got infected anyhow."
I'll give you this one. I'd like to see a real study on this. Remember, though, that Linux-based companies must take many of the same measures to protect their businesses. At my company, we have a hardware-based firewall and antivirus solution (Sonicwall) that's pretty effective.
"The "hidden" costs of downtime due to buggy MS software. Sure, F/OSS stuff has bugs too, but when it does, at least the admin can try to fix them."
That's not at all realistic. Unless you're an admin at a *really* large organization, you probably don't have time to hunt down bugs in OSS apps. Not to mention that you have to track the changes unless you can get your fix accepted as a patch - and that requires even more work.
"When MS software is buggy, the admin is 100% at MS's mercy to fix the bug (since, being closed source, MS software is often 100% unfixable to anyone outside MS...)"
And, when OSS software is buggy, most people in the real world aren't going to run their own fork of RedHat to solve the problem. It's a logistical nightmare to develop and deploy patches without the help of your distro vendor. Unless you want to run a completely non-standard environment (try getting support from RedHat once you tell them that you changed some packages), you're SOL.
"The "hidden" costs of dealing with "hacked" IIS servers (vs. Apache)."
IIS 6 (http://secunia.com/product/1438/) has had far fewer security issues than Apache 2.0 (http://secunia.com/product/73/). It also has fewer unpatched issues. No reported issues for IIS 6.0 have allowed code execution. The only outstanding issue is one which could allow cross-site scripting with the web-based administration tool (e.g. a website could use Javascript to hijack the admin tool). This attack does not work if the administration is done on a system with the IE enhanced security configuration (on by default in Windows Server 2003).
You can complain all you want about IIS, but, as of version 6.0, it's a very capable, secure web server. -
Re:Safari IDN Vulnerability
here is the test
http://secunia.com/multiple_browsers_idn_spoofing_test/
It isn't patched yet. -
wow, you are stupid
Now, go over to Secunia and check out the list of exploits for Internet Explorer and Firefox. Firefox is listed as having 75% of its vulnerabilities *UNPATCHED*, while IE is listed as only 32%.
According to their site, Firefox has had eight advisories. Internet Explorer, on the other hand, has 61 advisories. So yes, IE "is listed as only 32%", but it still has over three times as many vulnerabilities as Firefox.
Dumbass. -
Mozilla / Opera / Konqueror IDN problem
Any else out there wondering why
/. is so quiet on this very scary vuln. reported on Secunia?
It does seem a bit odd given how much publicity is given to vulnerabilities in IE. I wonder how many people have submitted stories only to have them rejected by the ruler mafia.....
Or am I just paranoid? -
Re:Inaccurate Inaccurate comparison
-
Re:Another IDN bug on Firefox
I.E has got a similar security flaw (ability to display any URL in the address bar, but have the content load from a different website); the I.E "bug" has been known about since December but has not yet been fixed. It's documented here: http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/ -
Re:patch wars
According to secunia the web browser I'm using has 5 non-patched critical security holes. Guess what, I'm not using IE.
That's because if you were using IE, you'd be much worse off. Although Opera might be a reasonable, although not perfect, second choice.
However, I'm sure that wasn't your point. You're talking double standards. If you do a simple search, you'll find that Slashdot DOES, in fact, report Firefox vulnerabilities.
As an aside, one of the common threads that pop up whenever Slashdot does a bit on Microsoft vulnerabilities is the inevitable link to Secunia for an Open Source project. Unfortunately, the point seems to be the numbers, ignoring the actual vulnerabilities themselves. Which leads to an apples and oranges comparison. This seems to be lost on the general Slashdot readership as this happens again and again. Which begs the question whether this is all a troll. I doubt it. The same ignorance of the underlying complexity of the issues is often expressed in Microsoft / Windows criticism too (assuming that trolls only work with a pro-MS slant). -
Re:Why?
Go to Secunia and check for yourself
Windows XP Professional 21 out of 81 unpatched
Mac OS X 2 out of 44 unpatched
Debian GNU/Linux 3.0 3 out of 476 unpatched
Red Hat Linux 7.1 2 out of 97 unpatched.
Gentoo Linux 1.x 0 out of 504 unpatched.
See a trend? -
Re:At least they are actively patching...
Slashdot would be swamped with stories if they posted every security notification from every OS vendor. But to be fair, most *nix distributions do contain an exponentially greater amount of software than Windows. At any rate, this really isn't the best site to follow for security news. I recommend Secunia for that.
-
patch wars
Of course, the editor doesn't actually mean it, it's just a taunt. This stupid "my patches vs your patches" game is ridiculous and further cements slashdot as a "teen hangout" than anything resembling a tech site.
Not to mention running an update on most linux distros demands a serious amount of patching.
If slashdot would stop taunting for two minutes, they would realize that MS has a policy of patching on the first tuesday of each month and once auto-updates are enabled this becomes a non-issue.
It's getting old, really. If MS patches or doesn't patch, it's going to be a slashdot item with the typical trolls coming out from under their bridges.
According to secunia the web browser I'm using has 5 non-patched critical security holes. Guess what, I'm not using IE. Has this been a slashdot item yet? If not why? Where are mozilla's tuesday patches? Oh right, we have a double standard for them and just wait for release 1.1 without saying a word. -
You mean like this stuff?
Those holes that are in your windows box when you plug it into the net already have patches written for them.
It doesn't take a long look at Secunia's listings for Microsoft software to see that gaping ("highly critical") holes from literally years back have not been patched yet. In the case of MSIE, for example, there is a "highly critical" and unpatched flaw from August 2003 that allows arbitrary code execution on the victim's machine just by visiting a web site. This is possible because Microsoft allows any web site to install anything signed by Microsoft without user intervention or even notification, even if it contains unpatched flaws that the perpetrator then takes advantage of. So in the case of this attack, the malicious site installs a flawed Visual Studio ActiveX plugin without the user's knowledge that it then exploits to run arbitrary code on the victim's machine. And how is this the fault of the box makers again? This is just one example, not only of an old and major unpatched security flaw, but of a mind-bogglingly stupid policy that makes Microsoft Windows insanely insecure.
Steve -
Re:Common sense, for the love of Pete...
Your argument doesn't make sense. No one has ever claimed that the number of exploits in the wild scales linearly with the install base. There's plenty of vulnerabilities in OS X and enough of them are remotely exploitable that a virus could certainly be written for OS X, if anyone cared enough. If OS X had 50 times the market share, more people would care, and there would be exploits of these vulnerabilities in the wild. Douchebag spammers building botnets just aren't going to waste time on viruses and trojans that will only run on 5% of the systems out there.
-
Firefox security updates?
The only official release of Firefox is 1.0. There are a number of outstanding security flaws in Firefox 1.0 as reported by Secunia and none have been addressed yet. I don't know if there is a nightly release that fixes these flaws, but even if there is, those are not the releases that Mom and Pop download, and it is that type of user that tends to be affected most by security flaws. Doesn't the Firefox/Mozilla team need to release a version 1.0.1 that fixes these flaws sooner rather than later? Unfortunately there is no 1.0.1 on the road map, and version 1.1 is not scheduled to be released until June, if it is on time. By then the oldest unpatched flaw, from August 2004, will be 10 months old! While the severity of current flaws is nowhere near MSIE territory, the age of unpatched flaws will be getting into MSIE territory (well, somewhat, anyway.)
-
Re:Sorry Bill but you're full of shit
How many insecurities has Internet Explorer had since it was launched with XP? I lost count.
Well then look it up.
So, you don't actually know, then? How can you criticise them meaningfully if you don't know?
According to Secunia, MSIE 5.5 has had 55 so far with 10 remaining unpatched.
MSIE 6 has had 76 so far with 20 remaining unpatched, 98% are remote exploits.
SP2 was supposed to fix many things, but it was as difficult as a major OS upgrade, just ended up breaking many things, not fixing much and not really fixing what it claimed to fix. Granted, it's slightly more than purely a PR move, but not by much. However, it burned up valuable staff time that could have otherwise been used to evaluate competing products. The delay doesn't help MS' claim of prioritizing security much either.
It's common knowledge that MS products just aren't designed with security in mind, but if you want details, then look it up.