secunia.com · Domains · Slashdot Mirror

Re:Eh - SP2 anyone? by gregarican · 2004-08-25 04:36 · Score: 1 · on Internet Meltdown Predicted for Tomorrow

Good point. That and the fact that there is a newly discovered 'Drag and Drop' exploit in XP SP2 where using an Internet Explorer's scroll bar is enough to drop a binary executable in your Windows Startup folder. Perhaps there's more underground exploits that meets the eye. I just gathered details about the 'Drag and Drop' deal from Secunia.

Re:Security through obscurity? by ghettoboy22 · 2004-08-18 05:48 · Score: 1 · on Microsoft Funded Study Cinches 10yr Deal

Yeah MS is really on top of the ball.

Fifty-five percent was just replaced. by Futurepower(R) · 2004-08-10 03:06 · Score: 2, Informative · on Microsoft Developing Linux Policy, Plan of Attack

"In my opinion, Windows XP is a DISORGANIZED MESS!"

The i386 folder on the Windows XP SP1 Corporate version CD is 504,563,416 bytes. Windows XP SP2 is 278,927,592 bytes. Fifty-five percent of the disorganized mess just got replaced.

What amazes me is that there is plenty of evidence of just plain sloppy programming in Windows XP. There have been 102 vulnerabilities and 1,777 viruses affecting Internet Explorer.

Re:Give IE some credit... by Phragmen-Lindelof · 2004-07-14 10:49 · Score: 1 · on 4 New "Extremely Critical" IE Vulnerabilities

I am not sure I understand your point, which sounds like "If I have to choose between functionality and security, I will choose functionality". Is this a correct description of your point of view?

For the sake of discussion, I will assume the answer to my question is "yes." (Of course, it might be "no.") Choosing "functionality" over "security" is a long standing problem for Microsoft and for users of its products. Until this changes, MS products should not be considered to be even slightly secure. Look at the recent security warnings/info:
Atak
IE
IE
MS patchs

The end of the last link above is funny.
"Thomas Kristensen, CTO at security firm Secunia, told El Reg: "There are a variety of vulnerabilities with Internet Explorer that have been around for a while and are been actively exploited. Several are unpatched. We recommend our customers to use another browser for general web surfing and to limit their use of IE to trusted websites where its functionality is required, such as banking websites." ®"
Only use IE at web sites like banking sites, where confidential information and your financial resources are at risk. (Now which web sites did the Russians target? Oh yeah, banking sites.) ?????

Re:so is this what MSFT does? by maximilln · 2004-07-14 04:52 · Score: 5, Insightful · on 'Stealth' Worm Hinders Sandbox Analysis

The parent is horribly bipolar.

I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist

Actually an apologist wouldn't be spouting about the BMP exploit. Rather an apologist would be trying to dismiss it as you do in here:

Is there any documented evidence that this has been used in *any* virus/worm/hacks?

There. Now you're being the closed source apologist by saying,"We're sorry about the BMP thing but does it really make a difference?" Since it's been pointed out that the BMP thing was only present in older editions of MSIE (5.5?) it's pretty plausible that the forensic trail of tracking any exploits is long covered, formatted, and reinstalled.

And has there actually been more than one bug found

The security industry has its hands full simply processing data on exploits which are submitted. The people who have time to go over that released source code routine by routine, structure by structure, loop by loop, aren't going to tell you about it first. If they're nefarious they're not telling anyone.

Additionally, did you read this yesterday? Did you try contacting the authors who published those vulnerabilities? It's quite possible that they came onto those vulns by looking at the source code.

So sit down and...

If the exploit was evident by looking at the code, the code writer would probably fix it

That's a bit shallow minded. Not every programmer who works for MS was a 4.0 overachiever who visualized code loops and logic flow in real time. Very few middle managers were 4.0 overachievers--many got to their position because they were better at social networking than coding networks. By the time the code gets to the upper management it's not being audited line by line. Even 4.0 students aren't always guaranteed overachievers with amazing perceptual abilities. Many 4.0 students know how to stand in line and keep their mouths shut. That's the most assured way to a 4.0.

Every single exploit is discovered by accident

I would agree that the majority of exploits are discovered by someone noticing erratic behavior in a program and taking the initiative to dig in deeper. However I know a number of people who take great delight in poring over changelogs and then going back to audit source code when "Bug in <sourcefile.c> fixed." The changelog may have been a roadsign but when sourcefile.c is 1000+ lines it's still a testament to skill to find the bug which was fixed.

How could one program have so many serious flaws? by Futurepower(R) · 2004-07-13 06:49 · Score: 1 · on 4 New "Extremely Critical" IE Vulnerabilities

Could someone explain how one piece of software can have so many severe vulnerabilities? Are Microsoft programmers unbelievably bad at programming? Are Microsoft programmers just people who moved up from the lawn maintenance crew?

Is is possible that Microsoft does not allow its programmers enough time to finish what they write?

Did the U.S. government's NSA spy agency go in after IE was written and add a lot of bugs?

Here's a better view of the same Secunia advisory: Microsoft Internet Explorer Multiple Vulnerabilities, Secunia Advisory: SA12048 This view shows the 4 new vulnerabilities and shows 54 additional older vulnerabilities at the bottom of the page.

pot calling by minus_273 · 2004-07-13 04:17 · Score: 1, Interesting · on 4 New "Extremely Critical" IE Vulnerabilities

mr kettle black. well funny no one mentions this hole also out today. It effects all browsers. I dont like IE at all but the submitter might as well have mentioned it since it is in the same news blurb on the side..

Re:not so fast of a fix by fuzzix · 2004-07-13 02:38 · Score: 1 · on Mozilla Developers Respond to Malware

Meanwhile IE has been picked apart just a little more.

Re:I run Moz/FF exclusivly but... by 16K+Ram+Pack · 2004-07-12 07:29 · Score: 1 · on PC Magazine Reviews Firefox, Opera

Not that dissimilar to:-

this which affects IE.

Except the Mozilla one is Fixed, and the IE one has been public since 8th June.

They're using Oakland School Administration math. by Ungrounded+Lightning · 2004-07-05 08:57 · Score: 2, Interesting · on Security Statistics and Operating System Conventional Wisdom

From Secunia Virus Statistics web page:

Indicates the percentage of scans that resulted in a found infection (e.g. 1% means that in 10.000 virus scans, 1.000 of these scans resulted in found infections).

They did this twice, too. So does 1% equal one percent of machines infected, or ten percent?

(I refer to this as "Oakland School Administration math" because a high administrator of the Oakland California schools, while testifying before the state legislature, cited the percentages of black teachers in Oakland schools vs. black people in the US population, with the percentage far lower for the teachers. But in the same testimony she gave the actual numbers of black teachers and total teachers, and in fact the percentage of black teachers in their schools was far HIGHER than blacks in the general population. She'd blown the percentage computation. Doubly funny, since she was testifying about how the new teacher certification tests were unfair because they required far too much arithmetic.)

Vulnerabilities vs Advisories by AYeomans · 2004-07-05 07:53 · Score: 5, Informative · on Security Statistics and Operating System Conventional Wisdom

Note very carefully, they count advisories only once, even though they may include multiple vulnerabilities.

The Windows XP Pro list includes:

Microsoft Windows 14 Vulnerabilities
Microsoft Windows RPC/DCOM Multiple Vulnerabilities
Microsoft Windows ASN.1 Library Integer Overflow Vulnerabilities
Microsoft Windows RPCSS Service DCOM Interface Vulnerabilities

contain 14 + 4 + 2 + 3 = 23 vulnerabilities but Secunia only count 4 advisories. So the count is now 65 acknowledged vulnerabilities for XP Pro. Not including those silently fixed, nor the 38 vulnerabilities in Internet Explorer 6 alone.

Actually, Secunia tend to publish alerts based the vendor bulletins. There are better sources for collated vulnerability information, such as Sintelli (free) or TruSecure (fee) which have far higher totals.

Interesting results... by octogen · 2004-07-05 07:32 · Score: 1 · on Security Statistics and Operating System Conventional Wisdom

Look at these:

IBM z/OS V1.x
one vulnerabilty (in Sendmail, which was ported to z/OS)
By the way, most (if not all) parts of z/OS were written in PL/1.

IBM OS/400 - V4.x, V5.x
zero vulnerabilities
(Note, that OS/400's kernel ("SLIC"), written in C++, is absolutely closed code (afaik you can't even access its machine code on the iSeries 400's DASD), so nobody outside IBM knows, what kind of bugs might be in that kernel; anyway, because of its single-level storage architecture, this system has hardware pointer-in-memory protection, which, as a side-effect, prevents many of the most dangerous kinds of exploits, for example overwriting of return-addresses, overwriting of function pointers and such; so it's impossible to "smash the stack" on this machine)

Conclusion:
===========

To err is human; as long as people use Assembler, C or similar programming languages, they will probably cause buffer overflows and similar bugs; for this reason, we should take advantage of more intelligent hardware architecture, including features like tagged pointers and special CPU instructions for modifying addresses (so you still can change a function pointer, but only if you use the correct instruction; overwriting it using instructions for copying data areas (MOV on intel) would cause the pointer protection hardware to invalidate the pointer). Better hardware is a good foundation for better software. "Protected mode" (memory protection, preemptive multitasking, ...) brought us stable operating systems; some new hardware could get us stable and secure operating systems. By secure I DON'T mean hardware-addons like TCPA. TCPA is inadequate for a free-programmable computer architecture.

Use a suitable programming language to implement applications; you don't need to mess around with direct memory access, pointers and such, if you're programming software for accounting or a spread sheet application. Many commercial applications for z/OS and OS/400 are written in COBOL, PL/1, etc. rather than in C, and they do not seem to have nearly as many critical bugs as most C programs; OpenVMS people will tell you the same story, I don't know what programming language they used to write most of their applications, but I know it wasn't C.
If you can't get an open source Ada, Cobol, PL/1,... compiler, at least use C++ (use std::string).
Don't forget Java; java programs might not be as fast as compiled code, but especially non-GUI applications are still pretty fast, and Java is a well-designed language.

Unfortunately, there are no results for trusted operating systems such as Trusted Solaris; it would be interesting, whether the same bugs that are critical on standard operating systems could cause system access or any similarly critical escalation of privileges on trusted operating systems (my guess is, commonly not; these systems have extremely strong security implemented in kernel code). By the way, Solaris 10 will include many key security features that were only available in Trusted Solaris before (including privilege sets and compartment-like process separation).

Book hint: "The Inside Story of the IBM iSeries" by Frank Soltis, the system architect of the iSeries 400 (aka AS/400) and OS/400; especially interesting because of the fact, that this system's design is very different from common hard- and software architecture;

Interesting results... by octogen · 2004-07-05 07:32 · Score: 1 · on Security Statistics and Operating System Conventional Wisdom

Look at these:

IBM z/OS V1.x
one vulnerabilty (in Sendmail, which was ported to z/OS)
By the way, most (if not all) parts of z/OS were written in PL/1.

IBM OS/400 - V4.x, V5.x
zero vulnerabilities
(Note, that OS/400's kernel ("SLIC"), written in C++, is absolutely closed code (afaik you can't even access its machine code on the iSeries 400's DASD), so nobody outside IBM knows, what kind of bugs might be in that kernel; anyway, because of its single-level storage architecture, this system has hardware pointer-in-memory protection, which, as a side-effect, prevents many of the most dangerous kinds of exploits, for example overwriting of return-addresses, overwriting of function pointers and such; so it's impossible to "smash the stack" on this machine)

Conclusion:
===========

To err is human; as long as people use Assembler, C or similar programming languages, they will probably cause buffer overflows and similar bugs; for this reason, we should take advantage of more intelligent hardware architecture, including features like tagged pointers and special CPU instructions for modifying addresses (so you still can change a function pointer, but only if you use the correct instruction; overwriting it using instructions for copying data areas (MOV on intel) would cause the pointer protection hardware to invalidate the pointer). Better hardware is a good foundation for better software. "Protected mode" (memory protection, preemptive multitasking, ...) brought us stable operating systems; some new hardware could get us stable and secure operating systems. By secure I DON'T mean hardware-addons like TCPA. TCPA is inadequate for a free-programmable computer architecture.

Use a suitable programming language to implement applications; you don't need to mess around with direct memory access, pointers and such, if you're programming software for accounting or a spread sheet application. Many commercial applications for z/OS and OS/400 are written in COBOL, PL/1, etc. rather than in C, and they do not seem to have nearly as many critical bugs as most C programs; OpenVMS people will tell you the same story, I don't know what programming language they used to write most of their applications, but I know it wasn't C.
If you can't get an open source Ada, Cobol, PL/1,... compiler, at least use C++ (use std::string).
Don't forget Java; java programs might not be as fast as compiled code, but especially non-GUI applications are still pretty fast, and Java is a well-designed language.

Unfortunately, there are no results for trusted operating systems such as Trusted Solaris; it would be interesting, whether the same bugs that are critical on standard operating systems could cause system access or any similarly critical escalation of privileges on trusted operating systems (my guess is, commonly not; these systems have extremely strong security implemented in kernel code). By the way, Solaris 10 will include many key security features that were only available in Trusted Solaris before (including privilege sets and compartment-like process separation).

Book hint: "The Inside Story of the IBM iSeries" by Frank Soltis, the system architect of the iSeries 400 (aka AS/400) and OS/400; especially interesting because of the fact, that this system's design is very different from common hard- and software architecture;

Interesting results... by octogen · 2004-07-05 07:32 · Score: 1 · on Security Statistics and Operating System Conventional Wisdom

Look at these:

IBM z/OS V1.x
one vulnerabilty (in Sendmail, which was ported to z/OS)
By the way, most (if not all) parts of z/OS were written in PL/1.

IBM OS/400 - V4.x, V5.x
zero vulnerabilities
(Note, that OS/400's kernel ("SLIC"), written in C++, is absolutely closed code (afaik you can't even access its machine code on the iSeries 400's DASD), so nobody outside IBM knows, what kind of bugs might be in that kernel; anyway, because of its single-level storage architecture, this system has hardware pointer-in-memory protection, which, as a side-effect, prevents many of the most dangerous kinds of exploits, for example overwriting of return-addresses, overwriting of function pointers and such; so it's impossible to "smash the stack" on this machine)

Conclusion:
===========

To err is human; as long as people use Assembler, C or similar programming languages, they will probably cause buffer overflows and similar bugs; for this reason, we should take advantage of more intelligent hardware architecture, including features like tagged pointers and special CPU instructions for modifying addresses (so you still can change a function pointer, but only if you use the correct instruction; overwriting it using instructions for copying data areas (MOV on intel) would cause the pointer protection hardware to invalidate the pointer). Better hardware is a good foundation for better software. "Protected mode" (memory protection, preemptive multitasking, ...) brought us stable operating systems; some new hardware could get us stable and secure operating systems. By secure I DON'T mean hardware-addons like TCPA. TCPA is inadequate for a free-programmable computer architecture.

Use a suitable programming language to implement applications; you don't need to mess around with direct memory access, pointers and such, if you're programming software for accounting or a spread sheet application. Many commercial applications for z/OS and OS/400 are written in COBOL, PL/1, etc. rather than in C, and they do not seem to have nearly as many critical bugs as most C programs; OpenVMS people will tell you the same story, I don't know what programming language they used to write most of their applications, but I know it wasn't C.
If you can't get an open source Ada, Cobol, PL/1,... compiler, at least use C++ (use std::string).
Don't forget Java; java programs might not be as fast as compiled code, but especially non-GUI applications are still pretty fast, and Java is a well-designed language.

Unfortunately, there are no results for trusted operating systems such as Trusted Solaris; it would be interesting, whether the same bugs that are critical on standard operating systems could cause system access or any similarly critical escalation of privileges on trusted operating systems (my guess is, commonly not; these systems have extremely strong security implemented in kernel code). By the way, Solaris 10 will include many key security features that were only available in Trusted Solaris before (including privilege sets and compartment-like process separation).

Book hint: "The Inside Story of the IBM iSeries" by Frank Soltis, the system architect of the iSeries 400 (aka AS/400) and OS/400; especially interesting because of the fact, that this system's design is very different from common hard- and software architecture;

A turd is a turd by burnin1965 · 2004-07-05 05:58 · Score: 1 · on Security Statistics and Operating System Conventional Wisdom

There is truth in your statement, however, it does not change the fact that Windows and its associated applications have a significantly larger number of flaws when compared to the competition.

If you look at the secunia statistics for IE you find that by itself it has nearly as many exploits as competing operating systems and all their associated applications combined.

secunia.com/product/11/

burnin

Not potential, it is a study problem by burnin1965 · 2004-07-05 05:54 · Score: 2, Informative · on Security Statistics and Operating System Conventional Wisdom

In the XP stats they show one advisory for IE. But looking at the exploits statistics on the same website you find that the one Microsoft application by itself has about as many exploits as other competing operating systems and all their applications combined:

secunia.com/product/11/

Sorry Windows lovers, its time to face the facts, your OS of choice and associated applications are a haven for worms and viruses not because there are so many of you, its because the software is crap.

burnin

Re:Counting advisories is skewed by burnin1965 · 2004-07-05 05:45 · Score: 1 · on Security Statistics and Operating System Conventional Wisdom

Agreed, and your point can be proven even with the secunia statistics. They show XP with only one advisory for Internet Exploerer and yet Internet Explorer by itself had about 40 exploits by itself during the same period of time this MS shill is reporting on.

secunia.com/product/11

burnin

# Advisories != # Vulnerabilities != Security Risk by Trevin · 2004-07-05 05:43 · Score: 5, Insightful · on Security Statistics and Operating System Conventional Wisdom

There are two major things wrong with this article, which have been touched on by other posters. One is that the number of vulnerabilities is different than the number of advisories, because advisories can cover multiple vulnerabilities.

The second is that (as other posters have covered) Linux distributors post advisories and bug fixes for all software bundled with their distribution, not just the kernel and core libraries. Looking at the list of MS Windows XP advisories, all I see are the core components, with the glaring omission of Internet Explorer (which these days is in fact a core component of the operating system).