Slashdot Mirror

you don't follow the news much do you. OpenSSH. has had a butt load of exploitable flawes over the years and to do a comparison you need to compare it to RDP not to windows
http://www.securitytracker.com...
https://www.tenable.com/pvs-pl...
https://www.symantec.com/secur...

You were saying?

You mean this one, lol?

Solution: The vendor has issued a fix for the Android OpenSSL implementation and has distributed patches to Android Open Handset Alliance (OHA) partners.

Oh, that notorious piece of Java code, OpenSSL!

anyone who is interested can look up security vulnerabilities by vendor.

I'll give you credit for at least posting a link, but I have to call you on it. The latest version of OSX vulnerable to the OpenSSH vulnerability is 10.1.5, which is patched, and the other has also been patched. Both are patchable just by doing Apple Menu->Software Update.

And ya, I know you said they were possibly quite old, but still. :)

To be fair (because it applies to Microsoft, too) buffer overflows are 1) extremely hard to detect and fix, and 2) extremely hard to exploit. It sort of boils down to bad habits on the coder's part.

Without wishing to be rude, see the reply I gave to the other comment - here's a couple I chose at random (possibly quite old) from Google:

OpenSSH vulnerability
SAMBA vulnerability

If you're paranoid about it then you subscribe to Security Focus or CERT and keep an eye open for any new ones - then turn the daemon off or restrict connectivity until it's been updated.

The point is not to get complacent about security - every OS needs to be watched for vulnerabilities and updated to fix them.

I don't have a sandbox around (...) my PNG viewer

Microsoft Security Bulletin MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution

(...) nor my MP3 player

Winamp MP3 Player Lets Malicious MP3 Files Control the Winamp Mini-browser and Cause Arbitrary HTML Scripts to Be Executed

I think most people can agree that for most purposes, any alternative to Adobe Reader is going to be faster, smaller, and more secure. But let's not delude ourselves into thinking that just because we're not using Reader that we're completely safe from PDF exploits. Witness the recent XPDF vulnerability that affects nearly every Linux-based PDF resource:

http://securitytracker.com/alerts/2010/Oct/1024526.html

We're safe from a "security through obscurity" point of view (why bother writing an exploit for such a tiny market?) but this exploit is at least as bad as most of the Reader ones.

Wasn't that how the image hacks started? A specially crafted BMP. There are more but this is one I recall off of the top of my head.

Internet Explorer advisories (5 pages)
Google Chrome advisories (1 page, total of 13 advisories)

And how is anyone supposed to believe that a browser that didn't exist before 2008 would have nearly as many flaws as one that's been around getting lusers infected for 15 years?

Internet Explorer advisories (5 pages)
Google Chrome advisories (1 page, total of 13 advisories)

And how is anyone supposed to believe that a browser that didn't exist before 2008 would have nearly as many flaws as one that's been around getting lusers infected for 15 years?

SecurityTracker lists 6 pages of security vulnerabilities for Chrome; but 7 pages for IE 6. Chrome would seem to be marginally more secure. In any case a business would be well advised not to pick a fight with Google, or at least pick a fight over a more worthy issue.

Security Tracker, best tool I know of to track security vulnerabilities.

"Windows XP SP3, Vista, and Windows Server 2008 aren't vulnerable", Shados That's two out of four not affected ..

'Impact: Execution of arbitrary code via network, User access via network'

"I didn't read how the exploit actually works to see if it can realistically be used to attack Windows Server 2003", Shados

'"limited and targeted" attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter .. If exploited, a hacker could gain the same rights on a PC as a local user and could remotely execute code'

http://www.cio.com/article/470080/Another_Microsoft_Bug_Revealed_on_Huge_Patch_Day http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123100

Ok, I will take a last shot - Explain to me why on the "Sandboxed" iPhone 2 OS Safari can be still be exploited to execute *arbitrary* code - http://support.apple.com/kb/HT3129 ?

Because no sandbox is 100% free of ways to get out of it.

As noted, that goes for Java too.

If the Java application was vulnerable and some malicious hacker causes the instruction to execute native code be loaded - its just going to be caught by the Virtual CPU as VM policy violation and you will get a nice permission denied type exception dialog.

That's very naive. That's what normally happens but as noted, there are ways around that just as with any system, to exploit flaws in the VM itself.

Sandboxes are great but any system must take a defense in depth approach, because you cannot rely on one system only like VM sandboxing) for security restrictions.

That's flamebait but nonetheless...

It's not as if Java never had any buffer overflows.

As for C/C++, with great power comes great responsibility, either that or for the love of Pete use an std::vector.

NOTE WELL: This update causes BIND to choose a new, random UDP port for each new query; this may cause problems for some network configurations, particularly if firewall(s) block incoming UDP packets on particular ports.

I'll get this patch applied as soon as I reconfigure my entire network topology.

Security Tracker, best source of information on security vulnerabilities that I know of.

Of course I'll get modded down for this, as I always do, but when you make broad statements like "OSX is far more secure than Windows"... that deserves to be quantified. However, the very act of SHOWING it quantified is what gets one modded down. This site is run by Linux.com... so go figure.

Here are security issues with OSX
and here are security issues with Vista

At the moment, I'd say they are tied, if anything. However, there have been plenty of times where Vista had a really small amount of security issues, while OSX had a huge amount.

Sorry to burst all those bubbles, but there's no such thing as "intrinsically more secure". If you think so, then please explain to the rest of the class exactly what is going on under the hood in each OS, and what is going on in Windows that is fundamentally flawed.

Because while it gets people modded up around here by saying stupid crap like that, it actually infuriates security experts to hear brain-dead drivel like that... especially when the people saying it try fooling everyone into thinking they are tech savvy.

Of course I'll get modded down for this, as I always do, but when you make broad statements like "OSX is far more secure than Windows"... that deserves to be quantified. However, the very act of SHOWING it quantified is what gets one modded down. This site is run by Linux.com... so go figure.

Here are security issues with OSX
and here are security issues with Vista

At the moment, I'd say they are tied, if anything. However, there have been plenty of times where Vista had a really small amount of security issues, while OSX had a huge amount.

Sorry to burst all those bubbles, but there's no such thing as "intrinsically more secure". If you think so, then please explain to the rest of the class exactly what is going on under the hood in each OS, and what is going on in Windows that is fundamentally flawed.

Because while it gets people modded up around here by saying stupid crap like that, it actually infuriates security experts to hear brain-dead drivel like that... especially when the people saying it try fooling everyone into thinking they are tech savvy.

For one, it promises to address problems if they arise in the future. PJ of Groklaw said that's akin to 'selling you a car with four different sizes of tires and assuring that that if you see it's a problem, you can always bring it in for maintenance.

People said this same thing when the Windows 2000 source code leaked. Nothing happened.
Well, I wouldn't say that nothing happened:

http://www.securitytracker.com/alerts/2004/Feb/1009067.html
It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.
The author states that this flaw was found by reviewing the recently leaked Microsoft Windows source code. The flaw reportedly resides in 'win2k/private/inet/mshtml/src/site/download/imgbmp.cxx'.

Ok, I know it's not much but sure is something!

I thought the real reason would be Microsoft envy. It's certainly not because it's secure, that's for sure.

But I certainly think it's amusing that people using an operating with a non-growing (despite being free) sub-1% market share think they are somehow "pressuring" Microsoft. You know who exerts pressure of MS? Large corporations. You know why? Because that's their target customer.

That's why MS changes their product... but perhaps not in ways an at-home consumer would like. MS views Windows as a network client which will connect to an Active Directory. For a home user, the only network connection will likely be the WAN connection to the internet, and it most certainly will not connect to an AD (nor will it probably be able to). But... that only makes sense if you understand that home users aren't MS's target customer.

Opera may want to worry about some of this stuff before whining about something new.

Yeah... because using teh Lunix is SOOO secure...

He hated calling me up, asking me where that Office XP CD was only to have me tell him I have no idea.

Most people just want their computer to work and don't want to jump through a million hoops and keep track of that one cd-case whenever they want to install software on their new laptop.

Are you even paying attention? Did you even read the article?
The article itself stated that

Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1,000 lines of code

Sure. But unlike you, I'm not taking the article as gospel. Where did THEY get that statistic? And what software were they testing against? Obviously not Microsoft code, since MS products are not open source, are they? And, since MS software is what we are discussing... only the rate of problems with MS's closed source code is applicable here.

But hey, sorry to throw water on your FOSSie zealot screed. But I'm not really sorry.

How does this make an argument that FOSS is a buggy mess? As others have stated, similar firms have rated the average flaws per 1000 lines higher (from 2 to 7), making 1 per 1000 equivalent to proprietary software at worst, or better depending on whose average you use.

I didn't make the argument, you FOSSies did. You guys keep saying how bulletproof and secure and stable your code is. You know, the magical byproduct of "all those eyes on it". Teh c0d3 becumz teh magiklly s3cur3!!!11!!

But hey, what's going on? You mean all that code with all that eyes ended up getting to 2006 with all those security holes in it? Looks like you guys were a few eyeballs short. Or, as my point was, it's not the number of eyes, it's the quality of the person those eyes are attached to. Which is why open/close source is (and always will be) irrelevant. If you have a good programmer, it's going to be good code. If not, it wont. It's been our collective experience that most programmers go open source in a futile attempt to get other people to fix their buggy and poorly written code (see Ruby on Rails, or Netscape, or Java)... then when it doesn't work, you guys try to throw the responsibility onto the user ("Duh... dey kan go into teh sarce kode und fix it demselfs, cuz we be teh open sarse and about teh freedumbs!!11!!")

You haven't demonstrated this, you've just asserted it blindly as if it were a well-established fact.

Same here. You just make vast generalizations without the numbers you are so fond of to back them up.

If that's the case, you shouldn't have a hard time proving me wrong.

Even as stated by Coverity, the major difference here is that we get to know the number of bugs, which we don't get for closed source apps.

And yet you ASSume that MS is somehow less secure. You know what they say about ASSuming... and you MS haters sure make a lot of ASSumptions.

and even that does not account for severity or exploitability of a flaw - which could come out in favor of FOSS or Closed-Source. Come back with some facts, and maybe we can have an actual discussion instead of ill-informed ranting.

Here you go, security noob. Knock yourself out.

If you have some evidence that IE more secure or functioning better than Firefox, then I'd like to see some documentation on that.

Here you go!! How about an entire security website for ya?

Obviously, it's not documentation which nobody else has seen, it's simply being better informed than, well, anyone else here. Not too difficult, considering Firefox users (and FOSSies in general) have a long and glorious tradition of keeping their head in the sand regarding their own faults. That's why they have no credibility, you see.

Even the top level post cites the serial lying regarding Firefox's history of memory leaks. You can't change reality, but you sure can mod it down, can't you?

I've been pointing this fact out for years. And been getting modded down for the inconvenient truth, as well!

OS X
Windows XP
I don't know why Vista doesn't have it's own category (maybe not enough to report?). But anyhow, you can check OS (Microsoft), and search for Vista. Only four things show up...

And the worst one of all, of course, is Teh Lunix.

It's been a horrible, horrible year for MS haters. Moreso than usual. Those tail lights just keep getting farther, and farther, and farther away...

Security through obscurity will never beat actual security.

I've been pointing this fact out for years. And been getting modded down for the inconvenient truth, as well!

OS X
Windows XP
I don't know why Vista doesn't have it's own category (maybe not enough to report?). But anyhow, you can check OS (Microsoft), and search for Vista. Only four things show up...

And the worst one of all, of course, is Teh Lunix.

It's been a horrible, horrible year for MS haters. Moreso than usual. Those tail lights just keep getting farther, and farther, and farther away...

Security through obscurity will never beat actual security.

I've been pointing this fact out for years. And been getting modded down for the inconvenient truth, as well!

OS X
Windows XP
I don't know why Vista doesn't have it's own category (maybe not enough to report?). But anyhow, you can check OS (Microsoft), and search for Vista. Only four things show up...

And the worst one of all, of course, is Teh Lunix.

It's been a horrible, horrible year for MS haters. Moreso than usual. Those tail lights just keep getting farther, and farther, and farther away...

Security through obscurity will never beat actual security.

I've been pointing this fact out for years. And been getting modded down for the inconvenient truth, as well!

OS X
Windows XP
I don't know why Vista doesn't have it's own category (maybe not enough to report?). But anyhow, you can check OS (Microsoft), and search for Vista. Only four things show up...

And the worst one of all, of course, is Teh Lunix.

It's been a horrible, horrible year for MS haters. Moreso than usual. Those tail lights just keep getting farther, and farther, and farther away...

Security through obscurity will never beat actual security.

I understand that reality may not be quite as tidy, but it still seems like a virtualized system would be much more secure that a non-virtualized system, if only because the increased level of knowledge involved means a smaller number of hackers capable of exploiting both layers. What am I missing?

I think you might be assuming that the security provided by the OS and the VM are multiplicative, that the result of having both is much stronger than the sum of the two parts. But that might not be true, because an attacker does not have to compromise both systems at the same time. He can attack the OS, get control of that, then use it as a launch pad to hit the VM.

Others have argued that the VM will be more secure than the OS because it is smaller and simpler, and in general I think that is a good argument. Less code = less bugs. But VMware was not designed as a security tool, and it is actually very large because it contains reverse drivers for virtual hardware (Ethernet and VGA, for example). Bugs in this code could be serious security problems (example). To take another example, the QEMU VM lets you use SLIRP as a quick and dirty way to get networking running. But SLIRP is notoriously filled with security bugs. It's useful, but it's not designed to be secure, and if you use it, QEMU can't stop malicious programs escaping the VM through SLIRP.

Here is one.

Beware of a false sense of security! VMware was not designed to be a security tool.

Mod the parent up. Clearly VMWare is superior to Microsoft Virtual PC in that it allows for significantly greater functionality, such as allowing Remote Users Execute Arbitrary Code, Lets Users Read/Write Arbitrary Files, and Stores Passwords in Memory. And that's just the start of their "feature" set!

http://www.securitytracker.com/archives/target/537 .html

Obscurity: the greatest security model the FOSS community has come up with yet!

Mod the parent up. Clearly VMWare is superior to Microsoft Virtual PC in that it allows for significantly greater functionality, such as allowing Remote Users Execute Arbitrary Code, Lets Users Read/Write Arbitrary Files, and Stores Passwords in Memory. And that's just the start of their "feature" set!

http://www.securitytracker.com/archives/target/537 .html

Obscurity: the greatest security model the FOSS community has come up with yet!

As TFA mentions, this is a buffer overflow problem. Most buffer overflows can be exploited easily unless additional OS safeguards are in place -- StackGuard, Address Space Randomization, etc., and even then, a determined hacker may still find his way in.

There are a few existing examples of buffer overflows against JPEG2000, and they can be exploited much in the same way the WMF exploit is -- malformed file is read into reader, causes buffer overflow in JPEG2000 library, causing the execution of arbitrary code. Next up: the reader (and system in general) gets compromised to do the hacker's bidding.

The article doesn't mention it, but VMware has had bugs that let malicious code "escape" onto the host. An example. Virtual machines aren't perfect.

In other news, researchers were shocked to hear the sun set in the west.

Do the math yourself. Lunix has more bugs than an ant hill. OS X has more holes than swiss cheese. And by comparison, they make Windows look like Fort Knox.

The problem, dear Brutus, lies not in our operating systems, but in ourselves.

Lunix's #1 deficiency is that it isn't Windows. That's going to be pretty difficult to 'fix', and creating yet another text editor isn't going to help.

You want some stuff to fix? Ok: get Lunix to auto detect and auto configure new hardware. Must function at least as well as Windows 95... a feat no Lunix distro has managed to accomplish.

Also... you might want to work on a few of these while you have your hands in the Lunix source code. Oh, and perhaps check out some of this stuff, too.

Maybe after that, you'll actually be caught up to Windows 95, rather than chasing it's tail lights. Best of luck to ya! Maybe you can have that done before Windows 95 hits 15 years old?

The problem, dear Brutus, lies not in our operating systems, but in ourselves.

Lunix's #1 deficiency is that it isn't Windows. That's going to be pretty difficult to 'fix', and creating yet another text editor isn't going to help.

You want some stuff to fix? Ok: get Lunix to auto detect and auto configure new hardware. Must function at least as well as Windows 95... a feat no Lunix distro has managed to accomplish.

Also... you might want to work on a few of these while you have your hands in the Lunix source code. Oh, and perhaps check out some of this stuff, too.

Maybe after that, you'll actually be caught up to Windows 95, rather than chasing it's tail lights. Best of luck to ya! Maybe you can have that done before Windows 95 hits 15 years old?

Yep:

http://www.securitytracker.com/

The numbers don't line: Lunix and OSX suck, compared to Vista (and XP as well).

Hmm... more secure?

Let's see what an authoritative source has to say....

Windows?

OS X?

Windows XP is obviously the more secure OS.

Here's a hint: "lets remote users execute arbitary code"... I think we can safely label that one an "exploit", in your terminology. Welcome to the real world, pal.

Hmm... more secure?

Let's see what an authoritative source has to say....

Windows?

OS X?

Windows XP is obviously the more secure OS.

Here's a hint: "lets remote users execute arbitary code"... I think we can safely label that one an "exploit", in your terminology. Welcome to the real world, pal.

For this configuration exploit, this SNMP vulnerability, this IP sequence generation problem, this ICMP vuln, this H.323 problem, and this buffer overflow.

NOTE: Some of the listed problems indicate a "Cisco 3200 Catalyst", which may not be the same as the orbiting "Cisco 3200 Mobile Access Router". IANACG (I am not a Cisco geek).

Amazing how in the rush to bash Microsoft, Slashdot overlooks just oh so much.

But I guess it's hard to keep up the drumbeat on the anti-MS FUD machine if you spend too much time in the reality-based community.

MS Exchange Server has supported IMAP for years.

If an organization really, honestly, truly wants to not use Outlook... NOBODY is forcing them to. But it's so much easier to whine and moan.

Exchange is the best product of it's kind out there. Ever try using Notes? Yech... what a train wreck. How about Openview? Disaster. Oh wait!! Let's use Fetchmail!

One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)

All anyone cares about is to have hardware with free drivers, from there any distro can be installed. The continued acceptance of M$'s inferior GUI and software for "hardware compatibility" is proof that the vast majority of computer users just want the system to work and will put up with all sorts of security and performance issues to get that level of "convenience". If Dell would select or demand hardware with free drivers, every major gnu/linux distribution would work - that's not hard at all. Picky people are going to reinstall the OS anyway and no one will blame Dell for that.

Anti-competitive pressure is what this ever boils down to. It will go away as hardware prices drop below $200 or so, because there's no room for software costs at that price point. That Dell is making noises like this now is good evidence that there's not much room for software costs at the $400 price point. The corporate price point is already there and that's why so many companies are dumping M$. The first vendor to deliver a $200 computer with nothing but free software on it is going to win big time and there's nothing M$ will be able to do about it.