Domain: symantec.com
Stories and comments across the archive that link to symantec.com.
Comments · 1,115
-
Re:DOS Viruses
And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.
Except in Vista, this isn't true. You need to either have elevated privileges (or have disabled UAC so that everything runs as administrator) to be able to write to the MBR, at least according to this website. Of course, UAC does not mitigate the issue if they attach to a publicly available installer (say kazaa-super-deluxe-installer.exe), since you'll need elevated privileges to run the installer and thus will click "Accept". However, since writing to the MBR is a highly unusual operation, they could bring another box that clearly marks the operation as unusual before allowing the write to the MBR.
Also, since the article mentions that the rootkit does not modify the registry, it would appear that all that is required to remove it is to do a "fixmbr" from the installation CD to overwrite the MBR with a clean copy (which is corroborated by Symantec).
-
Re:I've already started dumping Norton
According to their corporate timeline, the first products Symantec released were "natural language" tools for databases. Then, they started mergers and acquisitions. Funny, I've always thought of them as a compiler company (who moved on to other things), but their compilers were from yet another buyout. In 1987, they bought Think Technologies, makers of Lightspeed C and Lightspeed Pascal.
-
Troubleshooting IRQ conflicts still necessary
Don't believe me? IRQ conflicts make Ghost run slow on computers (2004), and believe you me that this is still a problem on Dell Optiplex 745s in 2007 and 2008!
-
Re:What's the problem, anyway?
"You DO know you can change the login dialog for Vista back to the old dialog that lets to select the Domain, just like in XP, don't you? You can even set this as a Group Policy."
Try it. Really. Without having to download third-party software. It's *close* but it's not what you think. It really doesn't do what I need it to. I need drop-down Domain/Local.
"Please tell me which imaging system allows you to push down a 4GB image over PIIX boot in less than 5 minutes."
Certainly. Ghost. Security Suite 2 (Ghost 10 or 11, I lose count). GhostCast running via some boot-disk-emulation over a PXE boot menu. Average deployment time of an image with XP + Office + all the usual (Flash, Quicktime, Shockwave, Realplayer, Adobe Reader, an unzip util etc.) in an admittedly highly-compressed image - 3:30. You should really get yourself a new network. Unicast is much faster for what I'm talking about (single machine rebuild) but multicast does more machines, so mass deployments are best done on a closed all-gigabit network without other traffic but I get these same times over our actual production network (which isn't anything fancy to be absolutely honest). Maybe another minute or two for things like SID-regenerations etc. but then you have a working desktop.
"I've never used Ghost for Vista images (because you're not supposed to)."
See below, it's supported by Ghost. But... My point exactly. Why can't I? They've just made another reason for me to not abandon my already long-established machine build/rebuild procedure for little to no reason.
"Ghost is a shitty way to deploy Windows. Period."
It works for us. It works faster than you could get it to work yourself. It's simple, clean, efficient, and ties in perfectly to the way the network operates. Users can do it THEMSELVES if you give them the password - boot, press F12 before Windows comes up, select from the nice netboot menu, type in password, the machine rebuilds in about 5 minutes (depends on the machine obviously, because it's mostly disk writing). And each time you do it, you KNOW the computer will end up in a perfect working state exactly how you intended. And the fact is that it works for all OS that we'll ever want to use, so long as the PC in question can PXE boot and we can get a disk image of the disk.
"If you have to have lots of multi-boot images you're doing something weird, like hardware testing."
Or, say, having more than one OS. Or even having "unusual" partitions to perform utility/rebuild functions as above. It's really not that difficult or unusual and to be honest, it's really not that important. My point is that I ALREADY possess a superior solution to the suggested built-in-to-Windows-and-crippled equivalent, as do most people who do it for a living.
"BTW, Ghost was discontinued years ago. Symantec Ghost is actually rebranded ImageCast and, unsurprisingly, it's not compatible with old Ghost images."
http://www.symantec.com/business/products/overview.jsp?pcid=2260&pvid=865_1
Quote: Support for Microsoft Windows Vista and 64-Bit OS's.
Purchasing Options: This product is available for purchase online in the Symantec Store as well as through resellers
I bought 50 additional licenses from a large reseller just the other day and media was still available if I wanted it. How is that discontinued?
Discontinued nope. Maybe not perfectly up-to-date but then I don't really care because, as is the point of this thread, I don't care about Vista or 64-bit, like 99% of places that deploy PCs. Plus all it does is bit-copy disks to a file from a DOS shell so it's hardly a complex program to support.
"You simply don't know what you're talking about. Do you understand how these tools are even used? You do realize that you NEVER have to make custom images again?"
Yep. But the build of one/two custom images means that I save more time than it takes to even set up the systems to deploy the -
Re:Definition?
Read the Symantec press release http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html It's an email exploit, and takes advantage of a vuln in the routers; the payload does its business without logging in. No password required.
-
Re:Definition?
The Drive-By part comes from the fact that you can "drive by" a website and be attacked. See the original paper http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf.
-
Re:Backup problems
You basically have to treat your VMs like they are each individual servers and back them up accordingly. I highly recommend Symantec Backup Exec System Recovery Server Edition.
http://www.symantec.com/business/products/overview.jsp?pcid=2244&pvid=1602_1
It works with any type of server but fits better in the virtualization environment.
-
Re:How many times?
No anti-virus software whatsoever? Are you talking about simple-minded myths?
http://www.symantec.com/nav/nav_mac/
http://www.mcafee.com/us/enterprise/products/anti_virus/file_servers_desktops/virex.html
http://www.clamxav.com/
That's off the top of my head - there may be more, but that's the big three... -
Re:How many times?
Symantec released a Mac antivirus app: http://www.symantec.com/norton/products/overview.jsp?pcid=ma&pvid=nav11mac/ however, it must be the easiest money Symantec ever made
:P I haven't tried it, but hopefully it's not as invasive as the Windows version -
Re:How is this a firefox problem?
I dunno. IE users are not vulnerable. Firefox users are.
Explain to me why the term "firefox" doesn't belong in the vulnerability writeup when only firefox users are exposed?
- Download the malicious file with IE. Don't play it inside IE, just save it somewhere.
- Double-click that file so that it opens in QuickTime.
- Add "Internet Explorer" to the vulnerability writeup.
If you look at the Symantec article, the malicious file ran in the standalone QT app, not in a Firefox plugin. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html
It's really apples and oranges. In the IE test, the malicious file was running inside IE via the plugin. In the Firefox test, it was not running inside Firefox via a plugin. Since it wasn't running in a Firefox plugin, the test really doesn't say anything at all about Firefox or its plugin system.
-
Your initial premise is incorrect
When you use QT in Firefox, it appears in the FF window itself; it in a very real way seems to be part of FF. We aren't talking about opening a file that then spawns another app, we are talking about opening something embedded in a page itself. As such FF is the one that is going to get blamed. Also, one can argue, they should share some of the blame. If you are loading a plugin in your app, perhaps you should load it in such a way that your app can keep control over it. Seems that the other browsers do this.
So while it isn't FF's responsibility to fix the specific bug, it could be an indication of how things should be done better.
No, the testing done in the article was not embedded inside the Firefox window. It did indeed spawn a completely separate app. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html
Apples and oranges here. The plugin inside IE is protected via IE's features. The standalone app outside Firefox, as expected, is not protected by any features of Firefox.
I don't know why it's run as a standalone app rather than as a plugin inside Firefox. Perhaps they didn't install the Netscape plugin or it's misconfigured. Perhaps Apple did a poor job of coding the Netscape plugin and it can only support some features, and has to pass other stuff out to the external program. But as it stands, Symantec's results on Firefox have nothing to do with Firefox's plugin system.
-
RT2FA: It's NOT a Firefox plugin issue
How do so many people have a problem understanding this? It's simple:
Non-Firefox browser: exploit fails to execute, instead protected by bounds checking
Firefox: exploit executes unchecked
How is that NOT a Firefox problem? If you don't use Firefox, you're immune. If you do, you're vulnerable. Even if the final cause is currently QuickTime, it's only a matter of time until some other plugin is found vulnerable and exploitable under Firefox but nowhere else.
Besides, Firefox and IE use different plugin models. Apparently the flaw is with Firefox's plugin model - clearly a Firefox problem.
The headline should read "Vulnerability in QuickTime. IE mitigates attacks via its QT plugin. Firefox doesn't fix problem in QT."
Per the Symantec article, the issue as related to Firefox is not with a plugin. The article states that QuickTime is run as a plugin inside IE and Safari. The vulnerable software is run inside the browser, and thus falls under the browser's control. http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_IE.html shows this. However, in the case of Firefox, QuickTime is run as a standalone app outside the browser. See http://www.symantec.com/enterprise/security_response/weblog/upload/2007/11/Image_FF.html. In this case, Firefox gets Item A and sees that the system is configured to handle that type of item with Program B. Therefore, Firefox hands Item A to Program B. It works exactly the same as launching the malicious file from the Run box.
Once again, it is not a problem with Firefox's plugin system because this is not running as a Firefox plugin. Let me correct your quote. See how that makes it a little less cut and dried?
Non-Firefox browser: exploit fails to execute inside browser plugin, instead protected by bounds checking
Firefox: exploit executes unchecked completely outside of Firefox
If there were a vulnerability in your email or FTP program, would you blame Firefox because it hands off mailto: and ftp: links to those external programs? Should Firefox be held responsible for malicious files (of any type - Word, MP3, .exe, etc.) that you download and then run externally? The Symantec article also mentions emailing attachments as an attack vector. Uh oh, Outlook and Thunderbird are also flawed, because they hand the file off to QuickTime to open too!
Also, judging by the IE pic, it appears that their "buffer overrun protection" is "crashing the browser". In this case, the QT vuln is also a DoS against IE, while Firefox does not have that vulnerability.
I agree that every program should do what it can to limit damage. However, Firefox can't do much about completely external programs. In this case, Firefox has no understanding of the data being downloaded, just that the system is configured to handle the data with a certain program. The only way to fix this is with filename/URL blacklisting so it doesn't open the bad URL (gee, that's practical) or by coding Firefox to understand every type of data it encounters. Essentially, code every other program into Firefox itself so that it can determine if the data is good or bad before handing it off (gee, that's practical). If this were a problem with a Firefox plugin, I would agree with you fully. However, it's a completely external program which Firefox has no control over, so I can't disagree more.
-
Googlewhack Spam
One good reason to remove the "I'm feeling lucky" feature would be Googlewhack Spam. Spammers create a page with a unique phrase on it, and then send out spam with the special "I'm feeling lucky" URL, e.g. the URL http://www.google.com/search?num=100&hl=en&c2coff=1&safe=off&q=coelacanth+sharpener&btnG=Search&btnI= actually takes you to Dave Gorman. Spammers send out emails containing the Google URL, which actually redirects to the spammer site - this helps to foil spam filters and also causes problems for spam reporting tools which misidentify the spammer as Google.
It can be pretty easy to foil, as this post on Shoemoney demonstrates.
And yes, you too can have fun in /. with Google queries for goatse.cx, tubgirl and 2girls1cup. -
Symantec reports yet another Google hole
Here's yet another redirection exploit on Google, reported in a Symantec security bulletin. This one exploits redirection in the "I'm Feeling Lucky" feature.
-
Re:Politics section
There are modern mail management systems that remove the user from archive functions. One such piece of software is offered by Symantec as part of a package which filters spam/virus/phishing while at the same time auto-archiving all inbound and outbound messages. There are other free options that the WH could take advantage of. Qmail now has a wonderful plugin ability that would make auto-archive a snap.
We are talking about GW's staff. These folks, dastardly as they are, are not tech-stupid. They have resources at their fingertips that would make any geek green with envy. They knowingly deleted messages and failed to preserve archives. The Presidential Records Act isn't a new piece of legislation, it's been around since 1978.
The technology exists, and the White House can afford it. The question remains, will the White House obey the courts when told "don't break federal laws" or will they continue to break the law as usual. -
More Info on the Worm
The article doesn't state it but this seems to be the worm W32.Drom. Symantec rates the threat as Very Low with 0-49 total infections. Take that with however many grains of salt you wish.
-
Re:What is the vulnerability?
During the weekend I found an interesting sample exploiting a possibly new and undocumented vulnerability for Windows XP and 2003. The exploit is a local privilege escalation that allows users with a restricted account to gain a SYSTEM shell with higher privileges. In my tests the exploit seems to work successfully against a fully patched Windows XP-SP2 and also Windows 2003-SP1. At this time, Vista does not seem to be affected by the problem.
-- Elia Florio
Local privilege escalation. -
Re:Early Adoption
And you just proved khuffie's point to a T.
Flaws in MS OS = "basic design flaws that may or may not be fixed when a service pack rolls out a year or so later"
Flaws in OS X = "Mail.app's spam filter gives false negatives in this corner case because we accidentally used an int instead of a float in this function", and most of them are usually fixed when a service pack rolls out a few weeks later
Funny, all those MS fixes that roll out the first Tuesday of every month must have all just been a product of my wild imagination.
P.S. All of you "there has never been a trojan or virus in the wild for OS X" can all shut up now. -
Re:It begins
Actually, there was the "MacMag" HyperCard trojan from way back in 1988...
-
Re:Built on Vista??
On our old IBM mainframe, you could create a standalone restore tape which you could IPL (boot) from. Pretty old technology in 1987, but it was built directly into the O/S without requiring 3rd party applications. But now we purchase crappy, expensive third party applications with fancy names like Bare Metal Restore (warning PDF). Everything is easier now, unless you actually need to restore anything. But "Bare Metal Restore" sounds so much cooler than "Standalone Restore". And it even has a GUI!
-
Re:How can that be?
I, like another commenter, think it's because of OEMs so often shipping AV trials that expire and they misunderstand and think "having antivirus included" meant having it all along. Users would probably be less confused if OEMs didn't include any antivirus at all, or offered a lifetime subscription for some extra cost.
One of my son's fellow co-workers wanted him to look at their computer to see why it wasn't connecting to the internet via the browser. When he got to checking he found a problem he has seen repeatedly: Norton was expired, but still on and blocking access from just about everything to the internet. So he shuts it down and heads to the Norton web site to snag their uninstaller being as the included one doesn't work very well. Once Norton was uninstalled he downloaded and installed AVG for them.
This ticked him off more at Symantec than he already was, especially on seeing yet again the number of different special removal tools for the various versions of Norton Security software there was. The uninstalls shipped with the software should work, but they do an extremely poor job of it and sometimes crash and lock out the systems. Norton needs to be dealt with before a system restore too, else it will cause it to fail. Not the only AV with this problem of course, but extra aggravating because of the requirement for the separate utility to actually clean it off the system. Not to mention that pre-Win95 most of the Norton products were fairly decent; one of my favorites was Norton Desktop which made Win 3.1 more controllable, but with the advent of Win95 on Norton products always seem to be broken. None to the extent that 95 and larger hard drives blew old Norton Utilities 8 away, wouldn't let Norton Desktop even exist for obvious reasons and Norton 95 was just a broken product from its beginning, IMO. After all this time it's still a memory hog that doesn't play well with others but then Windows doesn't always play well with others either and some have credited Norton Desktop on Win3.1 as having added extra push to Microsoft radically changing the GUI. -
Re:Random passwords
There have already been 'malicious javascript' attacks that reconfigure a router that has default user/name and password. Requires you to view a compromised (or malicious) website - but shows that even a physically plugged in router (with default credentials) can be compromised: http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
-
Maybe not so new
From the blurb: Li's cyber bug, which earned him about 145,000 yuan after selling it to other hackers from December 2006 to February this year, can prevent infected computers from operating anti-virus software and all programs using the "exe" suffix.'
Navidad did kind of the same thing but it seems to be a coding mistake more than the intended purpose of the virus.
Just for the record: I didn't read the article. -
Hmm
It doesn't really seem to do anything.
-
Re:Elaborate...
From Microsoft's own website.
List of known applications that service pack 2 broke
Untested updates are always bad for business.
AOL Toolbar 1.13.2 AOL 32-bit and 64-bit (NX) http://www.aol.com/ The Information Bar blocks access to the tool's edit boxes.
PhotoShop CS 8.0 Adobe 64-bit (NX) http://www.adobe.com/products/photoshop/main.html Program installs, but will not start.
BlackICE 3.6 crj Internet Security Systems 64-bit (NX) http://www.iss.net/ When you use this program, you may receive a Stop error that causes the program to quit.
BootSkin All Stardock 32-bit and 64-bit (NX) http://www.stardock.com/ When you restart your computer during the Windows XP SP2 Setup program, a Stop error occurs. For more information, see the following Microsoft Knowledge Base article: http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;873159.
Command Antivirus 4.9 Authentium 32-bit and 64-bit (NX) http://www.authentium.com/ This program does not start.
Encyclopedia Britannica 2000 Deluxe 1 Encyclopedia Britannica 32-bit and 64-bit (NX) http://www.britannica.com/ Java rendering does not function after you install this program.
eTrust EZ Armor 1 Computer Associates 64-bit (NX) http://www.ca.com/ The EZ Firewall part of this program generates a Stop error during installation.
Freedom Force 1 Electronic Arts 32-bit and 64-bit (NX) http://www.ea.com/ When you start the program, a message appears that points you to the following EA Web site: http://techsupport.ea.com./
Kaspersky Anti-Virus (German) 4.5 and 5.0 Kaspersky Labs 64-bit (NX) http://www.kaspersky.com/ Real-Time scanning does not work in version 4.5 or 5.0. The vendor's Web site has available product updates that are designed to address this issue.
Live Motion 1 Adobe 32-bit and 64-bit (NX) http://www.adobe.com/ This program displays various errors that prevent typical operation.
MapSend DirectRoute 1.0 Magellan 32-bit and 64-bit (NX) http://www.magellangps.com/ When you start the program, a message appears that points you to the following Web site: http://www.magellangps.com/en/support.
MPEGcraft DVD All Canopus 32-bit and 64-bit (NX) When you try to save an MPEG file, you receive a "Failed to Edit" error, and the file cannot be saved.
NBA LIVE 2000 1 Electronic Arts 32-bit and 64-bit (NX) http://www.ea.com/ This program does not start in certain systems.
NOD32 for Microsoft Windows 2.000.11 Eset 64-bit (NX) http://www.eset.com/ When this program is started on an AMD64-based computer, all network connectivity is lost. To resolve this issue, upgrade to NOD32 version 2.12.2 or higher.
Norman Personal Firewall 1.4 Norman 32-bit and 64-bit (NX) http://www.norman.com/ Norman Personal Firewall Assistant will not start.
Norman Personal Firewall 1.4 Norman 64-bit (NX) After this program installs and restarts, the desktop does not load correctly.
Norton AntiVirus 2003 Symantec 32-bit and 64-bit (NX) http://www.symantec.com/ At system startup, Scheduled Tasks in Norton AntiVir -
Re:Solution???
It is a backdoor trojan, not a worm - largely spread via email .exe attachments, but also installed by at least one other mass mailer worm, W32.Mixor.Q@mm.
http://en.wikipedia.org/wiki/Storm_Worm
http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=2
It's detected and removed by the usual array of anti-virus software (it installs a malicious device service %System%\wincom32.sys, that joins it to the private distributed P2P control network). However, it does also have capability to download additional malicious software, and has changed form several times.
http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
Currently the malware being downloaded is as follows:
game0.exe: A downloader + rootkit component - detected as Trojan.Abwiz.F
game1.exe: Proxy Mail Relay for spam which opens port TCP 25 on the infected machine - detected as W32.Mixor.Q@mm
game2.exe: Mail Harvester which gathers mail addresses on the machine and posts them as 1.JPG to a remote server - detected as W32.Mixor.Q@mm
game3.exe: W32.Mixor.Q@mm
game4.exe: It contacts a C&C server to download some configuration file - detected as W32.Mixor.Q@mm -
Vista is a failure.
And you got all this unsubstantiated speculation from where, exactly?
Well, since you asked, Microsoft's ME II, better known as Vista, is causing unhappy faces everywhere I go. It isn't just that people don't want to use it, or that it's insecure and buggy or that the very word vista has "failure" attached to it. It isn't that Vista isn't even compatible with Microsoft's own SQL Server.
Most of the people that I know only care that it's not possible to deploy Vista with industry standard tools. A rollback is likely, and there are substantial unresolved issues preventing deployment.
Although I'm aware you don't appreciate twitter's attention to these matters, I do. I do appreciate twitter's attention to these things quite a lot.
Thanks, twitter.
-
And Monster's publicity team says...
Nothing. Absolutely nothing.
The story's all over the media and the internet, Symantec has a blog post and a virus writeup, and what's on the front page of Monster? Not a damn thing. No "your personal info may have been stolen", "hey, yeah, that data breach thing, we're looking into it", no acknowledgement of any kind. Their press page contains bulletins about the Monster Employment Index and their top ten workplace etiquette tips. Looks like we're going to see another good example of how not to handle negative press related to a security issue.
-
Symantec has a very detailed explanation of it
Symantec's explanation
The trojan (called Infostealer.Monstres) seems to be using HR login details (possibly stolen) to access the hiring.monster.com and recruiter.monster.com sub-domains and download candidate information. It also seems to be similar to a previously known trojan called Trojan.Gpcoder.E.
Symantec estimates that 1.6 million people (mostly from USA) have been impacted.
They have informed Monster about it -
Two options
I have been using BackupPC for some time now with great results. Despite its name, the software is quite powerful and easily fits borderline enterprise requirements. It'll function with most platforms out there, and has some nifty options for laptop users - meaning the intermittently connected machines.
I have also used Symantec's BackupExec with the Desktop and Laptop Option (DLO) with mixed results. It fits the bill if you're running a homogeneous network.
I wish you good luck. Having fully backed up laptop machines is A Good Thing in my book. I often find disks in portables to be more error prone than stationary machines', though this is probably caused by the wear and tear of a mobile PC.
-
Re:Why not an anti-virus virus?
No imagination required, they have existed for ages. Numerous malicious worms / trojans try to kill off the competition, and there have been some "benign" ones in the wild just as you describe, e.g. Code Green and friends created to respond to Code Red / Code Red 2. The problem is that there can't really be a truly benign / beneficial worm because it's still changing systems without permission, e.g. some of the anti-Code-Red ones made it hard to tell which machines had been patched properly. Also any self-replicating code tends to have unexpected side effects. Welchia was created to combat Blaster, but brought subnets to their knees ping scanning for machines to patch, in many cases causing more disruption than Blaster did
... -
Re:Symantec = Obsolete
It's true: http://www.symantec.com/about/news/release/article.jsp?prid=20070129_02 Yet another product that is soon to be Symantec crap. I miss when Norton was good. I'm glad I still have a copy of the last non-Symantec Partition Magic and Drive Image. Every time they buy a company its products turn to poo - it's the magic of Symantec! -
Re:Im actually waiting for a callback right now...
Symantec have quite a lot of products. Are you saying none of them are any good?
-
Re:missing one thing
Remember what happened when Apple released the Airport Express with support for non-NAT'd IPv6?
I sure do. Apple screwed up an implementation and therefore no one else will ever be able to get it right.
Similarly, Nimda, Blaster, and SQLSlammer permanently ended the use of webservers, operating systems, and databases.
-
Spyware yup.
Symantec corporate flags the alexa toolbar as spyware, so I couldn't run it if I desired to.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-062410-3624-99 -
Re:That's not true...
According to Symantec (who else?), Inqtana is a proof of concept worm that never left the lab, described here. Symantec describes Leap as a worm (described here), though frankly I would call it a Trojan horse - it delivers itself as an attachment to an iChat message, and must be locally saved and executed.
Never seen either of them, myself. -
Re:Windows coders
1. Prove it. What you're saying is absurd; if signatures were that easy to forge, the whole e-commerce industry would be falling apart (and not only).
Must I prove it? Well, okay. go here:
http://www.eweek.com/article2/0,1759,1995993,00.asp
Then, go on to read this:
http://www.symantec.com/avcenter/reference/Security_Implications_of_Windows_Vista.pdf
I'll admit that those above are related largely to Vista, but the concept of driver signing started in Win2000 and each release did manage to add more to the original notion.
And while it's true that locking out unsigned drivers entirely is a good deal, I think it will demonstrate more problems than benefit. The real problem will result from forged signatures, and if you would like to assert that people out there would not be able to break the encryption involved in the process, please stand up and make yourself humiliated publicly. If it can be encrypted, it can be decrypted. If there is a key, it can be unlocked. These are not laws I just made up, these are laws of nature. These security mechanisms rely on secrecy and if you think it through to its conclusion, no secret can withstand the determination of the crackers that exist today.
2. That's the case with XP. Vista doesn't allow *at all* unsigned kernel drivers to be installed. The user has no choice but.. well, he has no choice. He won't install the driver.
Uhm... people are actually *using* Vista? Okay, that's sarcasm mostly, but I think it's pretty clear that a strong and dominant portion of the population are resistant to Vista for the moment and will continue to be resistant, I predict, until no other options are available. -
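The exchange above turns on how a kernel driver's signature is checked. As an added example (editor-supplied, not part of the comment thread or any Symantec material), the script below audits the drivers currently running on a Windows host and reports each one's Authenticode signature status, which is the defender's side of the driver-signing mechanism under discussion. It assumes PowerShell 5.1 or later on Windows and uses only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature); the function name Get-DriverSignatureReport is my own.

```powershell
# Added example: report the Authenticode signature status of every running
# kernel driver. Editor-supplied; Get-DriverSignatureReport is a made-up name.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # The Service Control Manager stores NT-style paths such as
            # \SystemRoot\system32\drivers\x.sys or \??\C:\...\x.sys;
            # turn them into ordinary Win32 paths before checking the file.
            $path = $_.PathName
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
                return
            }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                # Status values include Valid, NotSigned, HashMismatch, UnknownError
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Anything other than 'Valid' deserves a look. HashMismatch in particular means
# the bytes on disk no longer match what the signer signed, which is what a
# tampered driver produces; the signature is verified with the signer's public
# certificate, so no secret needs to live on the machine doing the check.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

One caveat when reading the output: many Microsoft inbox drivers are catalog-signed rather than carrying an embedded signature, and older PowerShell versions report those as NotSigned. Treat NotSigned on a file under the Windows directory as "verify against the catalog" rather than as proof of tampering, while HashMismatch or an unexpected Signer on any driver warrants investigation.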
Re:Bashing?
When I was younger my best tactic for fixing a computer issue was to format. As I got older I realized that solution is impractical.
Yeah, I guess that's why products like this aren't popular at all with Windows users. Half of our office computers at work had Windows reinstalled at least once, from scratch. This is all too common with Windows systems, in my experience.
I know that /. is renowned for its anti-Windows slant, but sheeze, if it's broken, fix it. An OS that requires a full disc image to get working again every once in a while has a problem. -
Re:What OS
Naming convention idea: follow Symantec's lead: http://www.symantec.com/avcenter/vnameinfo.html
Ex: W32.BAT.FirefoxAndIEriskThisAffectsYouAndItsReallyBigItCanEvenSpawnBatchFilesOMG.dr.A -
Re:Ok, I took your advice, & here is what I fo
"Check the percentage of pwned IIS servers and the uptime of Apache on Linux" - by Technician (215283) on Wednesday June 20, @01:12AM (#19574975)
I tell you what, I will use the # of vulnerabilities found in BOTH webservers, because I could find it easily enough!
Bookmark this page;
http://isc.sans.org/ The SANS Internet Storm Center keeps track of data swarms caused by worms, bots, and other out of control threats. When they occur, pay attention to what machines are exploited. It's not always workstations on cable modems.
http://news.yahoo.com/s/ap/20070620/ap_on_go_ca_st_pe/dhs_computer_security
Care to guess the OS exploited?
Nice try.
IIS (first URL) shows less bugs/vulnerabilities than Apache (2nd URL) does (and less critical ones) & in fact, 10 TIMES LESS!
They tested Apache version 2.0.x. The current versions are 2.2.x. I can declare Windows 98 full of unpatched problems.. and be right.
IIS secure? Apache secure?
They both have exploits. The number of exploits is one thing. The number of exploited machines is another.
http://www.google.com/search?hl=en&q=IIS+exploits&btnG=Search
http://www.google.com/search?hl=en&q=Apache+exploits
To make you feel good, here is a current Linux exploit;
http://www.scanit.be/uploads/php-file-upload.pdf
And Windows exploits
http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html
http://isc.sans.org/diary.html?storyid=2994
http://isc.sans.org/diary.html?storyid=2985
http://isc.sans.org/diary.html?storyid=2979
http://isc.sans.org/diary.html?storyid=2976
A Safari exploit;
http://isc.sans.org/diary.html?storyid=2982 (It's on Windows, not Apple)
To be fair some Linux worms and exploits;
http://www.packetstormsecurity.org/unix-exploits/linux-exploits/
For workstations which visit the web, I avoid Windows. Just seeing the headlines is enough.
http://news.bbc.co.uk/2/hi/technology/6465833.stm
I know they were nice and didn't bother to mention the OS, but I think it's very likely the monoculture OS. If you have any data on the number of non Windows bots in the herds, let me know. I'm looking for any data on the breakdown of OS on exploited bots.
Current June 2007 exploit list... http://www.packetstormsecurity.org/0706-exploits/
From the list.. 06072007-CVE-2007-2237.zip
Description:
Microsoft Windows GDI+ ICO file remote denial of service exploit.
comicsense-sql.txt
Description:
Comicsense suffers from a SQL injection vulnerability in index.php.
CVE-2007-2815.txt
Description:
Exploit that takes advantage of the Microsoft IIS5 NTLM and basic authentication bypass vulnerability. I wonder if this is one of the patched MS ones?
Many of the exploits are php / SQL exploits. I don't think MSSQL is immune.
Feel free to resear -
Re:Woe is Symantec
It's amazing how many XP problems can be fixed by running Symantec's symnrt utility and installing something not made by Symantec afterwards.
-
Re:man I hate it being bundled
This actually does a good job of removing all Symantec products. I finally removed NPF & NAV from my work PC and it got everything minus one empty Symantec folder in Program Files\Common Files. Removal tool.
-
Re:Let me be the first to say...
If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.
Ok, so I feel detached and amused, but I'm still left wondering why it is that Windows users always seem to have all the new neato features.
From Symantec's Malware Update with Windows Update
It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth. It's a very nice component and if you consider that it supports HTTP and can be programmed via COM API, it's the perfect tool to make Windows download anything you want.