Slashdot Mirror


Windows Security Holes Go Mostly Unexploited

murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and virii, most MS users aren't the target of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."

29 of 552 comments

  1. And how many by TerryAtWork · · Score: 5, Insightful

    of these holes are exploited by adults who are quiet about it instead of big-mouth children?

    --
    It's Christmas everyday with BitTorrent.
    1. Re:And how many by MonTemplar · · Score: 3, Insightful

      Who knows? If anyone has been exploited, they ain't telling...

      --
      -MT.
    2. Re:And how many by JoeBuck · · Score: 5, Insightful

      If your Windows PC has a fast (DSL or cable) connection, it may well be one of thousands of machines owned by some jerk who wants to use it to launch DDoS attacks. Its owner may never notice any difference: it appears to operate normally, only sometimes the web seems a bit slower than expected. The attacker has an interest in having the machine appear to be "normal".

    3. Re:And how many by pod · · Score: 3, Insightful
      Who knows? If anyone has been exploited, they ain't telling...

      Perhaps because they don't know? I know I wouldn't notice someone sneaking away my IE history file, or the password file, or a couple of mp3s.

      --
      "Hot lesbian witches! It's fucking genius!"
    4. Re:And how many by glesga_kiss · · Score: 5, Insightful
      99% of Windows users have no way of knowing if they're compromised!!

      Woopiedoo. What percentage of Linux users installed Tripwire or similar first when they built their box? How will those who didn't notice that they are compromised?

      Anti-intrusion systems should be built into the OS. "This binary has been tampered with, refusing to run it" is what we need, but somewhere in a happy medium between that and the "trusted computing" that is creating fear amongst the geek community.

  2. In other news by Exiler · · Score: 5, Insightful

    Thousands of people are in dark alleys every day and rarely are any shot, raped, mugged or sodomized.

    --
    Banaaaana!
    1. Re:In other news by Sc00ter · · Score: 3, Insightful
      Most household locks are easy to kick in. Yet many houses are not broken into.

    2. Re:In other news by Telex4 · · Score: 5, Insightful

      Well put :)

      The fact that the bugs go unexploited is a good thing, but it does not excuse the bugs. People are unlikely to want to switch from Windows to another OS simply because there are lots of security holes, because they rarely encounter them. From your average user's point of view, they're no big deal. But that doesn't excuse Microsoft from allowing them to exist, just as the low number of rapes doesn't excuse governmental organisations from allowing dark alleys to exist. Every rape is tragic. Every bug exploited is of course not as tragic, but certainly an inconvenience for the victim, and at times a rather large financial problem for companies.

  3. Well yeah, by autopr0n · · Score: 5, Insightful

    because they don't notice these viruses.

    Saying that unprotected Windows machines go un-hacked is ridiculous. Just look at your server logs (if you run a web server). How many automated hack attempts do you see? Quite a few.

    Tons of people are infected with viruses and spyware (now that shit should be illegal, god damn) but they never notice or care, as long as their computers keep working.

    --
    autopr0n is like, down and stuff.
    1. Re:Well yeah, by sjames · · Score: 3, Insightful

      Agreed.

      Apparently malicious code inserted into Windows by 13 year olds with nothing better to do doesn't harm stability any more than what MS put in there. (O.K. that's out of my system now)

      The other factor is probably that most people don't have anything all that interesting on their PC that couldn't be gotten more easily on a warez newsgroup. The same reason most people needn't worry about neighbors listening in on their cordless (or even tapping in at the NID on their landline).

  4. Re:Good thing by tshak · · Score: 5, Insightful

    That's not the point. The point is that these flaws are not necessarily practical to exploit, or can't be because of a firewall/NAT.

    This doesn't mean that Windows' security doesn't need a LOT of work - it does. It's just that practically speaking many exploits are not "the end of the world" as many news sites (*cough*) would like to make it seem.

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  5. Sooner or Later by robbyjo · · Score: 5, Insightful

    Experts who discover and report security holes seem to be far more industrious than the malicious hackers willing or able to exploit those holes.

    The problem is that the article fails to mention that if the holes are not fixed, sooner or later the so-called malicious hacker will find it and exploit it *quietly*. This is a dangerous thing.

    IMHO, better to expose it and then *quickly* fix it rather than do nothing.

    The problem is now that Microsoft knows (or is being told) about the holes but often takes a very long time to fix them and sometimes ditches the bugs as "unimportant". This is even worse as this *will* give plenty of opportunity for the hackers to implement the exploit.

    --
    Error 500: Internal sig error
  6. There is a reason for this by SeanTobin · · Score: 5, Insightful
    Let's think of all the benefits of hacking a home user's computer:
    • Steal the HS research paper on crop circles
    • Grab secret financial information
    • Use as a proxy to hide the hacker's identity*
    • Part of a DDOS attack*
    Now, let's think of all the benefits of hacking a server/website
    • 50000 working credit card numbers, names, and addresses
    • Prestige in the community of linking to this prestigious website.
    • Setting up a high volume warez server
    • Possibly getting media attention

    Also note the last 2 reasons for hacking a home computer are really for working with servers. The truth is, not too many people really care about hacking your computer, unless it's a means to an end.
    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
    1. Re:There is a reason for this by JoeBuck · · Score: 3, Insightful

      Note that in the last two reasons you give -- use as a proxy to hide identity, and use in a DDOS attack, it is in the interest of the attacker to hide the fact that there has been a successful attack, and to allow the owner to continue to use his/her machine normally. If the owner notices that something is wrong and re-installs the OS, the black hat loses the box. So, naturally the home user thinks he has no security problems. The attacker might even have patched a few security holes, so no other attacker can take it over.

  7. Re:What a load of horse feces by Cyclometh · · Score: 4, Insightful

    Just because your girlfriend's computer got compromised doesn't make the article's position incorrect. Even a few hundred zombies on some script kiddy IRC channel doesn't invalidate the contention.

    I really don't think you can use your individual experience as a barometer for the world at large. Being cracked isn't a unique experience, but it's not as common as the FUD-mongers would have us believe.

  8. Security through "It hasn't happened yet" by burgburgburg · · Score: 3, Insightful
    The authors are astonishingly naive if they can look at the huge number of exploitable holes available and declare "Oh, things aren't that bad because nobody has really exploited them so far."

    Do we doubt that there are malicious, destructive and/or idiotic people out there? Do we doubt that there are enough relatively easy-to-exploit bugs out there that can have amazingly destructive consequences?

    While I would love for there to be a more holistic approach to security, as long as the majority software platform (with all of its variants) is rife with holes and the security repair falls exclusively to the same people who built it bad in the first place, I'll take point-by-point/line-by-line review any day of the week and twice on Tuesday.

  9. Exploits == Security Holes? by Anonvmous Coward · · Score: 5, Insightful

    One thing that bugs me a bit about this article is that it defines an exploit as a security hole. While this is true, the tone of the article makes it sound worse than it really is.

    I mean, think about what an exploit really is: Somebody has taken a feature of Windows and turned it against the user or the user's machine. The problem I see here is that you can't have a totally secure machine and have all those fancy features you like.

    I'll give you an example: I use Outlook's to-do list to keep track of my tasks. There's a feature where you can attach shortcuts to each task. I've found this handy, whenever I need to do my time sheet I just pull up the task and double click the shortcut inside of it. Now, in order to 'crack down' on security on my computer, I turned off a bunch of those handy-dandy features and found myself unable to launch that shortcut anymore!

    Now, before you start saying "Oh, MS could easily fix that...", instead think about the real problem here. Either I don't use that feature at all, or MS has to think of every single malicious use of a feature and only allow the non-dangerous ones. Sorry, that's not a good solution. You're holding MS (or anybody else) responsible for other people's creativity.

    I'm not saying that MS is unfairly given a bad rap for this whole topic. I think their default choices are ill-thought and have caused serious damage. However, it needs to be considered that there is always an inherent risk with any piece of software you use. It's not a matter of security holes, it's a matter of deciding whether or not it's worth the risk.

    I, for one, would never underestimate people's creativity. I read about an insurance scam once where this guy got fire insurance for each of his cigars, over $1,000 apiece. Then he smoked them. He took the insurance company to court, and the judge reluctantly ruled that the insurance company had to pay the guy $12,000. Fortunately for the insurance company, though, they were able to charge him with arson. Heh he got a hefty fine ($10,000 ish? I don't remember..) and served jail time.

    Now, if you think about this insurance company, you probably wonder why they didn't have a policy about cigars or items that were meant to work with fire? Well, it's simple: They never imagined that somebody'd do that. The only way they could be fraud proof is if they were to clearly define the rules for every ridiculous outcome they can think of. Know what'd happen then? There would be people unable to redeem fair claims because their unusual case strayed outside the boundaries that are clearly defined. There would also be that one guy who figures out a creative way to buck the system anyway. The insurance company is far better off coming up with ways to deal with the eventual fraud instead of over-relying on their policies and laws to protect them.

    So where does that leave us computer people? Well, it's simple: Using a computer is risky. Take a few risks but protect yourself. Worried about people stealing your credit card info on-line? My answer is not: "well don't use one then!" Instead, my answer is: "Get a credit card with a company that'll protect you in that event." Worried about data loss? Make backups once in a while. Worried about hackers breaking in on your always on connection? Use a firewall, but use common sense too. A firewall is the equivalent of shutting a few windows, it's not a structural reinforcement.

    Total security is a pipe dream. Instead of blaming Microsoft, take some sensible precautions to minimize the damage done. The benefit here is that you protect yourself from damage that can happen outside of the exploit world. (Lightning strikes, hardware failure, children...)

  10. Can't extrapolate this to determine overall risk by Waffle Iron · · Score: 5, Insightful
    In spite of 50 years of lax security, the U.S. airline industry has traditionally had little problem with hijackings and bombings. What can we learn from this statistic? As things turned out, not much.

    Likewise, every remote root exploit makes it technically possible for this to happen. Even if relatively few people are being hacked by script kiddies today, that says nothing about the odds of a highly skilled attacker pulling off a single massively devastating attack.

    This report is no reason for complacency.

  11. Re:M$ is the Disease by JoeBuck · · Score: 3, Insightful

    Too late, we're already infected.

    We'd have to eradicate Microsoft before the KDE, Gnome, and Mono projects finish cloning all of their convenient but insecure features (autorun when someone puts a disk in your CD drive, macros in your documents, Visual Basic scripts in attachments, click and run everything). Trade press folks saying that Linux on the desktop will never succeed until the apps work exactly the same way, when many of the security holes are simply logical consequences of the features as designed.

  12. Re:Opaserv exploited one by blincoln · · Score: 3, Insightful

    You might want to check your sources, as NO virus to knowledge has nor will be able to destroy a Hard Drive or BIOS on the physical level.

    Overwriting the BIOS with garbage is as good as destroying it, unless you have a system with dual BIOS chips. If you can't boot to DOS, you can't re-flash it with the correct software.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  13. As it is in the real world... by Rorschach1 · · Score: 3, Insightful

    Most unlocked doors and windows don't result in a burglary, either, but for everyone to ignore the issue is a bad idea when there are bad guys running around out there who can just walk in at will.

    Of course most vulnerabilities don't get exploited, it's just a matter of volume.

  14. Security holes = hidden tax that affects all by raque · · Score: 4, Insightful

    This is the sort of crappy reasoning that states that since most people don't get whacked by the Mob, the Mob doesn't mean much. In NYC for years everyone paid a 1 percent Mob tax. That was the amount prices were inflated to cover corporate losses to the Mob. If you wanted to build a building the cement was controlled by the Mob. Then you had, and have, labor rackets.

    If a company is hacked and blackmailed they often don't report it. But the cost is passed along to the consumer.

  15. The biggest security hole by Radical Rad · · Score: 4, Insightful

    The biggest hole is the end user. Tight network security means nothing if the end user can run a trojanized screensaver sent to him by email or downloaded from Joe Blow's Web Emporium and infect his own machine.

    And I have heard claims that as many as 90% of security breaches go undetected. Think about it. How many of even you Linux users actually run tripwire on your personal system? What percentage of people do you think even check the md5sum against their downloads before compiling as root? It is small I guarantee. I once posted the wrong md5sum for a release of an open source project and it was downloaded hundreds of times without anyone saying anything.

    Another reason they go undetected is that many trojans are customized. If you were going to plant a keystroke logger on a target's computer would you use one that is found by McAfee antivirus? No. You'd compile your own; changing the signature, different size, different port, different protocol, and only use that particular version in that one instance.

    Of the breaches that are detected, many are not reported. What bank or online retailer wants people to know that their personal data was stolen? So just because there hasn't been a Code Red lately doesn't mean all is well.

  16. Very simple answer by lseltzer · · Score: 3, Insightful

    People who run antivirus software and keep it up to date are almost completely immune to this nonsense. And it's not like they haven't been warned; anyone who thinks about this knows. Almost everything out there that's prevalent in the wild was patched by MS or put in everyone's virus definitions long ago.

    Here's the virus count for my gateway since July 4 of this year:

    717 WORM_KLEZ.H
    120 WORM_SIRCAM.A
    45 WORM_YAHA.E
    11 PE_NIMDA.E
    6 WORM_BUGBEAR.A
    2 WORM_HYBRIS.B
    1 JS_NIMDA.A
    1 WORM_HYBRIS.C
    1 WORM_KLEZ.E

  17. Re:Why... by drudd · · Score: 3, Insightful

    It's not at all puzzling that we haven't seen malicious virii. Something which destroys its own host hampers its ability to spread (you can't keep infecting new computers after you destroy the current one).

    Outbreaks of Ebola and other very quick killing virii stamp themselves out due to lack of new hosts.

    Doug

    --
    Venn ist das nurnstuck git und Slotermeyer? Ya! Beigerhund das oder die Flipperwaldt gersput!
  18. haha, what crappy software! by ScubaS · · Score: 3, Insightful

    Yes, it is true that Microsoft has a lot of security flaws and they get the appropriate amount of flame for it, but the irony is how the open source losers completely ignore all the flaws that are publicly addressed regarding their own "kind" get dismissed on grounds of "who cares? it's been fixed.", "it's not that significant, it's open source!"

  19. Despite the thousands... by phorm · · Score: 4, Insightful

    Despite the thousands of known exploits and virii, most MS users aren't the target of much harm
    3 words... no shit sherlock. Despite the incredible stupidity of claims that Klez is ineffective, I'd have to say the reason that thousands of different virii/exploits/etc aren't being used is because the existing ones work very well to nail a large range of people. If 2% of the exploits hit such a large audience of say 100000+ people, why bother trying to hack up new methods?
    Once a given method begins to be less effective, then the hackers/etc can move onto something more effective.

    It's like having a changeroom with 1000 peepholes. Why do you need 998 of them when the one or two in the corner are showing you all you need to see?

  20. Tell that to flight 111 by Black Copter Control · · Score: 3, Insightful
    Security exploits are 'benign' until someone exploits them in a vicious manner. The security head at Boston's airport was probably going "Security here isn't perfect, but it's not like we have the problems that Israel does". If the US suffers from an electronic equivalent of Sept 11, it's going to be via the exploit of some of those 'benign' security holes.

    Security is not, and never will be, perfect but it does make it harder for an intruder to pull something off. Florida in the late '70s probably had the most stringent security of any airports in the states (lots of Cuban hijackers wanting to go home, etc.). Nonetheless, I was able to walk all over their security systems before I made the mistake of telling someone what I'd just done (asking for help, I was).

    It's not that most home users aren't affected by viruses, it's that most home users don't notice when they're infected. Most home users don't have the money to pay for someone who can watch their network on an ongoing basis for signs of intrusion. Even fewer are geekheads like me who can look at the blinking lights on my hub, go 'where did that traffic come from' and then load up Ethereal and/or go through my firewall logs (firewall? what firewall) to figure out if what happened was really benign.

    Even businesses -- One place that I do occasional work (the only Unix-head in a sea of Windows) didn't know that they were infected until I noticed way too much traffic for the time of day and started up Ethereal. I told their admin, he plugged the holes, and a little while later I found more signs of exploitation on their net. The last time I told their Windows admin about a problem, he had given up trying to secure their boxes. Spammers are still using their proxy boxes to deliver email but most major services (except Hotmail!) are refusing their connection, now.

    If Al Qaeda was using the thousands of 'benign' Windows exploits to set up a distributed meltdown of the internet, we wouldn't know it until after the pieces fell down. They spent 4 years setting up September 11. How much damage could they do with 4 years worth of Windows exploits?

    --
    OS Software is like love: The best way to make it grow is to give it away.
  21. In other news by jsse · · Score: 3, Insightful

    In Sudan there are about 2 million landmines remaining, and there are more than 700,000 landmine victims since WWII.

    "The average citizens wouldn't know a hack if it walked up and bit them," Sweeney said. "And many of the so-called landmines require a very specific event to occur and the odds are very slim that it will occur. "

    Idiot. People caring about the security problems is like Sudan's citizens caring about landmine problems. The fact that the majority of them are not victims doesn't mean it's safe out there.