SecurityFocus On MS Security "Hole"

friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.

So what?

If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

Re:So what?

[El+Cubano]

If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

There are as many people. Only with respect to Linux, they tend to be the developers themselves. Thus, the problems are usually fixed before the official kernel (or whatever other product) is released.

Not only that, but if you fall victim to a security breach in an unstable or development version of a product, you were probably warned. I have yet to see an unstable or development release that did not include something to the effect of: "Don't use this if your data is particularly valuable to you."

It's different with products from companies like Microsoft and Oracle, because we are almost always talking about "stable and complete" products.

Ubiquitousness doesn't explain MS vulnerabilities

[Infonaut]

If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

That's patently untrue. It's a well-known fact that Microsoft's security problems are not due to exposure alone.

Microsoft's development model is fundamentally flawed from a security perspective, because it squarely places featureset additions above security. The corporate culture at Microsoft is and always has been more about gaining marketshare than about anything else.

It seems that there are differences in security, above and beyond the monopoly domination Microsoft enjoys. How many ISPs use FreeBSD to run their servers? Hmm.. I wonder if there's more to it than just speed and the fact that FreeBSD is Open Source.

I'm not alone in my assesment. There's this security guru named Bruce Schneier. Perhaps his name has crossed your desktop at some point. He's contemplating getting a Mac, because he is tired of hassling with security problems on his Windows machines.

Re:So...

[CrazyDuke]

I do!

(boot sequence)

Windows has detected an error in the system registry and is now restoring a previous backup.

Registry fixed. The computer will now reboot.

(boot sequence)

Windows has detected an error in the system registry and is now restoring a previous backup.

Registry fixed. The computer will now reboot.

(boot sequence)

Windows has detected an error in the system registry and is now restoring a previous backup.

Registry fixed. The computer will now reboot.
...ad infinatum...

Re:I certainly do.

[zapfie]

You got the joke wrong.

They get Halloween and Christmas confused, because 31 OCT is 25 DEC.

(31 OCT would be 19 HEX)

Re:So...

[DrXym]

The registry is an awful thing for the simple reason it sticks all your eggs in one basket. Now I know technically there are various 'hives' but if the registry gets corrupted in any signifcant way you are completely screwed whether one hive is nobbled or another.

Your choices after that boil down to - restoring from a backup registry and praying that it works, or reinstalling. The recovery console is a joke and a last ditch effort. The only times I've required it are when I foolishly marked my temp folder as encrypted and a service pack used it before peppering my system32 dir with encrypted files and during recent filesystem data corruption. On neither occasion was it particularly useful and I was sorely pushed each time to recover to a working system.

At least Unix gives you a fighting chance since configuration files are all individually named and occupy different places on the disk. It is quite possible to identify the precise problem and fix it if necessary. Those files might be messier, but at least its easy to back them up (since they're not 'live') and *much* easier to restore them. It is my opinion that the registry is quite possibly the most awful things about Windows, even before considering the mess of registry keys it actually contains.

Open-source vs. Microsoft security? Apache vs. IIS

[hkmwbz]

It is difficult to prove this one way or the other. First, the source code for Linux is available, and as such more people can study it, and they probably do. Windows might be more widespread, but how many Windows users are actually knowledgeable enough to even find a security hole?

It doesn't matter how many users it has because they users won't be looking for security holes in the first place. So if you put 10 Windows users in a room, none of them would know much about these things. Putting 10 Linux users in a room, and you increase the chance that you'll find a real hacker. I'm a Windows user myself, so I'm not trying to sound like an elitist bastard. I haven't even uncovered any security holes in my life.

But it is difficult to determine this case, as there are a lot of questions and too few answers.

Let us instead look at a piece of software where the numbers are reversed - where Microsoft's product has only a small part of the market.

I am talking about the open-source Apache HTTP server, vs. Microsoft's IIS.

Apache has 60-70 per cent of the web server market. IIS has less than 30 at the moment. Yet, despite these figures, Apache has had far fewer known security issues than ISS. How does this fit with your question? Obviously, there are a lot more eyes on Apache due to its large market share?

So how does IIS come out so crappy when it comes to security?

I think we can come to the conclusion that your "it's not as frequently used so very few are looking for security holes"-like statement simply does not make sense. It is a myth. FUD?

Re:Ubiquitousness doesn't explain MS vulnerabiliti

[mystran]

I agree here. I've been using Linux since 1995 almost exclusively at home, for security, stability and development reasons, but the older I grow, the more I think of this:

It's great that we have security. Most people won't mind security. Even Joe Sixpack seems to understand that security is generally good. Now, people are starting to get that Open Source is secure, stable, blah blah blah..

The thing with Linux (and probably BSD's though I don't have much experience there) is that most people that know what is a server, can set up a linux server. Even most of those people can keep their server relatively secure with security.debian.org and shutting down redundant stuff and such. But even many of those people are not willing to switch to Open Source on desktop.

As I see it. Linux IS decent desktop OS too. If you pre-install Gnome or KDE or pretty much anything else for someone, they will be able to use it. My girl-friend has no trouble at all with my wmx-based desktop, after about 2 minutes of briefing. But the thing is, once things get nasty on Linux desktop they often need even MORE experience with the OS than when running a server.

Once you have to touch the command-line, it can be a pain before you get used to it, but finding the relationships between the nice GUI and all the scripting and configs and stuff, is even more so.

No flames though, this is getting better all the time, I think, but the fundamental nature of UNIX as opposed to Windows seems to make UNIX easier for someone who knows what he's doing (like sysadmin or developer) while Windows is still easier for my mother, which unfortunately might have to mess with the network settings to read her mail, even if somebody assisted her by phone.

I'm currently doing a toy desktop OS with the idea of trying to combine the ease of use, even when going to system levels, with easy to develop with API, and strong security.. then again, don't hold your breath =)