Slashdot Mirror


SecurityFocus On MS Security "Hole"

friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.

3 of 398 comments

  1. Ubiquitousness doesn't explain MS vulnerabilities by Infonaut · · Score: 5, Interesting
    If as many people tried as hard to find security holes in OSX or Linux, there'd be reports for those daily as well.

    That's patently untrue. It's a well-known fact that Microsoft's security problems are not due to exposure alone.

    Microsoft's development model is fundamentally flawed from a security perspective, because it squarely places featureset additions above security. The corporate culture at Microsoft is and always has been more about gaining marketshare than about anything else.

    It seems that there are differences in security, above and beyond the monopoly domination Microsoft enjoys. How many ISPs use FreeBSD to run their servers? Hmm.. I wonder if there's more to it than just speed and the fact that FreeBSD is Open Source.

    I'm not alone in my assessment. There's this security guru named Bruce Schneier. Perhaps his name has crossed your desktop at some point. He's contemplating getting a Mac, because he is tired of hassling with security problems on his Windows machines.

    --
    Read the EFF's Fair Use FAQ
  2. Re:So... by DrXym · · Score: 4, Interesting
    The registry is an awful thing for the simple reason that it sticks all your eggs in one basket. Now I know technically there are various 'hives', but if the registry gets corrupted in any significant way you are completely screwed, whether one hive is nobbled or another.

    Your choices after that boil down to restoring from a backup registry and praying that it works, or reinstalling. The recovery console is a joke and a last-ditch effort. The only times I've required it were when I foolishly marked my temp folder as encrypted and a service pack used it, peppering my system32 dir with encrypted files, and during recent filesystem data corruption. On neither occasion was it particularly useful, and I was sorely pushed each time to recover to a working system.

    At least Unix gives you a fighting chance, since configuration files are all individually named and occupy different places on the disk. It is quite possible to identify the precise problem and fix it if necessary. Those files might be messier, but at least it's easy to back them up (since they're not 'live') and *much* easier to restore them. It is my opinion that the registry is quite possibly the most awful thing about Windows, even before considering the mess of registry keys it actually contains.
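    The two practical problems in the comment above are recoverable with a little preparation: save each registry hive to its own file so a single corrupted hive can be restored on its own, and audit System32 for EFS-encrypted files before they bite you from recovery media. The script below is an added, constructed example and is not part of DrXym's comment or of any Microsoft tooling; it assumes an elevated PowerShell session on Windows, and the backup path and hive list are illustrative choices.

```powershell
# Added example, not from the Slashdot thread. Assumes an elevated
# PowerShell session; $BackupRoot and the hive list are illustrative.
param(
    [string]$BackupRoot = 'C:\RegBackup',
    [string]$AuditPath  = "$env:SystemRoot\System32"
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# One hive per file. A corrupted hive can then be restored individually,
# which is the closest Windows gets to Unix's per-file config layout.
$hives = 'HKLM\SYSTEM', 'HKLM\SOFTWARE', 'HKLM\SAM', 'HKLM\SECURITY', 'HKU\.DEFAULT'
foreach ($h in $hives) {
    $file = Join-Path $dest (($h -replace '[\\.]', '_') + '.hiv')
    # "reg save" writes a binary hive that "reg restore" or an offline
    # recovery environment can load; /y overwrites without prompting.
    & reg.exe save $h $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg save failed for $h" }
    else { Write-Host "saved $h -> $file" }
}

# Audit: an EFS-encrypted file under System32 is unreadable when booting
# from recovery media without the owning user's EFS key, which is the
# failure mode the comment describes after the service pack install.
$encrypted = Get-ChildItem -Path $AuditPath -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

if ($encrypted) {
    Write-Warning ('{0} EFS-encrypted file(s) under {1}:' -f @($encrypted).Count, $AuditPath)
    $encrypted | ForEach-Object { Write-Host "  $($_.FullName)" }
} else {
    Write-Host "no EFS-encrypted files under $AuditPath"
}
```

    Run it from an elevated prompt before applying a service pack; the SAM and SECURITY hives need backup privilege, which is why an ordinary user session will report failures for those two. To undo a bad change to one hive, restore only that hive's .hiv file rather than the whole set.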

  3. Open-source vs. Microsoft security? Apache vs. IIS by hkmwbz · · Score: 5, Interesting
    It is difficult to prove this one way or the other. First, the source code for Linux is available, and as such more people can study it, and they probably do. Windows might be more widespread, but how many Windows users are actually knowledgeable enough to even find a security hole?

    It doesn't matter how many users it has, because the users won't be looking for security holes in the first place. So if you put 10 Windows users in a room, none of them would know much about these things. Put 10 Linux users in a room, and you increase the chance that you'll find a real hacker. I'm a Windows user myself, so I'm not trying to sound like an elitist bastard. I haven't even uncovered any security holes in my life.

    But it is difficult to determine this case, as there are a lot of questions and too few answers.

    Let us instead look at a piece of software where the numbers are reversed - where Microsoft's product has only a small part of the market.

    I am talking about the open-source Apache HTTP server, vs. Microsoft's IIS.

    Apache has 60-70 per cent of the web server market. IIS has less than 30 at the moment. Yet, despite these figures, Apache has had far fewer known security issues than IIS. How does this fit with your question? Obviously, there are a lot more eyes on Apache due to its large market share?

    So how does IIS come out so crappy when it comes to security?

    I think we can come to the conclusion that your "it's not as frequently used so very few are looking for security holes"-like statement simply does not make sense. It is a myth. FUD?

    --
    Clever signature text goes here.