Slashdot Mirror


Windows Vulnerabilities Revealed, Patched

Saint Aardvark writes "A big MS Windows remote vulnerability has just hit BugTraq. It concerns a buffer overflow in MS' DCOM, and affects Win2k through Server 2003; here's the security advisory from Microsoft. This is in addition to an earlier vulnerability concerning conversion from HTML to RTF - there's a separate security advisory from Microsoft for this one, and it affects Win98 and NT 4.0 through Server 2003. Patch early, patch often." There's also a CNET News story with a little more explanation on the newest vulnerability.

4 of 445 comments

  1. Re:Poll: Tinfoil hat mode ON! by x136 · Score: 0, Troll

    Not that any of your possibilities are necessarily wrong, but you left out the obvious. :)

    4. Because Windows is a piece of shit.

    --
    SIGFEH
  2. Re:OH NO! Not Windows 2003!? by Anonymous Coward · Score: 0, Troll

    Definitely. But your example does not compare apples to apples.

    Even if we compared apples to apples, Linux would still lose.

    Why does Slashdot post this to the front page, but ignore all of the Linux vulnerabilities listed there? That is the question that you fear answering.

  3. Re:Yes, I run Windows! by SN74S181 · Score: 0, Troll

    But that very same box will not stay running more than 15 minutes with a fresh install of Windows 2000 and no patches or service packs installed. Just sitting there doing nothing at all other than waiting for input, you can stare at the screen and not touch the mouse or keyboard and it goes BSOD on you while you look at it.

    Duh. Have you considered that it might be a hardware problem?

    Please don't spread FUD.

  4. Re:heh by TheNetAvenger · Score: 0, Troll

    Or, to rephrase, isn't it better that the system is built for security to begin with? Didn't a Microsoft representative say that their products had never been created with security in mind, but "we'll make it better now, honest!"?

    Ok, NT was built with security as its main feature, pick up Inside Windows NT so you don't sound silly next time you post.

    The NT platform, which includes Win2k, XP and 2003, has a token client/server object-based security model, which is something that no *nix to this date has or even matches.

    So a new flaw has been found in a piece of Windows, and one of the first flaws in Windows 2003 Server.

    Let's compare this to an average Linux distribution security alert list from the past week.

    [15 Jul 2003] DSA-350 falconseye - buffer overflow
    [14 Jul 2003] DSA-349 nfs-utils - buffer overflow
    [11 Jul 2003] DSA-348 traceroute-nanog - integer overflow, buffer overflow
    [08 Jul 2003] DSA-347 teapop - SQL injection
    [08 Jul 2003] DSA-346 phpsysinfo - directory traversal
    [08 Jul 2003] DSA-345 xbl - buffer overflow
    [08 Jul 2003] DSA-344 unzip - directory traversal
    [08 Jul 2003] DSA-343 skk, ddskk - insecure temporary file

    Although not many are too serious, denial of service and gaining full access to the Linux server do seem a bit of a problem. Of course since this Linux distribution didn't come from Microsoft, I'm sure we won't see any of these in the main press.

    Additionally since it didn't come from Microsoft we won't see posts upon posts how 'Security has never been a priority to Linux' as has been stated about Microsoft Windows.

    Sure I will give you full credit that Win3.1, Win95, Win98, and WinME were NOT designed with security in mind.

    But I do have to stand up when you say that any of the NT kernel based products were 'never created with security in mind'.

    Not only is this not true, as it was a main design goal for the NT project, but it is also a slap in the face of people like Cutler and many of the other NT creators that were some of the top OS and Unix gurus of the time.

    Even something as SIMPLE as obtaining C2 level government security certification is something NT obtained, but yet I see no listing of any Linux distribution even meeting this 'dated' and simple security certification.