Slashdot Mirror
Windows Users Fear Korgo Virus
An anonymous reader writes "A new virus is on the prowl that can infect your Windows XP/2K system and record every key you hit on your keyboard. The keys are then sent back to the virus creator where he/she can steal your passwords and credit card information. The virus named, Korgo, started showing up in the last week of May but it now has at least six different variants. To protect yourself from this nasty virus, Microsoft is urging all users to download the KB835732 Security Update. As with the Sasser worm, you'll get the Korgo virus without even knowing it. It does not arrive by email, but simply by being connected to a network or to the Internet without having a patched machine or a properly configured firewall."
Main details from top of SARC page: Happy cleaning.
The company that I work at pushed the KB835732 patch out to a few thousand machines. It caused some incompatability issue that cause Windows to blue screen with the error "Winsrv.dll missing or corrupt", its been a blast removing the patch through recovery console, especially walking remote users through it.
For those that have just come out from their rock, here is a removal tool for this latest worm
And IIRC, shouldn't any good (read: non-XP) firewall automatically be blocking these ports (or atleast 445) right out-of-the-box?
Hmmm.
Symantec's Advisory. Listens on TCP ports 113, 2041, and 3067. 113 is identd, 2041 is interbase, 3067 seems invented. Firewall as appropriate.
I wish that, just once, a lot of people will get ripped off. The credit card companies will cover any losses (they have to by law), and people will actually realise that yes, keeping up to date with patches is a good idea.
Puny humans fear Korgo...
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
Issued: April 13, 2004
Updated: May 4, 2004
Version: 1.3
If you "just get it" without having to run anything, it's a worm, not a virus. It's not complicated.
Though the listed viruses may be new, the actual update was released over a month ago and those of us here should already know better. This is the kind of "timely" information I get from Comcast support.
...you're new here, aren't you?
"Sent back to the creator" means data is dumped into an IRC channel, newsgroup, or possibly some zombied machine. There's little way to track the person behind the bot, so to speak.
Of course, a little way is all it takes to pinch some angsty German teenager...
"Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
My guess is that is just an easy way to explain that the creator has some way of retrieving the information once sent from the infected system. In some of the worm documents, it says that it connects to multiple IRC servers and unknown channels. That could be the possible dump for information or more for controlling once infected.
Hmmm.
The master would not approve.
Stop corporate
When that happens I hope Linux game support (including Windows emulation) is much further along.
:-D
Yeah, but why would you want to play a game that acts like the Windows Operating System game?
do() || do_not();
I for one salute our new script kiddie overlords.
This is hardly the bottom 5% of the internet. Most regular Joe Users that I've talked to don't even realize they have to update their machines. So there are probably a lot of people that don't even have the Blaster patch...
How can people NOT know. God, they click "yes" on enough spyware/malware/whatever email crap, but when windows update comes up to tell them there's a new patch for a bad virus, they're clicking no?
Are people really this daft?
Let's not forget that most users (which wouldn't be reading /.) don't have any idea about this stuff. This confuse virus scanners with firewall, and think patching is something you do with clothes. So no, they don't really deserve it.
Like it or not, they want their PC to work like their television. As much as you or I don't like it, they are the people that are keeping Windows suppport folks employed.
I can't say how many times I've helped with someone's machine, and they've had multiple virus infections, spyware and general crap on their machine because they don't know any better. It's a fact of life that Microsoft is going to have to own up to if they want to stay on top. They raised the beast, now they need to teach it the rules.
It's 11PM, do you know where your pants are?
>Are people really this daft?
Yes. Welcome to reality, enjoy your stay.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
I'm sure smarter people than me can come up with more ideas to post here as well. :)
"Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
-- Ryan Stiles
I read the post and immediately thought "oh gosh, here we go again" and went to MS windows update to update my workstation while I downloaded the patch. Then I realized that I'd already updated everyone here at the office back when the patch first came out.
Damn, I gotta rtfa *grin*
Seriously though, even though I check for new updates religously and try to keep all the users on my network up to date, I guess I'm still a little gun-shy.
The Digital Sorceress
The patch is six weeks old. At what point does it cease to be Microsoft's problem and become the PC owner's?
It is not Microsoft's responsibility to make sure you have installed the latest patches and are exercising proper precautions.
"Ask not what your country can do for you." --John F. Kennedy
Yes, they do. They prevented SP1 from installing on machines with blacklisted corporate keys, but Windows Update has always worked, and they recently announced that even those installs will be able to install SP2. It was covered on /. too.
The reasoning was it was better than having umpteen zillion unpatched boxes out there DDoS'ing their website.
I don't need no instructions to know how to rock!!!!
Security through obscurity!!!.... Or at least old age...
Murphy was an optimist.
As much as I hate to say it, IMHO, they almost deserve it...
I help my father keep up to date with patches on his laptop. Last time he was here I ran Windows Update only to find that three patches REFUSED TO INSTALL. He was in a hurry so I couldn't start trying to track down the individual patches and see if downloading those would magically work better (why would they?!)
I've installed Tiny Personal Firewall (with a fix for the known exploit) and I hope that will be enough to shield him against the worms, which are much more critical than IE and/or Outlook exploits.
Fucking crap.
Belief is the currency of delusion.
Sadly, that's not the bottom 5% of the userbase. In the last three months, I've had to fix six home user computers and one that was used to track the finances of a church. Four of the home computers had never had Windows Update run (and both of the other two had only been force-fed updates through manufacturer-installed support software), and the Church computer was still vulnerable to the Blaster worm (Thankfully the thing wasn't connected to the Internet)
is not slashdotted? They are running Windows Server 2003 with IIS and everyone here knows that is bad...
You mean the contact information in the About box is wrong? Damn, those haxors are tricky!
One line blog. I hear that they're called Twitters now.
Since only legal users of XP can install the updates, does this mean that all those people using illegal copies can't get the update?
Figuring so, a lot of people could get screwed.
Evolution or ID?
Slashdot has just gone to the birds since we got all of these windows astroturf's hanging around here. Perhaps it is time that Slashdot implemented a ban on all posts unless it comes from some sort of unix system. Come on it is called /. for a reason, since when did this site become c:\
Got Code?
F-Secure Weblog says Korgo doesn'ts install a key logger by default, but that the "cracker team" uses Korgo's backdoor to do so. So, you wont necessarily have the key logger installed if you have any of the Korgo variants. At least, none up to this point...
When I first saw this I thought I read a virus named Torgo! It wobbles around, moves slowly, and takes care of your computer while you're away.
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
Are the logged keystrokes of most of these viruses transmitted in the clear? If so, then couldn't one create a outbound traffic monitor that watched for certain key character strings (such as passwords, account numbers, etc.) and if the monitor see sensitive data strings in clear text, it would halt the transmission and alert the owner. This could also be used to halt snooping of files and directory structures -- just create a file with a monitor-prohibitted file name and contents.
As a side benefit, the system would also catch insecure site logins - seeing which websites are asking for unencrypted sensitive data such as passwords.
Two wrongs don't make a right, but three lefts do.
Just cache all your passwords and credit card info in your browser's form remembering thing.
Except of course that the update for this came out almost two months ago.
I'd rather be lucky than good.
Thank God I trust Internet Explorer enough to remember my bank password for me... now I don't have to worry about viruses that log my keystrokes!
It's easy for us to say that, we're computer users who (presumably) know what we're doing. But if one is to condemn non-patchers in that way - I assume you also change your oil every 3000 miles, go to the dentist every 6 months, floss daily, get an annual physical, clean the lint filter in your dryer after every load, eat 6 daily servings of vegetables, rotate your tires every 20,000 miles, have all your car's factory recalls done, change the air filters in your heater monthly, and perform all the other mindless routine maintenance you're supposed to do.
The bottom line is, no one on earth outside the most anal retentive person alive does all that stuff. Not doing any of them could have consequences, but people simply don't have time to do all this shit.
So yes, I do blame microsoft. One shouldn't have to constantly check symantec's web page just to keep your computer usable. Computers are appliances now. They should just work, dammit.
The security update for this issue is a month old even though this particular exploit is just hitting the news. If you're not sure, windows update has "View installation history."
Look for "Security Update for Windows XP (KB835732)"
Good thing I'm not dumb enough to type anything important of my own on a Windows box. I guess if I'm infected at work, they'll get the company's code, and if I'm infected at home, they'll found out that I like to cast "Magic Missile" in conjunction with "Flamestrike" when facing strong magic users to disrupt their concentration then hit them with a heavy blast while my warriors move in for the kill.
I'm sure that latter piece is exceptionally valuable information...
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
on 99% of users there's no reason for the ports to be open and having services on them ripe for exploitation.
actually, if they advertise it as idiot proof and secure(even for idiots) it kind of becomes their problem.
world was created 5 seconds before this post as it is.
Korgo sounds so much better then sasser.
Not quite fear-of-god inducing, but whatever.
It is not Microsoft's responsibility to make sure you have installed the latest patches and are exercising proper precautions.
/. people (esp folks who work in frontline tech support) would ease up on M$.
This is a red herring. It is their responsibility to manufacture a product that, if used by an average person, can be maintained by an average person. There is absolutely nothing intuitve about the Windows patching regimen. If they simply pulled themselves out of the cave on this one issue, many
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
OK, since that channel is gonna get flooded anyway, use
modified backend code from the virus to flood the channel
with junk data.
Or better yet, spike it with legitimate-looking data that
will help catch the originator (root passwords for honeypit
machines, special "arrest this customer" CC numbers, etc.)
>;k
I agree with the original poster. Waiting a week and a half is totally useless is a corporate environment. It's kind of silly to wait a week and half, as everyone is doing this more and more basically you wind up finding all the same problems a week and a half later.
You're assuming that someone out there in the world is going to install, test and have somewhat of a similiar environment to yours. In other words, you're hoping someone else will do the work for you.
I think a better rule of thumb is to have a testing mechanism where you can install the patch, test it and then release it for yourself. Like the original poster says, use the IT dept as guinea pigs or whatever.
It's a new virus, but the patch is the same old one as for the Sasser worm.
Prevent email address forgery. Publish SPF records for y
Korgo in itself is not the problem, it is the backdoor that it installs. Korgo does not have a keylogger or anything else harmfull it. Through the backdoor the makers can download anything, including the keyloger that is stealing everyones bank info. Its all here: http://www.f-secure.com/weblog/
What a surprise it wasn't mentioned that this was patched months ago, right?
This vulnerability is the LSASS Buffer Overrun Vulnerability, already patched way back on April 13. Slashdot probably had at least two or three articles on it back then as well if you wanna do a search for "sasser."
If you haven't patched after two months, you're just the same as all those people who got hit with Blaster, which was also already patched beforehand. Linux distros issue security patches for their vulnerabilities weekly and nobody complains, but when Microsoft releases a patch, suddenly it's this huge issue to run a tiny executable that plugs security flaws, and then people bitch at Windows two months later when a virus comes out to exploit it...
Just saying. How can one criticize their security if they won't apply their security patches? Almost all major software is gonna require a patch eventually. I don't get this steadfast need to avoid patching Windows boxes while freely recompiling Linux kernels on a whim for production servers when a minor point release comes out.
"Sufferin' succotash."
of how to protect your computer ;)
Look in the Add/Remove Programs applet in the control panel. If this patch is installed you should see "Windows 2000 Hotfix - KB835732" listed as an installed program.
The virus named, Korgo, started showing up . . .
I highly recommend that the submitter (Anonymous User) immediately head over to his/her favorite online book retailer and purchase Eats, Shoots and Leaves.
---------------------------------------------
SERENITY NOW!!!!!!!!!!!!!!!!
It's a fact of life that Microsoft is going to have to own up to if they want to stay on top. They raised the beast, now they need to teach it the rules.
Which is why the Windows Update configuration prompt absolutely will not go away until you tell it what you want Windows to do about Critical Updates. I've seen Slashdotters complain about how XP "nags" you about things when you first run it, but it's the smartest thing to do. And if you tell it not to download any patches or not even tell you about them...you know where the fault lies. One can rightfully criticize Microsoft for missing the flaw in their original software testing, but at some point, personal responsibility comes into play. This was patched way back on April 13th!
Installing security patches is just a fact of life for absolutely any major operating system, Linux included. Distros release security advisories all the time. This isn't a criticism of any specific company. You know where the real blame lies--on the mouthbreather morons who think it's cool to dick with people's computers to begin with.
"Sufferin' succotash."
Most people who have computers use them as one tool among many. They don't have to maintain their phone weekly or even monthly, or their hammers, or their sofas. Smoke alarms are supposed to be tested once a month, but who does that?
I have a lot of relatives who used to use computers but have mostly given up on them. What with spam, and viruses, and worms, and trojans, and spyware, I can't blame them. Unless they give you a whole lot in return, they're not worth the hassle.
Thank goodness you can download critical updates manually regardless of your key. *whew*
Yes, and the 011 patch also killed about 5% of the machines it was installed on before the May 4 update. Now it only kills about 1%, or about 100 machines in our case. Not to mention the several apps it killed.
This sig is the express property of someone.
Oh, that's right, this place has a complete anti-Microsoft agenda, despite security holes buffer overruns in Linux distributions announced weekly.
yes, it's a shame, very few virus writers are supporting win98. please upgrade to win xp for the latest viruses. ;-D
Have you checked for recalls on your car, toaster, or microwave oven?
If your toaster had a recall on it, and for whatever reason caught fire in the middle of the night and burnt your house down, you'd be suing the manufacturer. Well, if you didn't, your insurance company would. They don't like giving away money, they like to get it back from somewhere else.
What's different in a product which simply exists in a larger product? Would you be checking for recalls on the radio in your car? Probably not.
People are generally greedy. Most of the people I knew that tried to get their tires replaced under the Firestone recall did it not for safety, but because their tires were pretty much worn out, and they wanted new tires for free. People with good condition tires, even though they had seen all the press on the recall, didn't bother with it. Why? "It won't happen to me."
It's just like unprotected sex. Everyone knows of the dangers of unprotected sex, but they believe, "It won't happen to me." Well, not til the day they go to the doctor and find out they have a STD, or worse, a potentially fatal STD.
I heard about one guy who kept baby wipes in his bathroom. He'd wipe himself off after sex, believing it was a "better" solution. It's the same as people who believe they've protected themselves from computer problems by not opening emails with attachments. Sure, it stops some, but not all.
"I don't have to worry about Sasser, there are so many computers on the Internet, it'll never find me."
If Microsoft made the security patches part of a cool new free "gotta have it" product, there's a pretty good chance, a larger segment of the users would get it immediately. As it is now, most users have Windows that is at the same patch state as when they took it out of the box.
Serious? Seriousness is well above my pay grade.
"The keys are then sent back to the virus creator"
I've always wondered about this sort of thing... doesn't that make the creator pretty easy to catch?
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
(that is, XP Professional Corporate, otherwise known as "Volume Licensed" and XP Professional Dumbass edition) is the product ID string in the i386/setupp.ini file on the CD.
That's the only file that's at all different between both editions. So just copy the CD to the HD, change the line in that file that reads
Pid=XXXXXYYY (where XXXXX is the first five digits, and YYY is the last three) to
PID=XXXXX270 (so we are keeping the first five digits, and changing the last 3 to "270")
Also, make sure to call the Volume Label "WXPVOL_EN".
Burn, insert, reboot. When you are asked to enter a product key, use any old XP volume license key you can find: from your employer (good idea) or that keygen util that's floating around (not a good idea unless you've paid for a copy of XP) or whatever.
Finish the install, and presto! No product activation.
Ever.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
It was pretty easy to see from the story that a patch existed and by following the links that it was the same fix as for sasser...
If you haven't patched after two months, you're just the same as all those people who got hit with Blaster, which was also already patched beforehand.
You mean the same as my parents, who until after the Sasser outbreak still had dial-up that refused to connect at 28.8K and found the experience of endlessly downloading patches at a snails pace frustrating at best and impossible at worst? Or like my sister, who bought a new machine with XP factory-installed without the patch released mere days before she purchased the PC and had her computer explioted by the virus literally WITHIN FIVE MINUTES of connecting it to her cable internet?
So many of us slashdot nerds (not to mention Microsoft employees) forget that not everyone has high-speed Internet and is so tech-savvy that they know to plug certain holes, stop certain services, install a firewall and whatever before even going on-line. Nor are there a lot of people willing to put up with all that crap just so they can compute safely.
Linux distros issue security patches for their vulnerabilities weekly and nobody complains, but when Microsoft releases a patch, suddenly it's this huge issue to run a tiny executable that plugs security flaws, and then people bitch at Windows two months later when a virus comes out to exploit it...
Do you even READ the "Linux" advisories? How often do they involve the kernel or critical system components? I see lots of stuff for mail servers, web servers, window managers and so on but nothing for the kernel, filesystem, anything in binutils. Also, how many are remote system vulnerabilities (that is, a person without physical access to the console can obtain root access)? Quite often the risk is limited because full root access is not possible or you require console access, or you have to be running an oddball setup, or exploiting the vulnerability takes some skill.
Contrast with Windows. Blaster and Welchia exploited a DCOM vulnerability with a core component of the OS. Sasser the same thing a few months later. Now this one. All of them could infect a vulnerable PC merely by having them connected to the internet and having a complete moron run set it free to scan the world.
And it's a big deal because it's a PAIN IN THE ASS...it's not like Microsoft runs TV Public service announcements all over the world every time a patch is released, or to educate the uninformed on the importance of running windows update regularly. Oh and by the way, the "tiny executables" can take over an hour just to download one over dialup on a noisy country telephone line. Oh yeah, IT people get a little pissed off when they have come in on a weekend to patch a critical application server because the "tiny little executable" often requires a reboot and subsequent disruption in service. Not so with almost all the "Linux" patches.
How can one criticize their security if they won't apply their security patches? Almost all major software is gonna require a patch eventually.
Easy. I just did above. And yes, software will never be perfect, but eventually shouldn't mean the SAME issues coming up MONTH after MONTH, with new bugs found every time, and fixes for old bugs breaking other things. It's a damn good thing MS and other software vendors don't make a lot of other products. Could you imagine...
*Having to wait in line every month to perform an "engine update" on your car?
*Burning your potroast because a script-kiddie hacked into your oven and set the temperature to 500 degrees?
*Having to mop up the bathroom because your toilet experienced a "buffer overflow" yet again?
*Missing the playoff winning goal because your TV was infested with malware that decided this was the perfect time to launch into an ad for an animal-porn reality TV series?
Somehow, users seem to have the blame pinned on t
Routers won't help with email-borne issues. It will only stop a remote-connect worm from getting through.
I have something in common with Stephen Hawking...
Good of you to propagate this idea, except it doesn't hold water. May I draw your attention to the Apache web server vs. IIS.
Windows is indeed a larger target, but the fact that Windows gets hit more often is its the easier of the two, virus writers are just like the rest of us, lazy. These flaws in Linux differ from those in Windows in that its so much easer to exploit the Windows ones.
Windows has a larger attack area, but whomever is the first to successfully attack and damage Linux in the same way is going to go down in history, whereas who cares about who writes these, there's no skill involved.
"I use a Mac because I'm just better than you are."
They seem to code better and faster than Microsofts own people. Plus they know something about security, which seems to be lacking in Redmond.
If SP2 does not fix these holes like Microsoft claims it will then they should be libel for the money that business lose due to badly written software. Microsoft needs to change the way it updates its software. Instead of releasing a service pack and charging for it when it does come out they should step to releases every month or two, like the way OS X does.
As a matter of fact Microsoft seems to be in the same state Apple was in before Jobs came back. Lost and clueless developing products that they were not good at and had a directionless system software development. This far into WindowsXP MS should have had nearly all of the framework for longhorn laid out and most of the coding done, yet we hear of announced features being dropped because it won't meet their deadline which is two years off. Something is wrong in Redmond and now is the time for Linux and OS X take advantage of it, if they don't do it now they may not have another chance. Unless of course longhorn is the worst mistake they have ever made.
"Windows Users Fear Korgo Virus" screams the headline, reading not so much like news as just another WindowsXP sales pitch. Yes, it's true -- Windows users DO fear the Korgo virus, while the insignificant and ostracized Mac and Linux users of the world are left, yet again, fearing only the sheer and utter BOREDOM of not having any viruses or trojans to fix due to their curious choice of OS. In the area of viruses, trojans, and worms, Linux and the Mac really do stand out as being "second class citizens", trapped in a virus-free ghetto with no salvation in sight. The discrepancy is so obvious, the ultra-competitive Microsoft doesn't even feel the need to buy themselves an Official Gartner Group Research Study to prove that Windows is light-years ahead in this area. Even the most staunch Linux or Mac advocate is forced to admit it -- off the record, of course. Virus writers, known to be excellent coders who take pride in their tight, bugfree code, have overwhelmingly standardized on Microsoft Windows as their targeted system of choice in the deployment of their ongoing suite of virus applications.
And it doesn't look like the situation is going to get better any time soon.
One bearded Linux coder, who refused to be identified publicly, confessed "we just don't have the selection -- or quality -- of viruses on our platform that is available to Windows users free of charge. And it's tearing us up inside knowing that the battle is over, and Microsoft has clearly won." Similarly, a guy with an Apple logo shaved into the back of his head admitted the following once we turned off the cameras. "I don't mean to break ranks and insult our software selection," he whispered furtively, "but usually if we DO manage to get a virus that will even install on OS X, it's not that great, and we're left... disappointed, realizing that if we had simply stuck with the unwashed smelly masses, we too could be enjoying a daily barrage of free software delighting us by installing itself on our computers as a surprise gift. Instead, I'm stuck with the weak consolation prize of 40 Academy Awards for my work on Lord Of The Rings. But it's not the same. No amount of awards or million dollar paycheques can heal the feelings of neglect or massive abandonment issues this whole thing has given me."
"Is this the reason so many people choose Windows?", his innocent young son, Moof, asked me, looking like the kid off the Dave software box.
"What do you think, little one? Look at the Windows dominance in the virus field, then look at the marketshare of Windows. That ain't no coincidence, Moof. The other guys just can't keep up with the Microsoft Juggernaut. Microsoft is fighting hard to keep themselves Number One, just like the Titanic was the biggest and bestest ship, or the Hindenberg was the coolest and most flammable Zeppelin, or the dinosaurs were the toughest animals ever. How do you compete with that?"
=============
Yes, sitting here at my desk 16 hours later, WindowsXP Restore Disks in hand, I can't help but let a little smile shine across my face. Those poor fools, I think, using a non-Microsoft OS really does take away most of the joy of computing and replaces it with all that productivity and recreation crap. And where's the challenge in that?
Please insert Microsoft Windows XP Restore Disk 2
Ahhh, I sigh contentedly. It's gonna be a long night.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
So what you're proposing, and please, correct me if I am mistaken, is that one should gather all one's sensitive pieces of data: credit card numbers, passwords, and the like, and compile them all into a plaintext set of firewall or IDS rules? Where would one store this treasure trove of sensitive information, conveniently gathered into one place for ease of use? Perhaps I have missed a critical component of your plan, which I'm sure isn't nearly as patently insane as it sounds.
Your point is a very good one. Each "security" feature adds another potential weakness to a system - witness the Witty worm for a recent example of new vulnerabilities created by security.
You are right about leaving critical data in plain text. The system would use a hashing system that compares hashed key values to a hash of running network data stream. The hash would be coded off a password and use a suitable one-way hash function that does not allow knowledge of the password to permit unhashing of the stored key values (think public key crypto).
Also, those with double-layer tin-foil hats might only enter partial substrings from key account numbers, passwords, etc. (e.g. the last 8 digits of a social security number). One could even create a simple non-useful code string such as "this string should never appear in outgoing network data" -- typing this in occassionally would catch the send activities of keyboard loggers. Innocuous, but unique strings could also be used inside files or in filenames to detect directory and file snooping.
Does the idea still sound insane?
Two wrongs don't make a right, but three lefts do.
>>the 011 patch also killed about 5% of the machines it was installed on before the May 4 update
Where'd you get that number
Like a maker of questionable vaccines, you're going to have some casualties. :P
Solid numbers, unfortunately no, but we can draw some conclusions. That harbinger of doom Netcraft, in the May 2004 internet survey has 33,892,817 sites running Apache, 67% of surveyed sites, with IIS at 10,858,168, or 21%. If we assume that the Apache sites are nicely split between Apache 1 and 2, thats still 33.5% for each putting both ahead of IIS, which also assumes that there is only one version of IIS deployed, which would be incorrect since 2k has IIS 5 and 2003 IIS 6. Now from what I've heard, Apache 2 is probably deployed less then 1, but either way you slice it, Apache has more sites then any single version of IIS.
Now while an exploit that runs on Sparc wont run on MIPS or x86, the flaw itself is there, and thanks to cross compilers, it wouldn't be much of a problem to recompile a tool to take advantage of any problem.
"I use a Mac because I'm just better than you are."
I run RH 9 and FreeBSD 4.9. I looked at the list on the front page, and none of the issues put me at risk.
There are two reasons a person can be unaffected by the vulnerability if they don't patch. One is they don't have or run the affected software. Gnome users that never use KDE aren't impacted by KDE runtime vulnerabilities. The other is that their network is protected enough to render the vulnerability useless (firewall, local IP security, chroot, NAT, etc.)
The only vulnerability I've seen announced this year that I've had any concern about was the CVS one. Fortunately, though, I have yet to open up my firewall for outside access to CVS. When I do, I plan to use SSH, in which case the vulnerability wouldn't have impacted me. Thus, so far in 2004 between the two operating systems I have had no true vulnerabilities.
Sure, you could say the version of MySQL I'm running has the symlink vulnerability. But, if an attacker can't get local non-chroot'd shell access, then what relevance is a symlink vulnerability?
Contrast it to Korgo and Sasser, which hit Windows ports that are opened by default. I can't tell you how many times I see ports 135 and 445 in my daily logs of packet rejections. Plus, the infecting the processess using those ports gives the attack complete control of the sytem.
Windows is plauged by REMOTE vulnerabilities to MICROSOFT software. Linux distrubutions mostly have LOCAL vulnerabilities with the independent APPLICATIONS that are packaged with them, not the operating system itself. Most of these vulnerabilities require LOCAL access and most of this software runs on Windows as well (e.g., Apache), so the vulnerability usually applies to both operating systems, but appears on the linux security alerts simply because they are one of the thousands of optional programs being included on the FOSS CDs. You have to download Apache if you have Windows because Microsoft is not going to include it, and Microsoft isn't going to send you a patch for it, or even post an Errata, just because you are running it on Windows.
I've also administered Windows servers for many years, using Windows 3.1, Workgroups, NT 3.5/4.0, 2000 and XP, and used just about all their software, including Visual Studio, InterDev, IIS, and COM/DCOM. I still run 2000 and XP in addition to RH 9 and FreeBSD. I've developed my opinion from experience securing production servers in both Windows and Linux, as have other people posting on /.
Open Standards Portal
If we assume that the Apache sites are nicely split between Apache 1 and 2, thats still 33.5% for each putting both ahead of IIS, which also assumes that there is only one version of IIS deployed, which would be incorrect since 2k has IIS 5 and 2003 IIS 6.
I'm not aware of any vulnerability in IIS 6. Can you point me to one?
Now from what I've heard, Apache 2 is probably deployed less then 1, but either way you slice it, Apache has more sites then any single version of IIS.
Keep going with the slicing and dicing. All you've done is made the distrinction between two major versions of Apache. There's many versions within each major release. For example there's versions: 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26, 1.3.27, 1.3.28, 1.3.29, and 1.3.31. That's 13 different versions of Apache in just the 1 fork. And only versions available in or after 2000. For the 2 fork we have: 2.0a1, 2.0a2, 2.0a3, 2.0a4, 2.0a5, 2.0a6, 2.0a7, 2.0a8, 2.0a9, 2.0.35, 2.0.36, 2.0.39, 2.0.40, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, and 2.0.49. That's 21 unique versions of Apache in the 2 fork...excluding alpha/beta releases.
Now one can argue that some of those old versions are few and far between. But the sheer number, 34, of different versions means that if we were to assume you're 50-50 split above and then assume equal weighting for the remaining (not that I would recommended it but bear with me) then at most any version in the 1 fork would have only 3.35% of the market. And any one version in the 2 fork would have a maximum of 2.39% of the market. One has to ask: When was a flaw introduced? When was a flaw corrected?
But then one has to factor in the different platforms that Apache runs on. Cross compilers can generate different binaries for different platforms. They are not used to make a single binary that can run on every platform. Even if someone took the time to compile a version for the most significant platforms the spread of the malicious code would be hindered by the mere fact that it cannot run on a different platform for which it was compiled.
Barring that there's the myraid of different distributions. RedHat 9.0 may have patched their Apache version 1.3.28 while version 8.0 was not. Redhat is known to use the same version with extended version numbering. Lather, rise, repeat for any number of different distributions and you can see that the "Apache outnumbers IIS" is most likely specious.
This might be true in some obscure legal system where companies think they can write their own laws.
In Europe it is generally accepted that once you bought it it is legally yours and you can do with it as you please. (like re-selling)
You own the right to run 1 copy of software product X and that is it.
There is no significant difference between the OEM or the full retail versions of the product so the differentiation Microsoft makes lives entirely in their own fantasie.
The GPL is a different matter as it *does* fit in an existing legal framework
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Like this one?
Maybe this has been asked before, but what idiot at Microsoft decided to remove Windows Update from the default Start Menu in XP? You have to go to the help center to find it. That is at least one reason why so many simple PC users don't update.