Slashdot Mirror


IE Holes Not Microsoft's Fault, Says Bill

thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?

39 of 1,035 comments

  1. Re:Bad programming model by John Hansen · · Score: 3, Informative

    Aaaaaugh. It's late, and I meant ActiveX... before people jump all over me in flames, since DirectX isn't that bad...

  2. Blame Game by Schwing84 · · Score: 1, Informative

    Internet Explorer's flaws are strictly the fault of Microsoft. Mozilla Firefox is far less flawed. If Microsoft hired more people in programming than it did in fixing flaws then maybe they would have a half decently secured system ala Internet Explorer.

  3. Best quote from Bill... by Fallen Kell · · Score: 3, Informative
    Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change. That's the one over 90% of people are going to keep using.

    That's interesting since current statistics are only showing:
    2004       IE 6   IE 5  O 7   Moz    NN 3  NN 4  NN 7
    October    69.8%  6.0%  2.3%  17.0%  0.2%  0.2%  1.3%
    September  69.6%  6.2%  2.3%  16.9%  0.2%  0.2%  1.3%

    In other words, IE5/6 with 75.8%, not Bill's dream of 90% (not anymore). In fact, it has been since Jan 2002 that IE has had a number even close to 90%, when it was at 86.8%.

    Bill, get a clue and stop using your PR department for your FUD.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    1. Re:Best quote from Bill... by danme · · Score: 3, Informative
  4. Re:Uhhhh... by robbo · · Score: 2, Informative

    It's obvious that Bill's implying that it's perfectly safe to use IE, so long as you only browse Microsoft/Msn/Msnbc/Slate.com... It's your fault if you stray off the beaten path.

    --
    So long, and thanks for all the Phish
  5. Re:No thanks by strider44 · · Score: 5, Informative

    *sigh* having more market share is not an excuse. Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes.

  6. Re:Gibberish by gruntled · · Score: 3, Informative

    Your analogy is more precise than mine; nicely done. But I think MS does "get" networking these days; they're just in this huge bind because they can't repair all the problems without breaking nearly every existing application out there. Most people won't throw away their entire investment in software for an OS upgrade -- even a more secure OS upgrade -- so Microsoft winds up muddling along with things like XP Service Pack 2 (the 2 stands for "too little, too late"). Must stop typing these at 3 AM....

  7. Re:No thanks by Anonymous Coward · · Score: 1, Informative

    Well
    I tried that with Debian Stable, guess what?
    After a couple of months it was compromised ..
    I guess running Debian Woody without patches is no more secure than running Windows without patches

  8. Re:Antivirus is not a thing you "build in" by phasmal · · Score: 2, Informative

    I believe that what he is referring to is the fact that you can't just put 'virus protection' on a CD with windows, install it and everything is suddenly OK. It's useless (very quickly) without pattern updates.

    Because anti-virus software doesn't stand alone, continual effort is required to make it a valuable addition to Windows.

    In the commercial world, continual effort like this must be funded somehow, and the easiest way is to charge people proportionally to the effort - ie. a subscription.

    So MS doesn't simply have to build the software, they need the virus research, pattern creation, update mechanism etc.

    This is (not surprisingly) exactly how existing vendors make their money.

    --Phasmal

  9. Re:No thanks by PipsqueakOnAP133 · · Score: 3, Informative

    20 minutes? Holy shit, where do you work? Antarctica on a 300 baud modem? The time it takes now for infection is on the range of seconds.

    When CodeRed came out, some of us actually noted it on the job at UC Berkeley ResComp.
    The shortest one was on the range of 5 minutes, barely enough time to do an update from windows update.

    Years later, for Welchia, etc, it was within 1 minute that we'd see the machine do the reboot by itself. So the infection actually took place before that (since the rest of the minute was the download and install of the virus)

  10. Re:No thanks by Atrax · · Score: 5, Informative

    Yes, Age of Mythology requires admin rights. Good game too.

    This KB article makes a passing mention of this, but doesn't tell you which games require Admin privs.

    Really I think this is just bad design - they could be written to operate normally under non-admin accounts, but aren't. And it's not just games - numerous applications on windows do this for various reasons (registry access/file access etc..)

    --
    Screw you all! I'm off to the pub
  11. Let USA Today know... by jarsyl · · Score: 2, Informative
    ...what you think of their coverage: accuracy@usatoday.com

    I just did.

  12. Re:Easy to assign blame by Soko · · Score: 2, Informative

    Not exactly. It a) requires privileged access to the file and b) Windows will bitch about overwriting a read-only file before doing so.

    Yes, most viruses get in because the user is running with admin privs, but the above should be enough for someone who assumes that he's entering a hostile environment to receive enough warning, allowing him to avoid any trouble. As well, most viruses in the wild don't take this into account and will not infect the binary.

    BTW, making the whole damned USB key read-only - including the dynamic stuff (like your Bookmarks) - is a good idea too. That reduces the chance that one of the nasty critters could hitch a ride to your home machine too. If you want a new bookmark, e-mail it to yourself or write it down, and put it into your bookmarks where you know you're safe.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  13. Re:How does this happen? by Anonymous Coward · · Score: 4, Informative

    Well, if the cable modem (router/gateway I assume) has a firewall, it will obviously block all invalid packets, and sometimes DoS attacks.
    Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.
    But even then, the machine behind can be targeted using various techniques (one is to exploit the router itself).

    If you're not talking about a router, then yes, the IP of the Windows machine (like linux) is exposed which means anyone can run checks and such on services which are vulnerable.

    But then it really depends on how up-to-date your windows machine is. It's still highly unlikely that it'll be exploited, unless someone (clueless person) clicks on a link to activate a virus or such through an email, or activates a service for back-door entry.

    BTW, note that the jpeg flaw was fixed very quickly, and most machines weren't vulnerable anyway (such as mine).

    Windows XP is actually very stable, supporting multiple networked users (multi-user and multi-tasking), but lacks in that all accounts by default have admin privilege(!). And that is mostly the reason behind all the viruses, spyware and auto-spam-servers.

    Besides all that, since most Windows vulnerabilities aren't based on a kernel attack (unlike linux), but instead the services you have activated, you can simply disable the ones you don't need, and just be sensible about which applications you open through emails (hopefully none!).

    But even after all that, a user can come along and browse the web using IE and activate some activex component, or installs some other IE component or JScript which allows entry to the machine.

    If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.

    I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -

    * The user using the machine doesn't have admin rights,
    * Windows and related networking software is kept up-to-date,
    * Doesn't use IE / related mail product.

  14. Just think of IE as a platform for malwares... by aug24 · · Score: 2, Informative

    Bill does believe in interop, insomuch as IE provides an api to all sorts of things in Windows, like the phone number used for internet access. The api's a bit rough'n'ready, but who expects clean code from MS?!

    J.

    --
    You're only jealous cos the little penguins are talking to me.
  15. Re:No thanks by Ford Prefect · · Score: 4, Informative
    The example you're using is a directory, not a file. According to your logic, Apple's Quicktime plugin is also installed insecurely.

    Quite a few things on MacOS X are directories, even though they appear as single objects in the Finder (applications are a good example of this).

    It's more the Unix-style permissions you should be looking at:
    drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin
    Directory, owner (root) can read, add to, delete from and list contents; group (admin) can read, add to, delete from and list contents; everyone else can read and list contents.
    drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin
    Directory, owner (ilgaz) can read, add to, delete from and list contents; group (ilgaz) can read, add to, delete from and list contents; everyone else can read, add to, delete from and list contents.

    So, basically, any old user could delete some important executable file from the Windows Media Plugin directory and replace it with one of their own. It's not even got the root:admin user stuff like a normal system file...
    --
    Tedious Bloggy Stuff - hooray?
  16. Re:How does this happen? by Stalks · · Score: 4, Informative
    Well, if the cable modem (router/gateway I assume) has a firewall, it will obviously block all invalid packets, and sometimes DoS attacks.

    You may block the packets used for the DoS from getting to your PC, but your cable line will still be saturated.

    Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.

    Integrated firewalls in routers/modems are becoming more sophisticated than merely being nat drones. Firewall designers are aware that any response given from the firewall is unwise, therefore they are now stealthed firewalls. And the notion that DHCP can protect you .. well, no comment, lol.

  17. Technical capability of the users. by Confused · · Score: 4, Informative

    Technical capability of the users.

    Good industrial design makes sure that the average user does per default the safe things and doing unsafe things needs extra effort. For this reason, nearly all motorised saws and knives have clever hand- and finger guards to reduce the chance of accidents.

    Microsoft and most other software companies take the opposite approach, they just put the onus of safe operation on the user. Considering that most users don't have, or don't want, the necessary knowledge to do that, this idea will fail.

    The solution is not to educate users, but to build systems that can be operated in a safe manner by following simple and logical security rules that even my grandmother can understand.

    Rules like: As long as you don't click on it, it can do no harm.

  18. Re:No thanks by Mike Morgan · · Score: 5, Informative

    I thought that that would work too. I set my mom up as a restricted user under Windows 2000. After about 6 months the machine was clogged with spyware and would no longer dial.

    I wrote a program to detect what directories were still writeable as the restricted user, turned out to be quite a few (even including C:\).

    --
    -USR1
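
The permission reading in comment 15 and the writable-directory check mentioned in comment 18, as an added example that is not part of the thread and is not either commenter's program. The function names are hypothetical, the temporary tree is constructed for the demo, and the check reads Unix mode bits only (it does not evaluate ACLs such as those on NTFS).

```python
import os
import stat
import tempfile

# The two listing lines quoted in comment 15.
LS_LINES = [
    "drwxrwxr-x 3 root admin 102 1 Apr 2004 QuickTime Plugin.plugin",
    "drwxrwxrwx 3 ilgaz ilgaz 102 9 Oct 15:08 Windows Media Plugin",
]


def classify(mode_string):
    """Classify an ls-style mode string such as 'drwxrwxrwx'.

    Layout: [0] type, [1-3] owner, [4-6] group, [7-9] everyone else.
    Returns None unless it is a directory that 'other' can write to.
    """
    m = mode_string[:10]  # drop any trailing '@' or '+' flag ls may append
    if len(m) < 10 or m[0] != "d" or m[8] != "w":
        return None
    # 't'/'T' in the last slot is the sticky bit: entries can only be
    # deleted or renamed by their owner, the directory owner, or root.
    if m[9] in "tT":
        return "world-writable, sticky"
    return "world-writable, anyone can replace contents"


def audit_listing(lines):
    """Return {name: finding} for flagged lines of `ls -l` output."""
    findings = {}
    for line in lines:
        fields = line.split(None, 8)  # 8 metadata fields, then the name
        if len(fields) < 9:
            continue
        finding = classify(fields[0])
        if finding:
            findings[fields[8]] = finding
    return findings


def audit_tree(root):
    """Walk a real directory tree and flag directories by their mode bits."""
    findings = {}
    for dirpath, _dirs, _files in os.walk(root):  # does not follow symlinks
        mode = os.lstat(dirpath).st_mode
        finding = classify(stat.filemode(mode))
        if finding:
            findings[os.path.relpath(dirpath, root)] = finding
    return findings


def build_demo_tree():
    """Create a constructed tree with one safe and two open directories."""
    root = tempfile.mkdtemp()
    for name, mode in (("plugin_ok", 0o775),
                       ("plugin_open", 0o777),
                       ("shared_tmp", 0o1777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod is not affected by the umask
    return root


if __name__ == "__main__":
    for name, finding in audit_listing(LS_LINES).items():
        print(f"listing: {name}: {finding}")
    for path, finding in sorted(audit_tree(build_demo_tree()).items()):
        print(f"tree:    {path}: {finding}")
```
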
  19. Re:Check the history of the seatbelt in the car by DMadCat · · Score: 2, Informative

    That's kind of funny when you consider that most XP crashes are because of bad drivers too (or misbehaving malware).

    That's kind of funny when you consider I'm a System Administrator, I keep my Windows box up to date and as squeaky clean as is possible, and I still experience crashes.

    Most XP crashes are Software/Hardware related, not user error. I've spent the last five years having to apologize to my users for some of the screwy, quirky things that Windows does.

  20. Re:No thanks by doob · · Score: 5, Informative
    I'd venture to say most people who use OS X are logged in as admins.

    Even if this is true (but may not be, see below) being an admin under OSX is very different than being an admin under Windows. On Windows, you have rw permissions on everything, whereas under OSX, all it means is that you are in the sudoers file. This means that in order to do anything dangerous, you still need to type in your password again to gain (temporary) root privs.

    Can someone else comment on how the OSX install/add user process prompts you to set up permissions. AFAICR the user is set up as a normal user first, and you then have to explicitly go to the user manager and give them admin permissions. Very different to Windows, where you are prompted to set up an admin user as part of the install process!

    --
    In the spoon, there is no Soviet Russia!
  21. Could he explain by BCW2 · · Score: 4, Informative

    Why a fresh install of XP puts at least 11 instances of Alexa (known spyware) and 5 DSO exploits on a box? Try it, install XP and then Ad-Aware and Spybot. Run them both and see the results. No computer that comes into or is built at the white box store I work at, leaves without those two programs installed. Yesterday's updates put 3 instances of Alexa back in.

    --
    Professional Politicians are not the solution, they ARE the problem.
  22. Re:No thanks by ewg · · Score: 4, Informative

    Mac OS X is the same way, FWIW. sudo only, from accounts with appropriate permission.

    --
    org.slashdot.post.SignatureNotFoundException: ewg
  23. Re:No thanks by SlamMan · · Score: 3, Informative

    That is correct for additional users. The original user created during install is an Administrator.

    --
    Mod point free since 2001
  24. re: by Fringex · · Score: 2, Informative

    Everyone says this and that about IE. A good portion of it is true and some not true. User error can't be counted out. If you download a virus without virus checking it, then yes you just got screwed. However my friends... there is a solution. Mozilla. See I used to be a fanatical IE5.0+ user. I defended it to the ends of the earth. Then of course my buddy showed me what mozilla could do. I am so damn addicted to tabbed browsing. I would say the main reason I switched a good while back was that Mozilla had a built in pop-up blocker and IE didn't. Another interesting switch story was that of my fiance. She used IE 6 for a great deal of time. I tried to get her to switch but she never wanted to... that is until, the trojans started happening. Her virus checker was finding about 6-7 trojans a day and she could never figure out why. So I switch her to Mozilla to see what happens. After 3 months she has not had one trojan. Not one. I think that says a lot in itself. As minorly thrilled about Mozilla as she is, I can say she is happier that her computer is now virus free.

  25. Re:root accessibility by kawika · · Score: 4, Informative

    Not to make excuses for it; basically, your average worm or spyware program will be able to propagate and do bad things as a Limited User, but it won't be able to persist on the system. Reboot and it will be gone.

    Newer spyware and viruses work just fine as limited users. Remember that their job isn't usually to take over or destroy the system, it's to monitor users and/or send mail. They don't need to be root to do that. Even as limited users they can install in an XP user's Application Data directory and start themselves at boot time by something as simple as a Startup folder entry.

  26. Re:How does this happen? by GlassUser · · Score: 4, Informative
    Windows XP is actually very stable, supporting multiple networked users (multi-user and multi-tasking), but lacks in that all accounts by default have admin privilege(!). And that is mostly the reason behind all the viruses, spyware and auto-spam-servers.


    Whoever told you that didn't know what they were talking about. Most users create admin accounts for themselves (or use the one admin account created) because they can't be bothered to go root to install something.
  27. Excuse Me??? Where have you been under a rock? by IAmAMacOSXAddict · · Score: 2, Informative

    Every copy of windows since 98 MUST USE IE!!!!

    You may not use it openly for browsing the internet, but it is so embedded into the OS that it cannot be removed (just double click on your "my computer" icon and it is IE that browses the hard drive). Don't you remember the browser wars? This was Micro$oft's way of making sure their browser is installed into the OS no matter what.

    --
    MacOSX, because making *NIX better is a lot better than waiting for Micro$loth to fix Windows
  28. Gates got spyware himself! by celerityfm · · Score: 2, Informative

    So Bill you're saying it was your OWN fault?

    It's also a problem that has affected Gates personally. He said his home PCs have had malware, although he has personally never been affected by a virus.

    "I have had malware, (adware), that crap" on some home machines, he said.


    remember?

    --
    ...unfortunately no one can be told what The Mat^H^H^HGoatse is...they must experience it for themselves...
  29. Re:Sweetest Revenge: Linux Media Centers by seasleepy · · Score: 2, Informative

    Tada! KnoppMyth does that already.

  30. not funny. by Bill, Shooter of Bul · · Score: 2, Informative

    They are for interoperability when it will make them money, and against it when it won't. Duh. No contradiction here, hence no funny.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  31. Re:No thanks by df4b943c678dae · · Score: 2, Informative

    Wow, that's funny. The only Microsoft product I like is their keyboard. They messed it up though with the newer models, too many weird buttons.

  32. Re:How does this happen? by ztirffritz · · Score: 2, Informative

    Many Windows programs won't function unless you're an admin. Knowing that most users have admin level permissions, they write their programs making that assumption. I've tried locking down Windows users by giving them lower permissions and half of the programs don't work because of read/write access errors. I can make it work by finding all of the folders that the program calls and resetting permissions, but this kind of defeats the purpose doesn't it?

    --
    Why doesn't anything interesting happen when I have mod points?
  33. Different Alexa by CharlesDonHall · · Score: 5, Informative
    That's not the Alexa toolbar; it's a Microsoft "feature". If you click on "Tools/Find Related Links" in Internet Explorer, it does a search via the Alexa website. (And brings up a sidebar which gives you the option of downloading the Alexa spyware.)

    So in a sense it's harmless; it's just a built-in web search. But it's generally considered to be spyware because of Alexa's reputation.

    It probably got installed when you did the Internet Explorer update. I think you get it out-of-the-box when you install XP.

    More information here: http://www.imilly.com/alexa.htm

  34. Re:No thanks by Anonymous Coward · · Score: 1, Informative


    You are perhaps refering to a "root" account, which is non-existent by default.

    This is incorrect. Root on an OS X system exists even when it's not "enabled". The only thing "enabling" the root account does is set root's password. You can "enable" the root account with the command:

    sudo passwd root

    and supply a password when prompted. Go into NetInfo Manager and you'll find that it's "magically" been "enabled".

    Don't be fooled into thinking that the power of root does not exist until the root account is enabled. Any process that runs with UID 0 is running as root...regardless of whether the account is "enabled" or not. If one of these processes is compromised you've got a root compromise. The "sudo" command is a prime example. It's setUID 0 so that it can perform root actions. If root were truly non-existent until enabled, as you claimed, then sudo wouldn't work because it requires root privileges to enable root.

  35. Re:No thanks by innerweb · · Score: 4, Informative
    Ignore the parent to this. Read why below.

    May have downloaded spyware...

    And they are not compromised? Spyware is often as bad or worse than most viruses. Most spyware sits in the background degrading your systems performance recording things that you do, from where you visit to what you type. Spyware is invaluable to crime. If you want to steal identities, accounts, etc., spyware is an invaluable tool.

    I wonder who they use for a service provider, and what kind of connection they have. Almost 100% of the Windows machines I have seen hooked up (insightBB, comcast, onenet, SBC, and other smaller companies) on everything from cable to dsl to dial-up have been infected within hours at the most(the slower and more sporadic the connection, the longer the infections took.) It may be that they are being protected by their service provider or some dumb luck combination. I seriously doubt they have some special version of windows that does not have the compromises that all other versions have.

    Spyware is becoming one with viruses. The difference is that most script kiddie "virus writers" want you to know they own your box (or defaced it/erased it), whereas most criminal intent wants you to know nothing at all. Their fruits of labor will not be realized if you take actions based on their intrusions. After all, if you change your card/account number or passwords, how can they use it?

    Proper spyware (with criminal intent) would install itself, collect some information and then delete itself, leaving no trace or suspicion behind. By doing this, they get information and leave no clues to tip off the victim. Once the cards are used, the account tapped, or whatever else they intend to do (identity theft for instance), they no longer need your system anyway, and the damage done is too late to prevent. Try telling companies that you are not the one that ruined your credit rating.

    InnerWeb

    --
    Freud might say that Intelligent Design is religion's ID.
  36. Re:No thanks by theguywhosaid · · Score: 2, Informative
    Double Argh. Palm is one company that does this badly. Imagine everyone having to be an Administrator just because Palm Hotsync's data to C:\Program Files\Palm\$palmname. Sheesh.

    yeah, that's a real pain. the way around it is to:

    1. Change account to an admin
    2. Install _All_ Palm junk
    3. Change account back to a luser

    It's worked so far. Hope it's handy

  37. Windows Target? by lullabud · · Score: 1, Informative

    I really don't think this is the case. People say that windows boxes are targeted more, and sure, they're the ideal target since you've got a great chance of getting in and a great many to get into, but to say they are targeted sooner or more overwhelmingly is taking it a bit far. The amount of IIS exploit attempts I see coming through my apache logs and the amount of failed authentication attempts I see in my smbd logs say that my Mac is getting hit plenty, and with complete disregard for platform when selecting a target, except that the expected exploit will be found in windows. The fact that I see these hits on my Mac means any node has an equal chance for getting hit just as soon or just as frequently as windows. The "windows is targeted more" only holds true when you factor in the desired target platform, the number of exploits on that platform and the number of nodes that platform has, not the frequency or timing of attacks.

  38. Re:No thanks by jurv!s · · Score: 2, Informative

    sshd is not turned on by default. the only daemon that *may* be on is ntpd if you choose to use apple time servers during installation... a typical user with admin privileges would have to click a button to turn on sshd in System Preferences and then fire up Terminal.app and issue a 'sudo passwd' to enable the root account or do it the GUI way with NetInfo.app. Does this sound like a typical user to you? nah... didn't think so.

    --
    sigs are for fools and trolls. no signature is *always* appropriate. you should turn them off in your preferences.