IE Holes Not Microsoft's Fault, Says Bill
thparker writes "As part of the Media Center release discussed previously, Bill Gates had an interview with USA Today. Best quote: 'Q: Speaking of security, Internet Explorer has had well-publicized holes... Gates: Understand those are cases where you are downloading third-party software.' Well now we know -- these problems have all been our own fault." Any counterexamples?
Aaaaaugh. It's late, and I meant ActiveX... before people jump all over me in flames, since DirectX isn't that bad...
That's interesting since current statistics are only showing:
| 2004 | IE 6 | IE 5 | O 7 | Moz | NN 3 | NN 4 | NN 7 |
|---|---|---|---|---|---|---|---|
| October | 69.8% | 6.0% | 2.3% | 17.0% | 0.2% | 0.2% | 1.3% |
| September | 69.6% | 6.2% | 2.3% | 16.9% | 0.2% | 0.2% | 1.3% |
In other words, IE5/6 with 75.8%, not Bill's dream of 90% (not anymore). In fact, it has been since Jan 2002 that IE has had a number even close to 90%, when it was at 86.8%.
Bill, get a clue and stop using your PR department for your FUD.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
*sigh* having more market share is not an excuse. Just look at Apache vs. IIS and you'll see that more market share does not automatically equal more security holes.
Your analogy is more precise than mine; nicely done. But I think MS does "get" networking these days; they're just in this huge bind because they can't repair all the problems without breaking nearly every existing application out there. Most people won't throw away their entire investment in software for an OS upgrade -- even a more secure OS upgrade -- so Microsoft winds up muddling along with things like XP Service Pack 2 (the 2 stands for "too little, too late"). Must stop typing these at 3 AM....
20 minutes? Holy shit, where do you work? Antarctica on a 300 baud modem? The time it takes now for infection is on the range of seconds.
When CodeRed came out, some of us actually noted it on the job at UC Berkeley ResComp.
The shortest one was on the range of 5 minutes, barely enough time to do an update from Windows Update.
Years later, for Welchia, etc, it was within 1 minute that we'd see the machine do the reboot by itself. So the infection actually took place before that (since the rest of the minute was the download and install of the virus)
Yes, Age of Mythology requires admin rights. Good game too.
This KB article makes a passing mention of this, but doesn't tell you which games require Admin privs.
Really I think this is just bad design - they could be written to operate normally under non-admin accounts, but aren't. And it's not just games - numerous applications on Windows do this for various reasons (registry access/file access etc.)
Screw you all! I'm off to the pub
Well, if the cable modem (router/gateway I assume) has a firewall, it will obviously block all invalid packets, and sometimes DoS attacks.
Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.
But even then, the machine behind can be targeted using various techniques (one is to exploit the router itself).
If you're not talking about a router, then yes, the IP of the Windows machine (like linux) is exposed which means anyone can run checks and such on services which are vulnerable.
But then it really depends on how up-to-date your windows machine is. It's still highly unlikely that it'll be exploited, unless someone (clueless person) clicks on a link to activate a virus or such through an email, or activates a service for back-door entry.
BTW, note that the jpeg flaw was fixed very quickly, and most machines weren't vulnerable anyway (such as mine).
Windows XP is actually very stable, supporting multiple networked users (multi-user and multi-tasking), but lacks in that all accounts by default have admin privilege(!). And that is mostly the reason behind all the viruses, spyware and auto-spam-servers.
Besides all that, since most Windows vulnerabilities aren't based on a kernel attack (unlike linux), but instead the services you have activated, you can simply disable the ones you don't need, and just be sensible about which applications you open through emails (hopefully none!).
But even after all that, a user can come along and browse the web using IE and activate some ActiveX component, or install some other IE component or JScript which allows entry to the machine.
If the user isn't using IE and isn't running a server (such as httpd), then it's quite unlikely that anything bad will happen. Unless someone specifically targets the machine and scans for all activated services, etc, and launches an attack against an un-patched vulnerability.
I would be brave enough to state that a Win2k / WinXP / Win2003 is just as secure as UNIX / FreeBSD / OSX, if: -
* The user using the machine doesn't have admin rights,
* Windows and related networking software is kept up-to-date,
* Doesn't use IE / related mail product.
Quite a few things on MacOS X are directories, even though they appear as single objects in the Finder (applications are a good example of this).
It's more the Unix-style permissions you should be looking at:
* Directory, owner (root) can read, add to, delete from and list contents; group (admin) can read, add to, delete from and list contents; everyone else can read and list contents.
* Directory, owner (ilgaz) can read, add to, delete from and list contents; group (ilgaz) can read, add to, delete from and list contents; everyone else can read, add to, delete from and list contents.
So, basically, any old user could delete some important executable file from the Windows Media Plugin directory and replace it with one of their own. It's not even got the root:admin user stuff like a normal system file...
Tedious Bloggy Stuff - hooray?
You may block the packets used for the DoS from getting to your PC, but your cable line will still be saturated.
Otherwise, all (I think) cable modems / routers will give away their IP, BUT they should all protect the users behind them, through natting or dhcp.
Integrated firewalls in routers/modems are becoming more sophisticated than merely being nat drones. Firewall designers are aware that any response given from the firewall is unwise, therefore they are now stealthed firewalls. And the notion that DHCP can protect you .. well, no comment, lol.
Technical capability of the users.
Good industrial design makes sure that the average user does the safe things by default, and doing unsafe things needs extra effort. For this reason, nearly all motorised saws and knives have clever hand- and finger guards to reduce the chance of accidents.
Microsoft and most other software companies take the opposite approach: they just put the onus of safe operation on the user. Considering that most users don't have and don't want the necessary knowledge to do that, this idea will fail.
The solution is not to educate users, but to build systems that can be operated in a safe manner by following simple and logical security rules that even my grandmother can understand.
Rules like: As long as you don't click on it, it can do no harm.
I thought that that would work too. I set my mom up as a restricted user under Windows 2000. After about 6 months the machine was clogged with spyware and would no longer dial.
I wrote a program to detect what directories were still writeable as the restricted user, turned out to be quite a few (even including C:\).
-USR1
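The directory-permission check described in the Mac OS X comment above and in this post, as an added example that is not code from either poster: it walks a tree using Unix mode bits, flags directories that "everyone else" can write to, and lists what the account running it can write to. The directory names and the temporary sample tree are constructed; on Windows, where access is governed by ACLs, the mode bits do not apply.

```python
import os
import stat
import tempfile


def audit(root):
    """Return (relative path, ls-style mode, sticky) for every directory
    under root whose mode grants write access to "everyone else"."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):  # does not follow symlinks
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            # With the sticky bit (as on /tmp) only a file's owner may delete
            # or rename it; without it any account can swap files out.
            sticky = bool(mode & stat.S_ISVTX)
            findings.append((os.path.relpath(dirpath, root),
                             stat.filemode(mode), sticky))
    return sorted(findings)


def writable_by_current_user(root):
    """Directories the account running the script can write to; run it as
    the restricted account to see what that account can still modify."""
    return sorted(os.path.relpath(d, root)
                  for d, _dirs, _files in os.walk(root)
                  if os.access(d, os.W_OK))


def build_sample():
    """Constructed tree: one directory per permission pattern."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    for name, mode in (("system_plugin", 0o775),   # drwxrwxr-x
                       ("media_plugin", 0o777),    # drwxrwxrwx
                       ("shared_tmp", 0o1777)):    # drwxrwxrwt
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # chmod explicitly so the umask cannot interfere
    return root


if __name__ == "__main__":
    sample = build_sample()
    for rel, mode, sticky in audit(sample):
        note = "sticky, owner-only delete" if sticky else "anyone can replace files"
        print(f"{mode}  {rel}  ({note})")
    print("writable by this account:", writable_by_current_user(sample))
```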
Even if this is true (but may not be, see below) being an admin under OSX is very different than being an admin under Windows. On Windows, you have rw permissions on everything, whereas under OSX, all it means is that you are in the sudoers file. This means that in order to do anything dangerous, you still need to type in your password again to gain (temporary) root privs.
Can someone else comment on how the OSX install/add user process prompts you to set up permissions. AFAICR the user is set up as a normal user first, and you then have to explicitly go to the user manager and give them admin permissions. Very different to Windows, where you are prompted to set up an admin user as part of the install process!
In the spoon, there is no Soviet Russia!
Why a fresh install of XP puts at least 11 instances of Alexa (known spyware) and 5 DSO exploits on a box? Try it, install XP and then Ad-Aware and Spybot. Run them both and see the results. No computer that comes into or is built at the white box store I work at, leaves without those two programs installed. Yesterday's updates put 3 instances of Alexa back in.
Professional Politicians are not the solution, they ARE the problem.
Mac OS X is the same way, FWIW. sudo only, from accounts with appropriate permission.
org.slashdot.post.SignatureNotFoundException: ewg
That is correct for additional users. The original user created during install is an Administrator.
Mod point free since 2001
Not to make excuses for it; basically, your average worm or spyware program will be able to propagate and do bad things as a Limited User, but it won't be able to persist on the system. Reboot and it will be gone.
Newer spyware and viruses work just fine as limited users. Remember that their job isn't usually to take over or destroy the system, it's to monitor users and/or send mail. They don't need to be root to do that. Even as limited users they can install in an XP user's Application Data directory and start themselves at boot time by something as simple as a Startup folder entry.
Whoever told you that didn't know what they were talking about. Most users create admin accounts for themselves (or use the one admin account created) because they can't be bothered to go root to install something.
funny munging
So in a sense it's harmless; it's just a built-in web search. But it's generally considered to be spyware because of Alexa's reputation.
It probably got installed when you did the Internet Explorer update. I think you get it out-of-the-box when you install XP.
More information here: http://www.imilly.com/alexa.htm
May have downloaded spyware...
And they are not compromised? Spyware is often as bad or worse than most viruses. Most spyware sits in the background degrading your system's performance, recording things that you do, from where you visit to what you type. Spyware is invaluable to crime. If you want to steal identities, accounts, etc., spyware is an invaluable tool.
I wonder who they use for a service provider, and what kind of connection they have. Almost 100% of the Windows machines I have seen hooked up (insightBB, comcast, onenet, SBC, and other smaller companies) on everything from cable to dsl to dial-up have been infected within hours at the most (the slower and more sporadic the connection, the longer the infections took). It may be that they are being protected by their service provider or some dumb luck combination. I seriously doubt they have some special version of Windows that does not have the compromises that all other versions have.
Spyware is becoming one with viruses. The difference is that most script kiddie "virus writers" want you to know they own your box (or defaced it/erased it), whereas most criminal intent wants you to know nothing at all. Their fruits of labor will not be realized if you take actions based on their intrusions. After all, if you change your card/account number or passwords, how can they use it?
Proper spyware (with criminal intent) would install itself, collect some information and then delete itself, leaving no trace or suspicion behind. By doing this, they get information and leave no clues to tip off the victim. Once the cards are used, the account tapped, or whatever else they intend to do (identity theft for instance), they no longer need your system anyway, and the damage done is too late to prevent. Try telling companies that you are not the one that ruined your credit rating.
InnerWeb
Freud might say that Intelligent Design is religion's ID.