Slashdot Mirror


Computer Security Still Totally Inadequate

Several news sources are running articles detailing the lack of computer security on all platforms. Symantec foretells a dark future for Firefox and Mac users, describing their security as a "false paradise". Kernel developer and Red Hat fellow Alan Cox stated in his recent interview with O'Reilly that "even the best systems today are totally inadequate". He goes on to say: "We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

1 of 452 comments

  1. Opt-In ActiveX is the best IE feature, ever by quazee · · Score: 5, Informative

    This, in fact, should reduce IE's attack surface several-fold.

    MS made a huge mistake when IE 4.x-6.x relied on the CATID_SafeForScripting/CATID_SafeForInitializing COM component categories to decide whether it's safe to use a COM component from JavaScript/VBScript.

    CATID_SafeForScripting is not needed when the COM component is accessed from a stand-alone .VBS/.JS script stored on the local machine (which is trusted to do anything anyway), yet a lot of MS and third-party components are in CATID_SafeForScripting for no reason at all.

    IE has a kill bit feature which allows disabling certain scriptable COM components based on their GUIDs. And most IE security fixes are, in fact, just registry updates adding more of those "kill bits".

    Examples: http://www.microsoft.com/technet/security/bulletin/fq99-032.mspx
    http://www.microsoft.com/technet/security/bulletin/fq99-037.mspx
    http://www.microsoft.com/technet/security/Bulletin/MS02-055.mspx
    http://www.microsoft.com/technet/security/Bulletin/MS02-065.mspx
    http://www.microsoft.com/technet/security/bulletin/ms02-055.asp
    http://www.microsoft.com/technet/security/bulletin/ms03-038.asp
    http://www.microsoft.com/technet/security/Bulletin/MS03-038.mspx
    http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-038.asp
    ... and many-many-many more of these holes (just search for "kill bit" with the quotes)

    --
    throw new SuccessException("Sig read successfully");
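The comment above describes two registry-backed mechanisms: the CATID_SafeForScripting category a component advertises, and the per-CLSID kill bit that IE patches set. As an added example (not code from the post or from Microsoft), here is a small audit that parses a constructed `.reg` export and lists components that are marked safe for scripting but have no kill bit set, i.e. the scriptable attack surface the comment is talking about. It assumes the documented locations: category membership under `HKCR\CLSID\{clsid}\Implemented Categories\{CATID}` and the kill bit as bit 0x400 of the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{clsid}`; the CLSIDs in the sample are placeholders.

```python
import re

# Constructed .reg fragment (placeholder CLSIDs, not real components).
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000002}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-0000-0000-0000-000000000003}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000000
"""

# CATID_SafeForScripting (documented GUID); CATID_SafeForInitializing ends in ...802.
SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE loading the control

GUID = r"(\{[0-9A-F-]+\})"
CATEGORY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\" + GUID +
                         r"\\Implemented Categories\\" + GUID + r"\]$", re.I)
COMPAT_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
                       r"\\ActiveX Compatibility\\" + GUID + r"\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.I)

def parse_reg(text):
    """Return (set of CLSIDs marked SafeForScripting, {CLSID: Compatibility Flags})."""
    scriptable, flags, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := CATEGORY_RE.match(line):
            current = None  # a category key ends any ActiveX Compatibility section
            if m.group(2).upper() == SAFE_FOR_SCRIPTING:
                scriptable.add(m.group(1).upper())
        elif m := COMPAT_RE.match(line):
            current = m.group(1).upper()  # values that follow belong to this CLSID
        elif (m := FLAGS_RE.match(line)) and current:
            flags[current] = int(m.group(1), 16)
    return scriptable, flags

def unkilled_scriptable(text):
    """CLSIDs IE would still instantiate from a web page: scriptable and not kill-bitted."""
    scriptable, flags = parse_reg(text)
    return sorted(c for c in scriptable if not flags.get(c, 0) & KILL_BIT)

if __name__ == "__main__":
    for clsid in unkilled_scriptable(SAMPLE_REG):
        print("scriptable, no kill bit:", clsid)
```

On a real machine the same logic runs over `reg export HKCR\CLSID` and `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"` output; the result is the list to compare against the kill-bit bulletins linked above.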