Image Handling Flaw Puts Windows At Risk

An anonymous reader writes "Microsoft has released word that several image handling flaws may open Windows PCs to Spyware or viruses. From the article: 'We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications.'"

Huh?

Windows wasn't open to spyware and viruses before?

DUPE

[42Penguins]

This vulnerability is a dupe!
Windows has already had an image handling flaw!
Oh, it's Windows. False alarm.

Re:DUPE

So a lot like Firefox. Multiple GIF and JPEG arbitrary code execution vulnerabities found to date, though only one PNG arbitrary code vulernability (best vegas odds for the next FireFox image vulnerability?). OS X has to pick up the slack when it comes to some of the more obscure formats, having suffered execution vulnerabilities in oddball stuff like PICT.

Re:DUPE

[eln]

Times like this, you wish /. would use some other format for the posting date. Maybe one with the year in, for example. Sheesh.

If only there was some place that you could configure how posting dates are displayed. Perhaps in your user preferences somewhere...

Critical Bug?

[geomon]

Okay, so it is critical. The advisory contains the patch to correct the problem. This only becomes an issue if Windows users don't patch their machines.

What is the likelihood that users won't patch their machines? (cough!)

From TFA:

Mehta doesn't expect the latest Windows flaws to be exploited in a widespread attack. "We're not bracing for any major worm or malware outbreak, but we do expect them to be used in targeted attacks," Mehta said. "There is user interaction required, there has to be someone sitting at the other end in order to be compromised."

Yeah, like viewing an image from usenet. No one ever does that.

Re:Critical Bug?

[Marxist+Hacker+42]

Not just any image- a MetaFile. Other than when I'm on a Windows Machine using the Clipboard, I stay away from those suckers. They can, and do, contain just about anything.

Re:Critical Bug?

[ninja_assault_kitten]

No, it also becomes a problem when/if the patch breaks something else, like it did with one of last months security fixes.

Re:Critical Bug?

[geomon]

So usenet is dead?

Netcraft confirms it!

Re:Critical Bug?

[conJunk]

What is the likelihood that users won't patch their machines?

Well, it went up on the slashdot mainpage, so that likelihood for a great number of users is a lot lower than it would have been.

The 35 users I'm responsible for just got an email instructing them on how to to do the patch, with links to the patch execs that now live on our local file server.

This model -- (1) Microsoft announces it; (2) I hear about it on /. or security focus (usually both); (3) my users hear about it from me -- works well.

Sure, that's a drop in the bucket for windows PCs, but the point is that the communication chanels are open, and as long as people have the oportunity to hear about these things, we can reasonably expect them to be responsible for implementing them

Of course, that's not an excuse for making vulnerable software in the first place...

Re:Critical Bug?

[shmlco]

Of course, we also have recent announcements of imaging bugs and vulnerabilities in Apple's QuickTime that can allow machines to be hijacked. As such, I gather *nix systems can and do have similar problems.

Re:Critical Bug?

[ozmanjusri]

So usenet is dead?

alt.binaries.necrophilia has been very quiet lately.

Re:Critical Bug?

[geomon]

As such, I gather *nix systems can and do have similar problems.

The volume is different, to be sure. That is probably an artifact of the number of users running the OS.

But your point is well taken; no operating system is immune to attack. Unfortunately, Windows users generally lack the discipline to patch their machines regularly. I don't know many *nix system users who do not perform regular updates.

That probably accounts for the low infection rates of *nix-related system.

Re:Critical Bug?

[drsmithy]

I don't trust Microsoft [...]

Then why would you try to install the patch in the first place ? Heck, why would you even be running Windows ?

Re:Critical Bug?

[Taladar]

Aren't you putting users at risk when telling them to patch in an Email? After all there are lots of scams with that theme (big vulnerability, patch here, patch is trojan).

Managed code

[HeaththeGreat]

This is why we need more managed code.

Re:Managed code

[plalonde2]

But all the managed code's libraries weren't necessarily written in managed code. It's easy to see how "trusted" formats can have various pointer-arithmetic unchecked. Consider an image format that includes an offset to the start of some of its data: intercept the image, change the offset, and off you go at least feeding bad data to the application. Few loaders check that all these kinds of binary data are in range, programmers are lazy and just add the offset to their pointer :-( I guess more and more loaders will be checking more carefully now...

Re:Managed code

[Johnno74]

I think the GP post's point is the loader should be written in a managed language... and I agree. Eventually I think we'll see unmanged code regarded in the same way as inline assembly is today - great for the places where you need absolue balls to the wall performance, but otherwise stay away from it.

Lets face it, except for corner cases managed code is usually within a few % of the same speed as unmanaged code, and that few % isn't always on the slow side either.

Of course its possible to write crap managed code, but its a hellava lot easier to write good managed code than good unmanaged code.

Practice safe image viewing folks!

[nizo]

Or your computer could get an STD (Screenally Transmitted Disease) from viewing pornographic images.

Re:Practice safe image viewing folks!

[Crimsane]

Phew, i'm safe.

My computer has already been crippled from a number of trojans...

Re:Practice safe image viewing folks!

[oberondarksoul]

I get enough funny looks from my housemates already. I am not putting a condom over my monitor.

Ack!

[rubberbando]

So now not only will looking at the goatse picture make you vommit, it will take over your Windoze PC!

Will the horrors ever stop?!!

So, Windoze merely has an image problem?

It's not really a fundamental flaw?

MSN Messenger felled by this months ago

[saskboy]

Both jpg and png was flawed in Windows, MSN Messenger, and even other image apps by a buffer overflow exploit where a specially crafted jpeg file with a virus "attachment" would crash the program and execute virus code. I have to agree that if they are still finding flaws, we'll be stuck with them for a while. Just imagine, every Windows 98 computer out there probably has this problem too, and there's no way it's going to be really fixed. It will never be safe to run even "safe" things like jpg and mp3 on old computers now. It's very, very disapointing news.

In a Messenger program that is always accepting new input in the form of pictures and messages, it's especially dangerous because anyone who's online will instantly become a zombie spewing out infection to their friends on their contact list. You really will get viruses through your personal contacts more than spamming-strangers in the future.

Re:MSN Messenger felled by this months ago

[webzone]

the current flaw affects WMF (Windows Metafile) and EMF (Enhanced Metafile) file formats only. This is not the same thing as any jpeg or png-related vulnerability

Of Course

[NanoGator]

Of course, I think the developers who left these vulnerabilities open should be financially responsible for the damage this may cause.

Re:Of Course

[Mistshadow2k4]

Here's why these things happen so much with Windows: no developer ever sees all of the code, only their own portion. They don't work together. One developer has few, if any, clues what the other developers are doing. This is Microsoft's idea of securing the code (Didn't work, did it?)

Traditionally, Microsoft Windows is built by thousands of software engineers, each producing their own segments of code that are stitched together into one program. From Microsoft Admits Trouble with Windows

Imagine it this way. Joe, Bob, Dave and Greg are coding a program. Each of them is assigned different parts of the same program. Bob's code conflicts with Greg's. Dave's code covers part of what Joe wrote, but accomplishes the same thing in a different fashion. Nobody writes a bit of code that would protect the program from a vulnerability to a certain file type.

Now multiply that by a few hundred, like a freakin' huge patchwork quilt added onto and re-sewn by generations of half-blind seamstresses. That's how Windows has been written, from 95 and on. So are the indivdual developers to blame? Some certainly could have been lazy or just mistaken (and probably have been). But since Microsft has deliberately made the code for their OS into such a total mess, how could you find out which developers to hold responsible? So you see, the problem isn't really Micorosoft's developers, it's Microsoft the company.

Now, normally, I'd agree with you. If you've got, say, 20 developers on a project working together and a vulnerability like this crops up, they are directly resposible. But in a case when they are effectively working blind at the company's behest, they don't know what their co-workers are doing or have done, so they can truthfully say they only did the part they were supposed to and wasn't that supposed to be taken care of by Department Z and not even be passing the buck, just confused.

When writing a parser, length checking is a must

[Harry+Balls]

When writing a parser (for a graphical or non-graphical data file) it is advisable to sanity check the input data at every step.

Consider ASN.1 data (used, for instance, for digital certificates, certificate revocation lists, certificate requests and so on).
Each and every ASN.1 data element and each and every sub-element contains a length field. The ASN.1 parser should check whether the length field of a sub-element goes beyond the length of the enclosing data element, and so on ad infinitum.
If the parser detects a violation, parsing stops.

Another brownie point for the cause of DRM?

[xclay]

It's a tangental thought, but the debate around online security, including this one, seems to be paving a wide path for DRM, or more centrally-managed content distribution methods in commercial applications.

Re:Another brownie point for the cause of DRM?

[plover]

I'm not sure how you extrapolated that. What makes you think the DRM code is going to be somehow "more resistant" to buffer exploits? It just shifts the focus from the "media viewer" portion to the "DRM decoder" portion of the software. But there are still buffers involved.

Besides, if you're passing "unprotected" content around you'll still have these issues. Not every JPG is going to suddenly be digitally signed and encrypted. Assuming the same "media viewer" application, you'll have the same bugs.

If anything, the DRM code just adds another layer of interpretation that's open to attack, making your system "less safe" rather than "more safe." More code == more potential for bugs.

phishy... phishy...

[lcde]

'We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications.'

In a later interview:"Only one known product suite on the market can protect you from these ongoing threats. MS-AntiVirus and MS-AntiSpyware. Only these two programs are equipt with the proper image handling algorithims to detect these known flaws inherent in all programs."

This seems like a big scheme to get people on their proprietary AV and AntiSpyware programs. Lets see... Find hole, fix hole, release press release about hole, plug product, patch hole for product users.

eesh.we will see.

Re:phishy... phishy...

[Senzei]

So current vulnerabilities in microsoft image processing libraries are going to be used to promote a currently nonexistant (and possibly never-existant) commercial antivirus/antispyware system? What I want to know is where the tin-foil-hat code let you give someone your address so they could deliver all the crack.

An interesting question

[ThePyro]

Microsoft's .NET platform, which is supposed to be managed code, has built-in support for rendering WMF and EMF images (the image formats that are affected by this security vulnerability). So are applications written in .NET still vulnerable to the buffer overflow exploit, or was the underlying rendering code rewritten for the managed environment?

Writing managed applications won't protect you (completely) if the underlying framework isn't also managed.

Re:An interesting question

[dgatwood]

No, it isn't. There are plenty of ways to fix programming languages so that they don't have a risk of buffer overflow exploits without the performance hit of some bloated vitual machine. All that is really required is for there to be a lot stricter checking when doing operations involving pointers.

Change the following:

1. No static buffers. All buffers declared in a static fashion should be replaced by run-time dynamic buffers of the same size. This way all data objects are managed by malloc. This creates a slight performance hit, but not much. This alone nearly eliminates the possibility of buffer overflows resulting in execution because arrays are never on the stack.
2. Make each malloc store the size of the region right before the pointer. Then, when the compiler generates an array dereference (the first time it does so for a given index), it should do something like "cmp index,0; bl ERROR; cmp index, @(baseptr-4); bge ERROR;" where ERROR triggers a segfault programmatically.
3. Pointer arithmetic: the in-memory storage for a pointer should be increased to twice the actual architectural size of a pointer. When arithmetic occurs, the pointer should be stored as a base followed by an offset. This way, the original base address is always available, and thus, the original size is always available.

It's easy to very nearly eliminate these problems without every memory access being managed through a virtual machine. It's easy to fix this without a heavyweight runtime environment. It's easy to fix this without any changes to the C language at all beyond the compiler level. So why don't we? If the choice is between a relatively small performance hit doing array bounds checking and a huge performance hit from everybody doing this managed code crap, the decision should be a no-brainer....

Re:An interesting question

[SilverspurG]

How about we just raise the bar on coding practices and actually secure programming? Maybe we could teach strict logic flow structures.

The biggest excuse I hear from programmers for why they've violated strict logic flow is always,"Well, I was coding for speed and efficiency". With 3.0+GHz machines, what does it matter anymore? It's all a lot of hooey, too. The person learned that excuse from someone in 8th grade and they've latched onto it. When pressed they rarely even know what logical structure they've violated. They only know the excuse.

I think the biggest problem facing us is the inundation of object oriented programming languages. There's very little need to learn the strict mathematics of programming anymore. It is this laziness, and not any particular language, which is the root cause of the problem. Programming environments with sandboxes (ie. Java) are band-aids to a bigger problem.

The problem is with lazy programmers.

Re:An interesting question

[UncleFluffy]

The problem is with lazy programmers.

I've posted this before on Slashdot, so apologies for the dupe, but...

My first technical question in an interview is "what is wrong with this C code?"

void echo(void) { char *s; gets(s); puts(s); }

Over 50% of the "experienced C coders" I interview fail to get the answer right, and this has been a constant for about the last five years. Scary, isn't it? What's even scarier is when an employer hires them after I've flagged this in the post-interview chat.

Re:An interesting question

[rblum]

Oh, great. Another person testing for memorization of language details. The correct answer is, of course: "It will not compile, since you forgot to provide headers". (Yes, I know the problem with gets - but smart-ass questions get smart-ass answers. And it actually does matter - who am I to say if you don't have your own version of gets?)

Re:An interesting question

[cbiltcliffe]

I was going to point out that "unnessacerally" was spelled incorrectly. I was then going to suggest that you could use Google as a spell checker, by typing your spelling into it, and seeing what it suggested with its "Do you mean...." thing.

Then I went and typed that spelling into Google, and found out that enough people have spelled it incorrectly on the web that Google doesn't know how to correct it, and suggests another incorrect spelling.

Correct spelling is "unnecessary".

Now, mod me down as a pedantic twit.

typical case of code-based formats

[radarsat1]

The WMF and EMF formats are just basically little programs full of GDI instructions. When you create one, you execute a bunch of GDI calls, with the WMF file as your Device Context. So essentially it's a shortcut-- an "easy" way to create a file format, based on the structure of the operating system's drawing code. I don't know about how the potential exploit works, but at first glance it seems like this is a typical case of designing a file format for "code convenience". Loading the file basically consists of loading a series of instructions and executing them. Now THAT sounds like a good idea! Easy to code for, but also easy to take advantage of. In other words, it's a lazy approach to coding. Lesson to be learned: File formats can be complicated! They must be designed to be a good *format*, not just to make coding easier. The more Microsoft designs its own file formats for each new technology it comes up with, the more we'll see this kind of thing. Better to find out what file formats are already out there, finding one that suits your needs, and supporting THAT, instead of coming up with one on your own. This is a case of re-inventing the wheel, badly.

Re:typical case of code-based formats

[cnettel]

Oh, a file format based on instructions, just like, uh, PostScript?

If you want detailed control over layout, especially with low overhead for rendering, an instruction based approach is quite good. The point is that no GDI call, in itself, should be able to mess things up and simple parameter validation of the WMF input should be enough when spooling the calls.

(Hey, Postscript is even Turing complete. There's nothing wrong with describing a picture as instructions to a state machine with some rendering primitives.)

Besides, WMF is 15+ years old now. The availability of formats for vector graphics that matched the features of GDI (while not being expensive, money-wise or performance-wise, to render by GDI) back then was a bit different. The format has never been used much for real files, but quite a lot for clipboard transfer of vector data (Excel graphs and whatnot).

Re:typical case of code-based formats

[elsilver]

Loading the file basically consists of loading a series of instructions and executing them. Now THAT sounds like a good idea!

I'm sorry, but how does this differ from any other vector-based graphics file format? Of course it's the instructions for how to draw the item. Of course they are executed. What else would you want them to do?

This is also how Postscript and PDF work. Actually post script is more than simple instructions, it is actually a programming language. This is part of why Apple/NeXT chose to use PDF for their native graphic format on OS X, rather than PS as they used for NeXTStep. One of their concerns was, theoretically, printing a file could execute code to do something nasty like reformatted your HD. The commands the PDF contains have more limited access to the environment.

This is also how the new MS Avalon (I think I've got the right code name) drawing engine works.

So the moral of the story is not that vector-, or instruction-based graphics formats are bad, but that only a limited set of commands is needed, along with some good sanity checks.

E.

Sorta like this quicktime one

[MushMouth]

While I hold no place in my heart for microsoft. Quicktime appears to be having a very similar problem. But also remember that the libjpeg and libz also had similar problems exploitable on Linux patched in the last year. Expecting an OS, ANY OS to save you is a bigger security threat than some exploitable jpeg code.

I like this line of Grade-A bullshit....

[HotNeedleOfInquiry]

"We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications."

If a programmer is taking the time and effort to interpret a complex file format, why can't he also take the time to validate it.

Re:I like this line of Grade-A bullshit....

[cnettel]

Of course you are right, but you are also ignorant if you don't realize that writing something that seems to interpret every valid file correctly is far easier than writing something that will accept every valid file and reject any invalid file, gracefully. Not to be said that it can't be done or that it shouldn't have been done. Just that it's far more difficult. Even when it's short and seems rather solid. zlib, anyone?

Guy is from Internet Security Systems

[badriram]

Internet Security Systems != Microsoft.

This has nothing really to do with IE. IE here just happens to be a vector. If FF on windows was depending on those libraries to display those image formats they would be vulnerable as well.

Re:Time to switch to Macintosh

[evw]

You're confusing exploits with vulnerabilities. There have been plenty of vulnerabilities or haven't you been following all the security updates?

List of security updates for Mac OS X

Take for example Security Update 2005-008

This update includes the following components:

ImageIO
LibSystem
Mail
QuickDraw
Ruby
SecurityAgent
securityd

Hmm. A security update that touches the ImageIO library?

p.s. before you flame/mod me into oblivion, I'm a happy Mac OS X user. Yes, Windows has way more bugs and a much worse security record. Is OS X invulnerable? No.

Ironic. 9x not affected.

[Tackhead]

> Just imagine, every Windows 98 computer out there probably has this problem too,

Ironic.

Non-Affected Software:
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

- MS05-053 security bulletin

The usual MS obfuscation for "because we don't support 9x anymore, by definition there are no critical updates for 9x" is to state that 9x is "Not Critically Affected", with a URL to a page that defines "critically affected" in such a way as to exclude 9x.

"Not Affected", as claimed in MS05-053, is a stronger claim. That's not to say there aren't similar bugs in image-handling in 9x; only that the hole in this notice probably doesn't affect 9x.

The real threat

[griffinn]

"Microsoft has released Word"

That is the real threat, my friend.

This is probably going to get modded as funny, but

[Patchw0rk+F0g]

...I've been trying to get porn flash ads off MSNBC and Yahoo for weeks now, at home, when at work the sites are just fine. Spyware, right? Well, Spybot, Norton, and AdAware say... a resounding "No". Nothing there. Yet the front page of MSNBC and my Yahoo mail still have ads for some guitar software, daBoink.com, and some fucked-up screensaver rotating with nauseating frequency.

Oh, and before you ask... twice a week virus scans, two noted spyware blockers, and a reliable firewall. How reliable? Shit, /. port-scans me every time I freakin' post!

Okay, now go on and say it... all together now... "Serves... YOU... ......."

I've got the solution!

[SeaFox]

Only use plain text email and turn off all image loading in Internet Explorer!

Not only will this stop the spread of viruses, it will drive hundreds of thousands of noobs off the internet. Usenet will be stored to it's former glory and AOL will go out of business. Marketshare of Linux and MacOSX will skyrocket and peace and balance will be restored to the Force!

Re:Time to switch to Macintosh

[PsychicX]

Normally I'd point out that if MS actually used third party libs for things like PNG and JPEG, they wouldn't have these problems (no more than anyone else, anyway). But since this applies to metafile bitmaps, which basically nobody uses, there's nothing to be done.

Adblock filters

[TopSpin]

Add *.wmf and *.emf to your adblock filters (I presume if you browse with Windows you're using Firefox and Adblock, otherwise...) These formats hardly ever appear on the web. If you see one, it's probably an exploit.

Re:ReadOnly OS

[Dan_Bercell]

http://www.faronics.com/html/deepfreeze.asp

A good product for public places like schools/libraries...etc

If you actualy wanted to use such a product I guess it is possible (although probably annoying) to use it on a personal computer (idealy for kids).

When I tested this out for a client (public library) I browsed around and obtained several viruses/spyware variants, rebooted and all was fine :)

what is wrong with that code

[r00t]

You might hit unwritable (possibly unmapped or kernel) memory before your uninitialized pointer overflows the stack. This makes the backdoor very unreliable. Also, on a 64-bit machine, you might have to transfer many terabytes of data.

Fixed code:

void echo(void) { char S; char *s= gets(s); puts(s); putchar('\n'); }

Note that the fixed code neatly avoids many stack protection mechanisms by not using a normal array. An improvement would be to use a more interesting struct to hold the data, with enough room to hide the backdoor from testers.

Uh, this was intended to be a backdoor, right? You didn't say what the code was expected to do.

Re:what is wrong with that code

[UncleFluffy]

The code was different when I posted it. As usual, Slashdot eats my punctuation

Yeah, yeah, "the dog ate my homework". Heard it before ... ;-)

Image handling exploits can be good, too

[UfoZ]

Maybe it's a bit ironic that sometimes exploits like this can be considered "good" - for example, just recently a buffer overflow vulnerability in libtiff opened up the way to running homebrew code on the PSP 2.0 firmware. Of course, Sony patched up the hole in the next update.

Fortunately, PSPs aren't getting remmotely compromised over the internet (yet?...) Windows boxes are a whole different story, though :)

Re:Avoid useless Adblock filters

[adtifyj]

Mozilla won't download these files from the internet anyway.

Bug 88691 : [RFE] ability to show Windows Metafiles (for windows only builds) referenced by <IMG> is desired

...
Why do we need to add Windows Metafiles support to the imagelib? Nobody uses it on the net. WONTFIX!

Re:complex file formats?

[Xyrus]

XML == Big fat files.
Binary == Little compact files.

Plus add the parser, schema, etc. and you got yourself a big chunk of bloat. A simple RIFF style binary file with GOOD coding practices will be much smaller and more efficient.

Good example: At a past employer, we wrote software that would generate output data files. They used to be binary, and were roughly 25 to 30 KB in size. Then the whole XML hype set in and our customers just had to have it all in XML. Now output files are between 1 and 2 MB, plus roughly 8 MB of support files (Xalan/Xerces), and they're slower to load. We could have rolled our own, but try justifying the extra cost to the customer.

Don't get me wrong, XML has its uses. But fast, efficient data storage isn't one of them.

BTW, there is nothing wrong with using pointers. You just need to know what you're doing. Programmers who write shoddy code with pointers says more about the programmer than the concept.

~X~

Re:To Finish Microsoft's Quote.....

[drsmithy]

Lemme finish off that ... for them. "... until we learn that integrating IE directly into the OS was the biggest fuckup we ever made."

Let me guess, you're one of these dimwits who think "integrating IE directly into the OS" means it's part of the kernel ?

Re:What the hell is it about buffer overflows?

[HermanAB]

The main cause is the C string operators, which traditionally use Null terminated strings. So the potential length of a string is unlimited. In Linux, functions like gets() are (have been) phased out in favour of getsn(), which has an explicit length:
int getsn(char *cp, int size);

This has been a huge effort executed using automated search methods and hand coding, to vet enormous amounts of Free code. Consequently the quality of GNU systems have improved dramatically, while the same cannot be said for MS code.

The problem is that if you overflow a buffer defined on the processor stack, then you can force a new return address into the Program Counter when a routine exits, thus giving the attacker control over the next piece of code to execute. This pice of code is typically part of the string that was used to overflow the buffer.

Re:Time to switch to Macintosh

[R3d+M3rcury]

Hear hear! Actually, my favorite was the one in ColorSync. Very scary stuff, because some programs ignore ColorSync profiles, so you might still be able to view your images. But Safari and IE do not ignore them...

As an aside, this is where the the comment about "Macs have no viruses because they have low marketshare" holds some sway with me. I agree with everyone who says Macs are more secure than Windows, don't get me wrong. Once your code is running, it's much tougher to do anything to spread a virus in the same way that viruses spread in Windows. But part of it is that nobody really does the immense amount of reverse engineering necessary to write a virus or worm based upon an a published vulnerability. While, with Windows, an entire cottage industry has been built to figure that stuff out because there's money in it.

These things, as with many things in life, do not stem from one reason. Windows has viruses because of poor security. Windows has lots of viruses because of marketshare. Macs have fewer viruses because of better security. Macs have no viruses because of marketshare.

No. No. No.

[Just+Some+Guy]

As an aside, this is where the the comment about "Macs have no viruses because they have low marketshare" holds some sway with me.

Apache hosts vastly outnumber everything else combined. Postfix/Sendmail/Qmail/Exim probably have 90% of the email server market. There are many more installations of MySQL than MSSQL. And yet, how many worms have you seen roaring through the Internet unstopped that affect those applications? By any count, relatively very few.

And yet the bad guys, who even have the full source code to each of those, haven't had as much luck attacking Unix-based systems as Windows, even though Unix basically owns the Internet server market. So much for the "market share == vulnerability idea", even though the prize for owning a Unix server on a fat pipe is much greater than owning a Win95 box on a dialup.

This hypothesis gets trotted out every time the subject comes up, but it really needs to die. The overwhelming amount of evidence supports the theory that solid design is the path to good security - obscurity doesn't seem to have much to do with it.