Hot on the heels of yesterday's batch of updates from Microsoft patching five critical Windows vulnerabilities come reports of new zero-day exploits, some that appear to allow the commandeering of a PC. They underscore a growing pattern in which miscreants release their payloads shortly before or after Patch Tuesday. According …
6 years later
What I want someone at Microsoft to answer is this: how bad is your operating system when researchers and crackers are still finding flaws in it after six years? You'd think that they would have found all of the vulnerabilities by now. On a side note, I find it vaguely amusing that less than two months after Microsoft releases their "most secure" operating system to the public, there have already been two vulnerability alerts. So business as usual, then?
Vista has been out 5 months, not 2 - and the animated cursor exploit will not do any harm to a Vista machine due to the IE7+ protected mode.
1 hole in 5 months. That's more than RHES! ;-)
This isn't really news any more
"new zero-day exploits, some that appear to allow the commandeering of a PC"
What's new? Spam botnets have been in existence for ages.
To be fair, I'm pretty sure that Windows has over 95% of the market share. That means hackers target it more than any other O/S. I'm also pretty sure that it has more code than any other O/S, and if it's so bloated it has to come on a DVD, not a CD, then more lines of code = more holes = more vulnerabilities. Does anyone know if Tiger or Linux have fewer vulnerabilities per line of code than Windows ? Doubt it.
None of this is news, of course, but I still thought it worth mentioning.
RE: 6 years later
Funny, I was using Mandrake (now Mandriva) Linux between 4 and 6 years ago and used to get regular security notifications about security issues covering buffer overflows etc. So by Chris's reckoning I should now not see any on their site. Funny, really: they are still there.
Insecure by Design
Paul Anderson brings up the common argument used to explain why windows is the primary target for malware authors. Sadly this is little more than denial that Microsoft software does have some serious issues.
(Yes windows is certainly the most common desktop operating system, but it definitely doesn't have 95% of the server market!)
One undeniable reason there are so many exploits for Windows is that it is so easy to create them - and that is simply down to its insecure design. Until Vista, Windows simply didn't have the same process memory protection and [effective] privilege based safeguards which are built into other OSes from the ground up. I even read recently that IIS was coded to share *kernel* memory space in an effort to get it to perform on par with *nix based webservers. No wonder script kiddies can walk into most IIS hosted websites - any flaw in the webserver software can be used to gain control of the entire machine it's running on.
Buffer overflows forever! Long live C++ !!
I'll make a daring and scandalously accurate prediction: Next month there will be _another_ Microsoft Windows fix to patch a vulnerability caused by a, *! GASP !*, buffer overflow!
This would have been fixed if, years ago, billg's C++ compiler simply limited input to the intended length and didn't let anything else in once the buffer was full. But that would be like building a house where all outside doors always come with locks, and we all know that nobody builds houses like that.
-> Well, they do, don't they?
-> What, I'm wrong?
-> Oh, billg is smarter than me, and he has more money.
--> So he must be right? Yeah sure! We'll see next month .....
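The comment above argues that the compiler should "limit input to the intended length". The added example below (not from the thread, and not Microsoft's or anyone's production code) shows in C why that is not something a compiler can do for a plain `strcpy`: the destination is just a pointer, so only the programmer knows how big the buffer is. The record layout is constructed for the demo: a 16-byte name field followed by a 4-byte `is_admin` flag inside one 24-byte array, standing in for a stack frame or heap object where a fixed buffer sits next to data an attacker would like to change. The unbounded copy is kept inside that array so the demonstration has defined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout for the demo: 16-byte name field, 4-byte flag,
 * 4 spare bytes so the overlong input below stays inside the array. */
#define NAME_LEN 16
#define REC_LEN  (NAME_LEN + 8)

/* The is_admin flag lives in the four bytes right after the name. */
static int read_flag(const unsigned char *rec) {
    int flag;
    memcpy(&flag, rec + NAME_LEN, sizeof flag);
    return flag;
}

/* Vulnerable: the classic unbounded copy. strcpy stops at the NUL in src,
 * not at the end of the 16-byte field, so a long name spills into the flag.
 * The compiler cannot stop this: rec is only a pointer, its size is unknown. */
void set_name_unbounded(unsigned char *rec, const char *src) {
    strcpy((char *)rec, src);       /* no length, no check */
}

/* Hardened: caller passes the field size; copy only if src plus its NUL
 * fits, and report failure so the caller can reject the input instead of
 * silently truncating it. Returns 0 on success, -1 if src did not fit. */
int set_name_bounded(unsigned char *rec, size_t field_len, const char *src) {
    size_t n = strlen(src);
    if (n >= field_len) {           /* need one byte left for the NUL */
        return -1;
    }
    memcpy(rec, src, n + 1);
    return 0;
}

/* Flag value after an unbounded copy of src into a fresh record.
 * Starts as 0; any nonzero result means the copy clobbered it.
 * Returns -2 if src would even overrun the demo array itself. */
int flag_after_unbounded(const char *src) {
    unsigned char rec[REC_LEN];
    memset(rec, 0, sizeof rec);     /* empty name, is_admin = 0 */
    if (strlen(src) + 1 > sizeof rec) {
        return -2;
    }
    set_name_unbounded(rec, src);
    return read_flag(rec);
}

/* Flag value after a bounded copy; -1 means the input was rejected. */
int flag_after_bounded(const char *src) {
    unsigned char rec[REC_LEN];
    memset(rec, 0, sizeof rec);
    if (set_name_bounded(rec, NAME_LEN, src) != 0) {
        return -1;
    }
    return read_flag(rec);
}

int main(void) {
    /* Constructed inputs: a short name, and 16 'a' followed by four 0x01
     * bytes that land exactly on the flag after an unbounded copy. */
    const char *ok  = "alice";
    const char *bad = "aaaaaaaaaaaaaaaa\x01\x01\x01\x01";

    printf("unbounded, short name : flag = 0x%08x\n", flag_after_unbounded(ok));
    printf("unbounded, long name  : flag = 0x%08x\n", flag_after_unbounded(bad));
    printf("bounded,   short name : flag = %d\n", flag_after_bounded(ok));
    printf("bounded,   long name  : result = %d (rejected)\n", flag_after_bounded(bad));
    return 0;
}
```

The bounded version is what "limiting input to the intended length" actually costs: one extra parameter and one comparison that the programmer has to write. Compilers can only help when the destination size is visible to them; gcc's `-D_FORTIFY_SOURCE` with optimisation on, for instance, turns `strcpy` into a checked call when the destination is a local array of known size, but it has nothing to check against once the buffer is reached through a pointer as above.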
RE: RE: 6 years later
You seem to have missed the key point about the original poster's comment:
Windows XP: 6 years old.
Mandriva 2007.0 (clue's in the number): less than one year old.
Apart from that: of course, if you know that your enemy is only going to respond once a month, you wait till after they have, so that they can't respond where you've attacked from...
The fact that your users only need check every day when there is a *serious* problem makes things really easy for your average sysadmin.
Re: Insecure by Design
Sean Healey overlooks one really insecure design problem - the user. A large number of Windows PCs that are compromised are either because they aren't patched or require a user to do some action they have been advised not to - such as send large cheques off to Nigeria. If Windows disappeared tomorrow, all these insecure users will be using something else and not patching that either.
6 years again
Did I really miss the point? The current Linux Kernel 2.6 was released in Dec 03 (with only minor version increments since) and XP Service Pack 2 was released in 2004. Neither product is the same as it was 6 years ago, and bugs will always be found as long as humans are writing code, no matter how long ago the software was written.
And do you really think a 6 or 12 month turnaround for a new Linux distribution doesn't heavily rely on a previous version? The likelihood is that the Mandriva 2007 core distribution is not a lot different from the 2006, 2005 etc. versions.
RE: 6 years again
OK, John, even if I agree with everything you've said here, I would have to ask the question: How many of those Mandriva vulnerabilities are kernel-related, and how many are third-party packages? I'm not saying there are no kernel-related fixes. But the number of kernel-related fixes is certainly lower than the number of kernel-related fixes for WinXP every month.
My main point was that your system isn't very good if you're still finding bugs years later. And I don't limit my criticism to Windows, either. If versions of the Apple OS or Linux still contain bugs in the kernel after 3 or 6 years, then it wasn't designed properly. It's just that Windows seems especially poorly-coded when you consider the number of bugs already fixed.
There are 9 Linux Kernel Security Advisories for 2007 so far - http://secunia.com/product/2719/?task=statistics_2007 - and 14 for Windows XP Pro (but that is all of Windows, not just the kernel - Windows does tend to be more at risk, but then you usually have anti-virus, which often mitigates the actual attacks).
As of 2003 there are "5,929,913" lines of code in the Linux Kernel 2.6 (if you believe Wikipedia) - probably about 1000 thick paperback books. If you think you can get that error free and able to handle every possible situation it is placed into, you are a better coder than I.