Re: OT: Myth # 13: Macs Are Safe From Malware Attacks

PC Guy wrote on 26. May 2007:
>
> "Andreas Kohlbach" wrote in message
> news:only_broken_newsreaders_show_this_in_the_body.87k5uv408 d.fsf@usenet.=
ankman.de...
>
>> The Windows code is broken.
>
> So we've been told. Unfortunately we've never seen any proof to
> support this claim.

That's why it's Closed Source one can only assume.

>> It was patched and patched again since 1995, as all recent Windows base =
on
>> Windows NT from 1995. Since no one at MS has access to the complete sour=
ce
>> code they cannot just "fix" a bug as they cannot know of side
>> effects to code
>> they have no access to. They more or less built work arounds to a
>> bug. A similar
>> exploit might still be successful after "fixing".
>
> And this is unique to Microsoft how?

A fixed bug in other OS were not triggered by similar exploits for my
knowledge.

Another thing is the "broken by design" issue. At least 2000/XP still
came with default listening services and so responding ports (namely
137-139, 445). Which caused action by most of the ISPs to filter those
ports by default for their (residential) customers.

Or the Internet Explorer with countless bugs and strange behavior. Like it
was (or still does?) check the file's header. If a file with the
extension *.mid was to be launched it thought "Oh, MIDI isn't dangerous
so I can start it", but then checks the file's header, let's say it is an
executable, and since it determined *.mid isn't dangerous it would start
it (the executable).

A more harmless thing was TXT VS HTML. If you have a file.txt, and even
if the server sends the MIME type "text/plain" but the file starts with



the IE will (or did until 6.0?) render it in HTML.

This and other things are called "broken by design". No real bugs since
intended, but still dangerous.

>> While on Unix anybody has full access to all code and can determine if a
>> bugfix has side effects to other routines. Unix code is really fixed and
>> a similar exploit shall have no success.
>
> You're confusing open source with UNIX.

UNIX is, depending on its flavor (BSD, Linux...) Open Source.

>> It's a matter of open source.
>
> Makes no difference. Open source has not been shown to be any more
> secure than closed source.

Bug fixes work. And are done in a very short time because anyone could do
it, while MS has the Patch Day [TM] where you usually have to wait. And
still not all bugs will be fixed.

and others have lists of what OS has the most
not fixed bugs. Guess which one. ;-)

>> MS should throw away all code and design the coming Windows from the
>> scratch. Which they won't. We will see much more successful exploits in
>> Windows than in Unix. Not only because Unix isn't that far spread.
>
> Primarily because UNIX is not that far spread.

One true thing. Still it would be interesting to see how MS and UNIX would
compete at equal market share. But we'll never know since this won't ever
happen.

[...]

>> For example the Apache, based on Unix/Linux web server has a bigger mark=
et
>> share than the MS web server, but wasn't that vulnerable than the ISS
>> was.
>
> From what I can tell Apache has had more vulnerabilities than
> IIS. Especially IIS 6.0.

Source of this statement?

I cannot recall a greater impact than back in 2001 when "Code Red"
was infecting every PC with an IIS installed.

But it seems the IIS works better after 6.0.

X'post + F'up2 comp.security.misc.
=2D-=20
Andreas
My Commodore 64 classic game music page at
http://freenet-homepage.de/ankman/sid.html

Re: OT: Myth # 13: Macs Are Safe From Malware Attacks

"Andreas Kohlbach" wrote in message
news:only_broken_newsreaders_show_this_in_the_body.87ps4llw1 f.fsf@usenet.ankman.de...
PC Guy wrote on 26. May 2007:
>
> "Andreas Kohlbach" wrote in message
> news:only_broken_newsreaders_show_this_in_the_body.87k5uv408 d.fsf@usenet.ankman.de...
>
>>> The Windows code is broken.
>
>> So we've been told. Unfortunately we've never seen any proof to
>> support this claim.

> That's why it's Closed Source one can only assume.

Since you have nothing more than an assumption I will conclude that you,
like those before you, are unable to provide proof. Therefore you're
engaging in spreading FUD.

>>> It was patched and patched again since 1995, as all recent Windows base
>>> on
>>> Windows NT from 1995. Since no one at MS has access to the complete
>>> source
>>> code they cannot just "fix" a bug as they cannot know of side
>>> effects to code
>>> they have no access to. They more or less built work arounds to a
>>> bug. A similar
>>> exploit might still be successful after "fixing".
>
>> And this is unique to Microsoft how?

> A fixed bug in other OS were not triggered by similar exploits for my
> knowledge.

I have no idea what it is you're trying to say here.

> Another thing is the "broken by design" issue. At least 2000/XP still
> came with default listening services and so responding ports (namely
> 137-139, 445). Which caused action by most of the ISPs to filter those
> ports by default for their (residential) customers.

This argument ended when SP2 was released in the summer of 2004. Almost
three years ago. Time to get something new.

> Or the Internet Explorer with countless bugs and strange behavior. Like it
> was (or still does?) check the file's header. If a file with the
> extension *.mid was to be launched it thought "Oh, MIDI isn't dangerous
> so I can start it", but then checks the file's header, let's say it is an
> executable, and since it determined *.mid isn't dangerous it would start
> it (the executable).
>
> A more harmless thing was TXT VS HTML. If you have a file.txt, and even
> if the server sends the MIME type "text/plain" but the file starts with
>
>
>
> the IE will (or did until 6.0?) render it in HTML.
>
> This and other things are called "broken by design". No real bugs since
> intended, but still dangerous.

I don't consider IE to be relevant to Windows' security model. It may have
some odd, or even dangerous, behavior but such behavior is not a reflection
on Windows' security.

>>> While on Unix anybody has full access to all code and can determine if a
>>> bugfix has side effects to other routines. Unix code is really fixed and
>>> a similar exploit shall have no success.
>>
>> You're confusing open source with UNIX.

> UNIX is, depending on its flavor (BSD, Linux...) Open Source.

UNIX is generic. Therefore unless your statement applies to all varients it
is inaccurate.

>>> It's a matter of open source.
>>
>> Makes no difference. Open source has not been shown to be any more
>> secure than closed source.

> Bug fixes work. And are done in a very short time because anyone could do
> it, while MS has the Patch Day [TM] where you usually have to wait. And
> still not all bugs will be fixed.
>
> and others have lists of what OS has the most
> not fixed bugs. Guess which one. ;-)

I am not interested in bugs. What I am interested in are facts to support
the statement:

"The fact is that Mac OS X is BUILT to be FUNDAMENTALLY safer than Windows
from the kernel on up."

If you have facts to support this statement let's see them. Otherwise you're
engaging in spin.

>>> MS should throw away all code and design the coming Windows from the
>>> scratch. Which they won't. We will see much more successful exploits in
>>> Windows than in Unix. Not only because Unix isn't that far spread.
>>
>> Primarily because UNIX is not that far spread.
>
> One true thing. Still it would be interesting to see how MS and UNIX would
> compete at equal market share. But we'll never know since this won't ever
> happen.

I think we already got a taste of what would happen with the CanSecWest
challenge.

>>> For example the Apache, based on Unix/Linux web server has a bigger
>>> market
>>> share than the MS web server, but wasn't that vulnerable than the ISS
>>> was.
>>
>> From what I can tell Apache has had more vulnerabilities than
>> IIS. Especially IIS 6.0.
>
> Source of this statement?

Various articles on the Internet.

> I cannot recall a greater impact than back in 2001 when "Code Red"
> was infecting every PC with an IIS installed.

Three things:

1. The majority of infected systems were internal systems. Many of which
were not intended to be web servers but since IIS was installed and running
on a default Windows 2000 Server install they became infected. Therefore
these systems do not count in the Netcraft statistics so often quoted to
disprove the marketshare theory.

2. Even ignoring one above Apache represents a generic term referring to
many versions. For example there are three major code lines (1.x, 2.0.x,
2.2.x), each running on a different OS (OS X, Windows, Solaris, IRIX, AIX,
HP/UX, etc), and many different hardware platforms (x86, MIPS, SPARC,
Itanium, etc). Contrast this to IIS that runs primarily on a single platform
(Windows, x86, IIS 5.0/Windows x86, IIS 6.0). So when you say "Apache has a
greater marketshare than IIS" which version of Apache are you referring too?

3. I have yet to see anyone actually prove the statement that IIS is
compromised more than Apache. It's been repeated so often people take it as
true. But until such time as proof is actually provided it's a wives tale.

> But it seems the IIS works better after 6.0.

Which has been out since the summer of 2003. Almost four years ago. If the
best you can do is an example of Code Red from back in 2001 (six years ago)
then I think its safe to say that you're assertions are invalid.

Re: OT: Myth # 13: Macs Are Safe From Malware Attacks

PC Guy wrote:


>>>> The Windows code is broken.
>>> So we've been told. Unfortunately we've never seen any proof to
>>> support this claim.
>
>> That's why it's Closed Source one can only assume.
>
> Since you have nothing more than an assumption I will conclude that you,
> like those before you, are unable to provide proof. Therefore you're
> engaging in spreading FUD.


Or you're lacking argument. Can you provide any evidence about the quality
of the code? No? Then we assume that it's bad quality until proven otherwise.

Beside that, according to the leaked parts of the Windows 2000 source code
the code actually seems to be of robust standard quality.

>> A fixed bug in other OS were not triggered by similar exploits for my
>> knowledge.
>
> I have no idea what it is you're trying to say here.


No? Then you might want to look up the reoccurence of old bugs on
Microsoft's systems.

>> Another thing is the "broken by design" issue. At least 2000/XP still
>> came with default listening services and so responding ports (namely
>> 137-139, 445). Which caused action by most of the ISPs to filter those
>> ports by default for their (residential) customers.
>
> This argument ended when SP2 was released in the summer of 2004. Almost
> three years ago. Time to get something new.


Huh? Quite wrong, SP2 didn't change anything about that.

> I don't consider IE to be relevant to Windows' security model. It may have
> some odd, or even dangerous, behavior but such behavior is not a reflection
> on Windows' security.


IE is part of the shell, and therefore you're always affected, whether you
actually use it or not.

>>>> For example the Apache, based on Unix/Linux web server has a bigger
>>>> market
>>>> share than the MS web server, but wasn't that vulnerable than the ISS
>>>> was.
>>> From what I can tell Apache has had more vulnerabilities than
>>> IIS. Especially IIS 6.0.
>> Source of this statement?
>
> Various articles on the Internet.


What makes your claim even more laughable that IIS 6.0 had a reoccurence of
a bug that should have already been patched in IIS 5.0, because Microsoft
decided to only patch one single exploitation path instead of the actual
problem (and then Unicode string striked back).

IIS 6.0 is the same old buggy shit as always and when removing the totally
locked down default configuration to gain the same level as Apache, it's
even worse.

> 3. I have yet to see anyone actually prove the statement that IIS is
> compromised more than Apache. It's been repeated so often people take it as
> true. But until such time as proof is actually provided it's a wives tale.


Various articles on the internet. In contrary to your claims, these actually
exist (par example CVE).

Re: OT: Myth # 13: Macs Are Safe From Malware Attacks

>>
>> You're confusing open source with UNIX.
>
> UNIX is, depending on its flavor (BSD, Linux...) Open Source.

Actually, you are confused, and do not know what you are talking about.

Unix, IS NOT open source.

Many "Unix like" varients are open source.

There are licensing implications with confusing this, so it is
extremely important to keep it straight.

>
>>> It's a matter of open source.
>>
>> Makes no difference. Open source has not been shown to be any more
>> secure than closed source.
>
> Bug fixes work. And are done in a very short time because anyone could do
> it, while MS has the Patch Day [TM] where you usually have to wait. And
> still not all bugs will be fixed.
>
> and others have lists of what OS has the most
> not fixed bugs. Guess which one. ;-)

This is a common myth. I have yet to see a credible study that
discusses this matter.


>
>>> MS should throw away all code and design the coming Windows from the
>>> scratch. Which they won't. We will see much more successful exploits in
>>> Windows than in Unix. Not only because Unix isn't that far spread.
>>
>> Primarily because UNIX is not that far spread.
>
> One true thing. Still it would be interesting to see how MS and UNIX would
> compete at equal market share. But we'll never know since this won't ever
> happen.

Any OS with a large market share will be a security target. As long as
there is money to be made taking advantage of stupid people, operating
systems will be exploited.

Seeing that it took someone only 12 hours with a reasonable amount of
knowledge to hack OS X for a $10,000 prize, I am not depending on
Apple's "brilliance" to keep my OS X system secure.

Re: OT: Myth # 13: Macs Are Safe From Malware Attacks

michelle ronn wrote:
> Seeing that it took someone only 12 hours with a reasonable amount of
> knowledge to hack OS X for a $10,000 prize, I am not depending on
> Apple's "brilliance" to keep my OS X system secure.

but you ARE aware that the smart guy used a (btw, formerly known and
discussed) quicktime exploit that works on _any_ os that has quicktime? =P

also, even with that exploit you couldnt do much harm, especially not
install some kind of spambot (vast majority of windows attackers just want
that). except if you use the exploit on windows ofcourse =P

--

http://www.hitmen-console.org
http://www.gc-linux.org/docs/yagcd.html
http://www.pokefinder.org
http://ftp.pokefinder.org

Don't pay any attention to the critics. Don't even ignore them.

Re: OT: Myth # 13: Macs Are Safe From Malware Attacks

Andreas Kohlbach wrote:

>>> MS should throw away all code and design the coming Windows from the
>>> scratch. Which they won't. We will see much more successful exploits in
>>> Windows than in Unix. Not only because Unix isn't that far spread.
>> Primarily because UNIX is not that far spread.
>
> One true thing. Still it would be interesting to see how MS and UNIX would
> compete at equal market share. But we'll never know since this won't ever
> happen.

You may always check some market _segments_ where the share percentage
is not that much different.