November 11th, 2009, 06:19 PM
Browser Vulnerability Report
Found this on Slashdot. Pretty interesting.
Wonder what Byte is going to say...
Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser:
\"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"
November 11th, 2009, 06:34 PM
I've been aware of that for some time. A couple of years or so ago secunia.com, I did a search on IE vulnerabilities and Firefox vulnerabilities. Fx had 50% more.
November 11th, 2009, 06:59 PM
Did they test it w/ NoScript?
PBTA, Firefox does not use ActiveX.
“Everybody is ignorant, only on different subjects.” — Will Rogers
November 11th, 2009, 11:41 PM
November 12th, 2009, 12:36 AM
exactly, hence the line in my signature. No matter how secure anything claims to be you will never truly know how secure it is until you have the same size think tank trying to crack it that you have trying to crack the competition. There aren't all that many people sitting at home trying to hack K-Meleon. The payoff would be too small.
November 13th, 2009, 01:12 AM
I'll give you 50% of that
I used to say that the argument that "If more people used Linux it would have just as many viruses as Windows" was flat out crap, but there is a little truth in that. If Linux had 90% of the Desktop market or whatever Windows has right now (Probably dropped after Vista) but at the same time, it's REALLY hard to get infected with Spy ware, Mal ware, and viruses if you so much as read the screens during an installation of anything else.
In Windows, which is actually harder to install than Linux since Windows had a text based installer for a long time and REALLY bad partitioning tools built in, it didn't really ask you for any type of user names for extra users. I'm not going to talk about Windows 9X since it's not fair to the Windows users here, but the NT line, you'd install, and, to my shock, the thing didn't ask for any extra users if you didn't tell it you wanted that, and it even auto logged you in with Windows XP.
Now, that means that anyone running Windows without customizing anything, was auto logging in as Admin.... That's bad. My Mom bought a new computer a few years ago with XP, I set up an account for Her as a basic user, and set the admin password, and to this day She doesn't know it. It's made fixing things easier since She can't access system files.
If you install Linux, you're told that you should make a non root account for yourself because there are security implications for not logging in as a normal user for your day to day computing, and that you should only use root when you have to do so for patches and so on.
That means during an install of Linux or BSD, you're told up front that you should not only make a different account for yourself, but why you should, and that if you don't security would be a joke. So why is it that Microsoft haven't made it default to "OK now make a user account that's not admin for yourself because the admin account has system wide access and you should not use this without needing to" and whatever else.
I've been using Linux and FreeBSD for some time now, and I've yet to have even ONE infection of anything. No intrusions (I read logs and so on, have firewalls, have a hardware firewall for when I'm doing a fresh install and so on and my passwords aren't easy) and when I install one of those, it tells me to make an account for myself and that I shouldn't log in as root unless I need to install or change something and that when I do use root to take caution because nothing is stopping me from unlinking a file system.
I don't understand why Windows lets you log in as admin without so much as a password. My own cousin one day was having troubles with his XP machine. I saw there was no password and put one on there so there was at least a password required. This machine was used to run their own business, had all their axes and legal documents, NO patches installed, no password for admin, nothing.
When I put one on there.... My aunt actually told me not to touch her computer because "we use this to run our business on here and you putting a password on here messed with it"...
I was shocked... And again, during the install, if it so much as mentioned that you should make an account for yourself that doesn't have admin access, at least people could know SOMETHING about the implications of that. But they don't. The average room temperature IQ user has no idea why there is a problem with looking at underground porn on their computer while being logged in as admin, and having no patches installed. At least they did put an update thing into XP that would tell you about updates and actually install them, but still, when something annoys a user they turn it off, like those pesky firewalls telling them that a Trojan is trying to upload it's pay dirt and they're tired of clicking on buttons so they shut the firewall off.
Apache is used on more Web Servers than any server software out there. You can look at the source code for it. So how can Microsoft claim that seeing source code is bad because people can find exploits and not tell anyone, when really, everyone looking means they can be fixed faster, and on top of that, since more people use it for servers, why isn't it being taken out more?
November 13th, 2009, 02:34 PM
could you distill that and resubmit it in the morning? LOL I was under the impression that Linux required password input for absolutely any system changes, installations, etc.. Anyway, you're correct, the average Windows user bobs around the Internet using an account that has infinitely more permissions than necessary, never realizing that it's precisely that which puts them at the greatest risk.
I don't assert that Windows and Linux or Macintosh operating systems will have the same number of vulnerabilities, what I'm saying is you will never truly know how secure any of them is or isn't until you have the same size think tank trying to crack them. We've seen with Firefox that this remarkable security had more to do with lack of popularity, than true security. Once the browser started getting a sizable market share, the holes came out in force. That's why I maintain the most secure program is the most obscure program.
November 13th, 2009, 04:40 PM
You do not need root access to modify your user session and set a process to auto run in a *nix environment. And just because attachments in *nix don't have the exe bits like windows, that doesn't mean I can't get a *nix user to infect themselves by opening my email titled "Nude Pictures of your Wife"
November 13th, 2009, 05:29 PM
Hey, I know that
The difference is this:
Say you're getting a computer for nothing more than web surfing, and email, and IM stuff. You don't know much about a computer, but you'd like to go online and look at stuff, and you want to email. What do you get? Windows is one option, and an easy one because every PC comes with it off the shelf at the store. But it's not going to be the best option because like I said; You have admin access by default without any password to stop you (Or anyone else) from infecting the crap out of it.
Your other options are either a Mac (Which is expensive, and most people who only want to send emails, IM, and look on the web, are probably not going to pay that price in money) so the other option, is Linux or BSD.
I wasn't trying to say that no one running Linux or BSD has ever been infected with anything. Robert Morris Jr proved that wrong a long time ago. But when it comes down to people who know nothing at all about how or why it works, they're going to look at the screen, see "You should make a non root account for yourself because security problems could happen if you don't and nothing stops root from destroying the machine" or something to that effect.
Then they'll probably think like most people who know nothing about computers think, which is "Hey wait a minute, I saw on the news that computers and the security of them was a huge problem, I better make that account like it says to" and they'll make a non root account. Then, without trying REALLY hard, it's damn near impossible to take, lets say a Fedora machine, and screw it up, since SELinux is there by default.
What about BSD? All those jails and sandboxes?
I wasn't saying that Linux or BSD are a silver bullet, I'm just saying that they would make it a little harder for that average user to end up at the PC repair shop because the machine was now filled with spyware and viruses and Trojans all over the place and no ACLs or permissions to stop them since the user was logged in as Admin all the time.
I've personally seen this happen. I've fixed up a lot of machines where I had to personally call the owner back and ask them if they knew the password for admin. THEY DIDN'T KNOW! I had to crack their machine, change the password, and then, finally, try to fix it.
They didn't know what the admin account was, or what a password for it was. No clue. The machine's background image was "Your machine is infected"...
And since Windows has a "System" account that has more access than Admin, I was locked out of certain things because whoever installed the Trojans, managed to lock up the admin account. That meant I couldn't even uninstall some of the crap on it because System Trumps Admin.
It took hours to fix. I had to break the OS to fix it. Luckily I have no problem breaking tech stuff to get to something else. I ended up with a CD full of tools in the drive to basically... Well, I guess you'd say I hacked the Laptop to allow me to fix it. There was around 17,000 infected files / viruses / Trojans, and mal ware. Even the dreaded "fake spyware scanner" crap.
Had this been a Linux machine, I would have backed up their data as root, deleted the account and everything else, made a new one, checked the data back ups, and put them back as I checked them for problems.
That of course isn't going to work on everything, but again, not using the root account for daily stuff makes a huge difference.
November 13th, 2009, 11:00 PM
A little while ago I was looking something up and found something that reminded me of this thread I was looking up some Linux distros, which aren't related to this at all, but one thing I saw at the bottom of a Wiki article on a distro, well, it grabbed my interest!
See here for what I meant:
Like Unix systems, Linux implements a multi-user environment where users are granted specific privileges and there is some form of access control implemented. To gain control over a Linux system or cause any serious consequence to the system itself, the malware would have to gain root access to the system.
Shane Coursen, a senior technical consultant with Kaspersky Lab, claims, "The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS."
That was what I was talking about. Apache and Linux / BSD / Unix may not have DESKTOP market share, but they more than have Server Market Share, which leads me to ask a question. Such as:
However, this view is not universal. Rick Moen, an experienced Linux system administrator, says "[That argument] ignores Unix's dominance in a number of non-desktop specialties, including Web servers and scientific workstations. A virus/trojan/worm author who successfully targeted specifically Apache httpd Linux/x86 Web servers would both have an extremely target-rich environment and instantly earn lasting fame, and yet it doesn't happen."
SecurityFocus's Scott Granneman stated,
...some Linux machines definitely need anti-virus software. Samba or NFS servers, for instance, may store documents in undocumented, vulnerable Microsoft formats, such as Word and Excel, that contain and propagate viruses. Linux mail servers should run AV software in order to neutralize viruses before they show up in the mailboxes of Outlook and Outlook Express users."
If Linux / BSD / Unix have the Server status that Windows has on Desktop machines, why are there not more things aimed at it already? Why aren't any Linux viruses sweeping over servers? Virus Writers aren't going to not write a virus for servers, Servers are bigger machines with more power and take connections which would allow the virus to spread to other machines just by infecting that one server... So why aren't they doing it?
Microsoft Windows has the Desktop Market. People at Microsoft and Windows users LOVE to point out that "Well if Linux had the same amount of installations on Desktops as Windows does, there WOULD be Linux viruses".... Well, Linux and Unix and BSD DO have that kind of installed base that Windows does, but they have it on servers. So why aren't there more if they have a GREAT target like servers?
By Galiath in forum Web Security
Last Post: April 21st, 2006, 02:57 AM
By therenegade in forum Web Security
Last Post: April 1st, 2005, 08:03 AM
By Szafran in forum Miscellaneous Security Discussions
Last Post: September 7th, 2003, 09:41 PM
By xmaddness in forum Miscellaneous Security Discussions
Last Post: January 28th, 2003, 08:12 PM
By souleman in forum Microsoft Security Discussions
Last Post: April 11th, 2002, 11:39 PM