Hall of Famer (OP), Joined: Sep 2006, Posts: 3,044
Patch Tuesday heads-up: 10 bulletins, 34 flaws (IE, Windows affected)

http://www.zdnet.com/blog/security/patch...593?tag=nl.e589

Quote:

Microsoft’s Patch Tuesday this month will be a big one: 10 bulletins fixing 34 vulnerabilities in Windows, Office and Internet Explorer.

Three of the 10 bulletins will be rated “critical,” Microsoft’s highest severity rating. The flaws addressed in those bulletins typically expose users to remote code execution attacks.

Here are the basic details on what’s coming next Tuesday (June 8, 2010):

* Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
* Two bulletins, both with a severity rating of Important, affect Microsoft Office.
* One bulletin, again with a severity rating of Important, affects both Windows and Office.
* One bulletin, with a severity rating of Critical, affects Internet Explorer.

[ SEE: Serious XSS flaw haunts Microsoft SharePoint ]

Microsoft confirmed that this month’s patch batch will provide cover for two publicly known issues: an elevation of privilege flaw in Microsoft SharePoint that could lead to cross-site scripting attacks and an information disclosure hole in Internet Explorer.

Some of these vulnerabilities affect all versions of Windows, including the newest Windows 7 and Windows Server 2008 R2.

http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx

This is an EPIC FAIL on Microsoft's part. I am so glad I run Linux on every machine here except for one notebook that has Windows XP on it that is very rarely used...this is such an epic fail for them....

Linux not only patches its OS (and new kernels are not all that frequent) but every 3rd party application on the system, i.e. Firefox, Mplayer, VLC, Totem, etc...all 3rd party apps

and Microsoft only updates Windows OS and Microsoft Software and they got this many vulns?

This is not even funny anymore.....you pay 300 bucks for a copy of Windows and this is what you get.....

I know many use the false assumption that "No one cares about Linux, that's why it's not a target for malware"

Not true at all, most of your web servers and web apps are running on Linux and BSD, see Google, Yahoo, and other companies. Even The Stock Exchange is running Linux...don't think they are a target?

This is such an epic fail.....I am so glad I don't run that useless OS anymore unless I have to....once a person learns a bit about Linux...it's much easier to use, and a ton more secure.

Happy Patch Tuesday folks!

Legend, Joined: Sep 2006, Posts: 50,506
Let Linux get on as many desktops as Windows is and we'll see how many people start attacking it then.

While Windows is not perfect by any stretch of the imagination ..... Linux is safer by virtue of the fact that an attack against Linux creates very little havoc. Linux is on what ... 2% or so of all desktops and laptops? A Linux virus lacks the impact most virus creators look for. Even Mac is only about 6% of the market.

Windows is created to be "simpler" to be more user friendly, and that creates some holes as well. The real villains are those who write malicious code to attack other people.


Micah 6:8; He has shown you, O mortal, what is good. And what does the Lord require of you? To act justly and to love mercy, and to walk humbly with your God.

John 14:19 Jesus said: Because I live, you also will live.
Hall of Famer (OP), Joined: Sep 2006, Posts: 3,044
I welcome the day Linux is on as many Desktops as Windows...it will then be proven it is much more resistant to attack than Windows is...

That is an argument that has been going on for years about Linux vs Windows, however it is not really valid.

ALL the most important and valuable information sits on Linux server systems.

Almost every Linux distro nowadays ships with either AppArmor, SELinux, or GrSecurity...all MAC (Mandatory Access Controls); these MACs can even restrict the root account.

For example...on my system AppArmor ensures Firefox can only write to the areas it needs to...nothing more....for example...you can't browse local files on my system with Firefox..I don't allow it to do so.

You're also forgetting that the way Windows is designed, most if not almost all Windows services are set up to run under either the:

1. System Account (root account)
2. Network Services Account (equivalent to Power User Account)

so a vuln in a windows service = root access pretty much every time it happens

on Linux however, daemons (services on Linux) run under their own accounts with much much much less permissions....which mitigates the damage.

Most Desktop Nix distros nowadays ship with AppArmor or SELinux MAC turned on by default.

Lets say someone does write a piece of malware....what exactly is it going to do?

it will be able to write a file in my home directory at most...big deal...that's very trivial to deal with, it's an afterthought...it would be removed in less than 5 minutes, business as usual..no root access gained.

that is the reason they don't attack most Linux boxes...

moreover most Debian and Red Hat based distros don't allow users to execute files by default...

Yes, it's a novel concept, a user must use the chmod command to give the file executable permissions before you can run it...

that alone stops most drive-by downloads and spyware garbage...

On Windows however, all files get execute permissions by default as soon as they are saved on your hard drive.....

Linux is much harder to crack in that regard

also, Linux is growing on the Desktop more than you think....This time last year I knew no one running Linux, there are now 15 just in my neighborhood, Ubuntu has over 8 million users worldwide as of 2006, and that number is growing steadily

there are more than enough Linux users out there, yet we keep on trucking by unfazed by this stuff

http://www.internetnews.com/software/art...and-Growing.htm

As I said, most of the World's valuable data is on Linux, New York Stock Exchange, many U.S govt stuff is running on Linux

http://www.theregister.co.uk/2008/02/05/us_army_linux_integration/

I am just saying that argument about target is not holding up

even though Mac is based off of BSD, it is IMO a noobified Apple proprietary version of BSD that is as insecure as Windows...Malware is hitting Mac not because of BSD, but because of the horrible design decisions of Apple

OpenBSD and FreeBSD users are unaffected by the Mac malware.....a testament to the fact.....

This is still a fail for MS, if they were sending patches for all 3rd party apps like most Linux distros do, I would cut them some slack, however, 34 vulns in Windows and Office..my goodness that's unacceptable....

Also Microsoft doesn't disclose all its vulns and patches many of them with no disclosure, at least Linux and Open Source disclose theirs....

Dawg Talker, Joined: Sep 2006, Posts: 1,346
Quote:

I am so glad I don't run that useless OS anymore unless I have to

I appreciate our commitment to Linux KOB, but useless? That is just false...an "epic" overstatement. I recently experienced stop errors and even the inability to POST and it appears it was the fault of some bad RAM from Crucial. Would it be fair to say that Crucial is useless? Of course not.

I assume that the memory problems I experienced could cause file corruption. I also assume that the BSODs I experienced from Vista are in place to prevent this. If this is fact, does any element of Linux provide such protection?

I have learned a bit about Linux via Ubuntu and I appreciate Shuttleworth's (and company) efforts towards a Linux distro for point and click end users such as myself. I appreciate all the FOSS folks for their efforts, but your disdain for MS is better expressed without such a platitude. Jmho.

Hall of Famer, Joined: Nov 2006, Posts: 4,126
You continue to leave out an important factor in computer security: the end user. All they have to do is enter the root password when prompted and that box isn't going to be very secure. There is no OS in the world that can protect a user from themselves.

Hall of Famer (OP), Joined: Sep 2006, Posts: 3,044
agreed maddog, "Useless OS" was a bit over the top

Legend, Joined: Sep 2006, Posts: 15,015
Windows by default gives the initial user admin permissions for a reason. Most people turning on the computer for the first time would return if set to limited user access when they try to install something and get refused. If anyone read the 10 step quick start-up guide that comes with most computers, it tells you to set up user accounts as limited for daily use.

The problem is the users more than the OS itself. I have set up several PCs for people in the last couple years and spent the time explaining admin and limited user accounts to them. Usually this is the result of a wipe and reinstall after a virus issue. Those that agreed to keep a separate admin account on the machine have not been back. A couple of them that refused to do it the right way have been back already, and yet they still refuse to limit their daily accounts.

Know what you're installing.
Know who an email attachment is from and why they sent it to you.
Know where you are surfing on the net.

Keep walking behind the targets at the gun range, it's only a matter of time til you get shot.

As for MS, their damn reliance on IE for folder browsing is a huge security flaw in itself. Not to mention they try to put too much into the OS. The more you put in, the more that can go wrong.

Last edited by FloridaFan; 06/07/10 07:42 AM.

We don't have to agree with each other, to respect each others opinion.
Hall of Famer, Joined: Sep 2006, Posts: 5,371
I didn't think people still used linux.

Dawg Talker, Joined: Sep 2006, Posts: 2,758
Quote:

I didn't think people still used linux.

I run linux because I don't like the o/s that MS peddles, but that is just me. But people use linux more than you know. It is in a lot of web servers as well as many of the devices out there. The California Lottery machines run off of Linux. There are plenty of other uses out there because linux is versatile and companies can change it to fit their needs.


"Don't be burdened by regrets or make your failures an obsession or become embittered or possessed by ruined hopes"
All Pro, Joined: Sep 2006, Posts: 530
I can tell you in the Medical IT world for anything super crucial, it's linux or unix (storage, communication, hi volume re formatting); for your average desktop applications and PCWs running simple apps we use AD and Windows...(but even the apps on those machines are usually some sort of client unix interface for the GUI)

Hall of Famer (OP), Joined: Sep 2006, Posts: 3,044
Quote:

Windows by default gives the initial user admin permissions for a reason. Most people turning on the computer for the first time would return if set to limited user access when they try to install something and get refused. If anyone read the 10 step quick start-up guide that comes with most computers, it tells you to set up user accounts as limited for daily use.

That is no excuse to default Windows to Admin users right out the gate. It is that kind of practice that puts everybody at risk. It is these types of design decisions that has made Windows a huge Malware propagator. See Code Red, Ms Blast to get the idea.

Quote:

The problem is the users more than the OS itself. I have set up several PCs for people in the last couple years and spent the time explaining admin and limited user accounts to them. Usually this is the result of a wipe and reinstall after a virus issue. Those that agreed to keep a separate admin account on the machine have not been back. A couple of them that refused to do it the right way have been back already, and yet they still refuse to limit their daily accounts.

The problem is just as much the OS as it is the users. Windows relies on a half-hearted attempt at DAC (Discretionary Access Controls); it's half-hearted because Windows is not a true multi-user system like Linux is and was designed from the ground up to be from the get go. Linux actually follows the true "Principle of Least Privilege" computing model. Windows does not. If Windows was a true multi-user system, then old Windows 95 Apps (monolithic system) would not run on Windows 7..yet I have seen many Win95 apps that will. Linux truly separates the user from the system.

Quote:

Discretionary Access Control (DAC)

If access to a target is based on OWNERSHIP we talk about discretionary access control. This means that the security of the target (e.g. a file) is completely and utterly at the "discretion" of its owner. This seems to be a reasonable concept at first because who else than an owner should decide what will happen with a resource? But it includes a large potential for failure and mis-use, e.g. through program errors, attacks or handling failures by the owner. The resource cannot defend itself against any kind of misuse as long as the owner authorizes it (knowingly or without consent).

Furthermore, most Windows Services by default run under either the:

1. System Account = root
2. Network Service = Power User pretty much

even if you are running as a Limited User..a Vuln in say RPC Service or Server Service = complete root access and ownage on Windows.

On Linux, Daemons (Linux version of Windows Services) run under their own accounts with much much much less access to the system...actually many of them run with less rights than users do, and the ones that need a bit more (like CUPS (Common Unix Printing System)) are confined with AppArmor or some other MAC to ensure they behave themselves.

Almost all Linux distros ship with some form of MAC (Mandatory Access Control System) enabled by default...SELinux, AppArmor, Grsecurity. That limits the rights and access network facing applications have; they are even able to restrict the root user.

Quote:

Mandatory Access Control

Anything that restricts a program or an object besides the ownership relation establishes a form of mandatory access control. Restricting a program with respect to the resources or the services it can use (i.e. creating a sandbox) is one form of MAC. Restricting a user from reading or writing a resource based on a classification of the resource as "confidential" is another form of MAC. This time caused by "labelling" the resource and the user and comparing the labels at time of access.

MAC that controls the user/owner - resource relation is sometimes called multi-level security. MAC that controls the program - resource relation is called sandboxing (or domain type enforcement). A typical sign of additional MAC controls is that the user/owner - program relation suddenly becomes less critical (the relation is typically controlled through roles - RBAC). This becomes evident in the SE-Linux implementation which uses few roles for almost all processing.


The fact that MS ships their OS with horrible defaults, and users continue to cater to them is part of the problem. If users would start dumping MS in favor of Linux citing security reasons, maybe MS would be motivated to scrap the old as dirt NT and start Windows over again as a true multi-user system with security in mind...but until that day, MS is not motivated to provide you with a secure computing environment, and Windows will continue to suffer from endless barrages of malware.

the damage that could be done to any Linux distro is pretty small in scope.

also before anyone says anything, Rootkits have been around for Linux for a very, very long time. Rootkits are "new" for Windows. Rootkits have been around for a long time for Unix based systems, that's where the term rootkit comes from (undetected access to root account)

there are rootkits for Linux, however, most infections occur due to weak passwords, and not using certificate security on SSH, or some secure version of VNC, etc......this usually happens when the maintainer is asleep at the wheel or something....however there has pretty much been no widespread outbreak of infection on Linux like Code Red, Blaster, etc...even the Slapper Worm was small in comparison, and after the Slapper worm the Community rose up and created MAC to prevent that from happening again, and it's 2010 and it's been successful so far. Also Linux is being further hardened all the time.

I taught my G/f to use Linux(gui) in about 2 weeks, 6 months later she has a solid grasp of the Bash Shell.

Ubuntu, Debian, Red Hat, Fedora, Suse, etc are all about the same..they all allow you to perform basic tasks from the gui (web browsing, email, photos, etc) but one still needs to understand how to use a command shell to really get the most mileage out of it...don't be afraid of the command shell, it's your friend

Legend, Joined: Sep 2006, Posts: 15,015
all hail the mighty Linux...

You can argue your great knowledge of Linux and how great it is, but the simple fact is that the majority of home PCs are owned by people that are lucky to realize that tray is for CD's and not a cup holder.

Until we get to the point that people understand their systems and how they work, and what to do with them, you need a simple, easy to use, little training system. And I've used Linux, have 2 here at the office, and they are not always user friendly. It has come a long way in a short time, but it's still not what people have become accustomed to.

You'd be amazed, actually since you're in IT you probably already know, how many people don't realize there is a difference between a PC and a Mac. All they know is Mac costs more and has funny commercials, but don't truly understand they are totally different.
Heck, I STILL deal with people that don't understand that AOL is NOT the internet, and they don't need their DSL/cable ISP AND AOL.

Legend, Joined: Sep 2006, Posts: 28,201
How is it an epic fail that they are fixing flaws?



Browns is the Browns

... there goes Joe Thomas, the best there ever was in this game.

Hall of Famer (OP), Joined: Sep 2006, Posts: 3,044
Quote:

all hail the mighty Linux...

You can argue your great knowledge of Linux and how great it is, but the simple fact is that the majority of home PCs are owned by people that are lucky to realize that tray is for CD's and not a cup holder.

Until we get to the point that people understand their systems and how they work, and what to do with them, you need a simple, easy to use, little training system. And I've used Linux, have 2 here at the office, and they are not always user friendly. It has come a long way in a short time, but it's still not what people have become accustomed to.

You'd be amazed, actually since you're in IT you probably already know, how many people don't realize there is a difference between a PC and a Mac. All they know is Mac costs more and has funny commercials, but don't truly understand they are totally different.
Heck, I STILL deal with people that don't understand that AOL is NOT the internet, and they don't need their DSL/cable ISP AND AOL.


I do know a good bit about Linux/BSD based systems, but that comes from tons of experience with them. I just wanted to share the knowledge about Linux, I feel it's important for people to understand these concepts concerning security. I may come off rough around the edges at times, but with Linux I do have a passion for Open Source, and I have and still do actively contribute when I can. I also donate a few times a year as well.

I will agree that the people you mentioned are probably true, but if that's the case should we not educate these users in some way?

Furthermore, in terms of Information Security, what do you think is better?

An open source product you can patch on your own if need be, or perhaps modify and extend the OS or Software though the source code on your own?

or a closed source solution where you're at the whim of a giant company with IT out-sourced to India that cares nothing but getting the money out of your pocket?

I'll go with Open Source

Yes I have written some of my own patches at times, it feels nice to be able to solve problems on my own, and not be held to a license that says I only rent the software.

Legend, Joined: Sep 2006, Posts: 15,015
Don't get me wrong, I agree that Linux is a much more secure product.

But you tend to come off as though everyone should be using Linux, and while I agree in many ways that people should be using something more secure than Windows, be it Linux or something yet to be created, the simple fact is familiarity, and ease of use, access to information about, and general availability.

I've had to try to explain to people that picked up a Mac software program from the store that it won't install on their PC, and they need to return it and get the Windows version.

There's just too many people that don't understand there is a difference between Windows, Mac, Linux, etc. It's all Greek to them. They think all computers are the same. I don't even want to think about someone buying a PC with linux and then trying to explain to them how to install all those windows programs they have in the desk drawer.

If Linux came out in the early 80's as a home PC O/S it might be different, but Windows had a huge head start and set the standard, which for many those standards are hard to change.

How many people still have standard DVD players, when BluRay offers so much more. Heck I know people that still use a VCR instead of a DVR to record shows. Progress and change are slow, especially when people become familiar with something, and that change is drastic, such as an O/S change.

Someone needs to unseat MS, and right now it's not going to be Linux, partly because they don't have the ad campaigns that Mac and MS have. And as sad as we IT guys find that, it is the truth. Unless you know something about computers you probably don't really even know of Linux, or what it is. You just don't see cute little penguin commercials on TV very often.

Dawg Talker, Joined: Sep 2006, Posts: 2,667
Quote:

I will agree that the people you mentioned are probably true, but if that's the case should we not educate these users in some way?


You are NEVER going to be able to educate the masses to the level that would be required.

FIRST it would take too much time, money, and resources.

Second, most people DO NOT WANT to educate themselves to such a point. They have other things to do in their lives. They need things to be Easy and Fast. Seniors are not going to spend the time learning the ins and outs of dll's and firewalls and the like. the plug and play can be confusing enough.


I thought I was wrong once....but I was mistaken...

What's the use of wearing your lucky rocketship underpants if nobody wants to see them????
Hall of Famer (OP), Joined: Sep 2006, Posts: 3,044
Quote:

How is it an epic fail that they are fixing flaws?


Because that sheer number of flaws shouldn't exist to begin with...I could see a few..but 34!? and that's only in Windows and MS software...doesn't count 3rd party apps...that's insane....

Linux may have patches too, but Linux distros also update all 3rd party software that is installed on the system in most cases via the repositories....those flaws are for Microsoft Software and Windows....that's almost unheard of....

I am glad they are patching these, but how long have they known about these flaws and waited till now to patch them? weeks? months?

I am just asking when will folks begin to look at Microsoft more carefully when it comes to vulns and system security? after all, terrible defaults is a big reason security risks become such a problem on Windows.

why is Internet Explorer still a part of the OS?

even though you can uninstall IE on Windows 7, it's only cosmetic, mshtml.dll, and ieframe.dll (part of the core components for the IE Trident Rendering Engine) are still left behind and still exploitable by other apps that use them.

I am saying this many holes....in just Windows and Office alone is unacceptable...that's a lot of patches....that is an epic fail...since MS doesn't disclose vulns like Open Source does...who knows how long these have been in the wild being actively exploited...

Hall of Famer (OP), Joined: Sep 2006, Posts: 3,044
Quote:

You are NEVER going to be able to educate the masses to the level that would be required.

FIRST it would take too much time, money, and resources.

Second, most people DO NOT WANT to educate themselves to such a point. They have other things to do in their lives. They need things to be Easy and Fast. Seniors are not going to spend the time learning the ins and outs of dll's and firewalls and the like. the plug and play can be confusing enough.


There is no real need to know anything about that stuff to use Linux, I have first hand seen many seniors using Linux, Ubuntu has a great config out of the box with sound defaults.

In fact 95% of all functions can be done at the user level with no need to even elevate via sudo or root

Most printers you just plug in, and that's it..CUPS takes care of the rest and it simply works.

Ubuntu is a bit easier than Debian, but it has Debian's stability...users will not be faced with stupid error messages, and junk not working half the time...linux just works....installs and uninstalls are clean through Synaptic (one can use the easy Software Center in Ubuntu 10) it doesn't get any easier

All the while, the user is safe and free to use his computer with user rights (only has write access to his or her home directory). Ubuntu is much easier to use than Windows is once a user gets a few days to play with it...it really is easy to use...anyone can use Ubuntu...I stand on that fact, my g/f who knew NOTHING about Linux and was a novice in Windows now prefers it and states it is just easier to use...everything is much more logically laid out, and more intuitive....

YMMV of course, but Linux is set up to be secure and is still usable..the user doesn't need to run as root to do anything productive which in windows it seems you must be admin to really be able to do anything, which is why people turn UAC off...

With Windows one needs to know about all that stuff, on Linux the firewall is on by default in most distros no need to configure a bunch of settings, ssh is turned off, etc...there isn't much for the user to do...Linux will nag you when security updates are available, only new kernels require reboots, most updates don't even require a restart

with Ubuntu how much easier could it get?

you just point and click for the most part

however admins can use the shell and advanced functions to their hearts' content, I prefer Debian for servers however, that is a different animal...

Legend, Joined: Sep 2006, Posts: 15,015
There are several versions of Linux available. Each with its own quirks.

Again, it comes down to education. And the masses just want to hand over their money, go home, plug in, and go.

So if you want to peddle the best version for a typical home user to Best Buy, CompUSA, Dell, Gateway, HP, etc be my guest.

No one is arguing that linux doesn't have some great advantages, especially when it comes to security, just that this idea you seem to support that everyone should drop Windows and buy linux on their next PC is flawed when it comes down to the typical user.

I bet if I stood in Best Buy and acted like a sales person, that 9 out of 10 people I would try to sell a computer to and told them "This one comes with Linux" their reply would be "Is that the version of windows before or after Windows 7?"

Hall of Famer, Joined: Nov 2006, Posts: 4,126
Gotta love the fanboy mentality. "This is the perfect solution for me, therefore it should be the only solution for everyone else." Linux isn't the be all, end all of solutions. It is not the best choice for everyone. It isn't the answer for everyone. Neither is mac, neither is windows. People go with what works for them. My windows box runs just fine. No malware, no virus, nothing, plus, it will run all the apps I use that linux won't run. Linux is a fine OS, but it's not the best answer for everyone. People should be using what OS works for them, not what some fanboy (of any OS) proclaims is the best.

You continue to leave out the weakness the end user brings to the OS. Linux cannot protect a user from themselves. Something prompts for the root password, the user enters the password, game over.

I also don't understand the "open source is awesome because you can write your own security patches" logic. Well, I do understand it for those that know how to code. But for the average user, they are not going to care because they don't know how to code. Saying they should use open source because they can write their own patches is a pretty pointless argument.

Legend, Joined: Sep 2006, Posts: 28,201
For someone working in computer security, you apparently don't understand much about software design or development... that or you just like to overreact.


Do you even know the nature of all 34 patches?
I know that the article stated that only 3 were of a critical nature.

Do you happen to know which operating systems are affected? Did you ever consider that it is 34 patches spread across several different platforms?
Did you ever consider that some of them may be font updates, some are routine updates for Windows Malicious Software Removal Tool, some for Root Server updates?

No... you just wanna trumpet the fanboi stuff


Legend, Joined: Sep 2006, Posts: 28,201
I went back and copied from your article:


* Six of the bulletins affect Windows; of those, two carry a Critical severity rating and four are rated Important.
* Two bulletins, both with a severity rating of Important, affect Microsoft Office.
* One bulletin, again with a severity rating of Important, affects both Windows and Office.
* One bulletin, with a severity rating of Critical, affects Internet Explorer.


3 Critical - only Two are for Windows, one for IE.
7 Important - Only Two are for Windows, Three for Office.


That is hardly the "unacceptable, end of the world OMG Y kant Uz H8t M$!" level of bad. THAT is life in complex software across several generations and product releases.


Hall of Famer, Joined: Sep 2006, Posts: 5,371
"This is why I have a mac"

Legend, Joined: Sep 2006, Posts: 28,201
That's fine, not everybody can operate a real computer



Legend | Joined: Sep 2006 | Posts: 15,015
Quote:

"This is why I have a mac"

I have a Windows 7 PC, with no virus software of any kind. I actually have 3 of them, and not one virus or malware yet.

I do love the new UAC controls in it, 1000x better than Vista; W7 actually works right. But as KoB said, it would be nice if it was secured out of the box, since most people don't read the setup instructions and never secure it properly.


We don't have to agree with each other, to respect each others opinion.
Legend | Joined: Sep 2006 | Posts: 28,201
W7 went a long way toward having things be secured properly out of the box. The simple fact that even if you are logged in under an Admin account, things do not, by default, execute with full Admin privs is rather significant.


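The split-token behaviour described in the post above (an administrator's normal session runs with a filtered token, and only an elevated process gets the full Administrators membership) can be verified from inside a process. The following is an added example, not code from this thread or from Microsoft: it queries the current process token's elevation type and elevation flag through the documented advapi32 calls. The numeric constants are the winnt.h values as documented in the Windows SDK (TokenElevationType = 18, TokenElevation = 20, TOKEN_QUERY = 0x0008), and the verdict strings returned by classify() are this example's own naming, not Windows terminology.

```python
"""Report whether this process runs under UAC's filtered (limited) token.

Added example: queries TokenElevationType and TokenElevation on the current
process token via ctypes. Windows-only; on other platforms uac_status()
raises OSError instead of touching the Win32 API.
"""
import ctypes
import sys

# winnt.h constants, assumed from the Windows SDK documentation (not from the thread).
TOKEN_QUERY = 0x0008
TOKEN_ELEVATION_TYPE = 18   # TOKEN_INFORMATION_CLASS.TokenElevationType
TOKEN_ELEVATION = 20        # TOKEN_INFORMATION_CLASS.TokenElevation

ELEVATION_TYPE_NAMES = {
    1: "Default",  # no linked token: standard user, built-in Administrator, or UAC off
    2: "Full",     # the elevated half of a split token (full Administrators membership)
    3: "Limited",  # the filtered half: Administrators SID is deny-only, admin privileges removed
}


def classify(elevation_type, is_elevated):
    """Turn the two raw token values into one verdict (verdict names are this example's own)."""
    name = ELEVATION_TYPE_NAMES.get(elevation_type, "Unknown")
    if name == "Limited":
        # The user is an administrator, but this process is not: the
        # "does not execute with full Admin privs by default" case.
        return "admin-user-filtered-token"
    if name == "Full":
        return "elevated-admin"
    if name == "Default" and is_elevated:
        # No split token, yet elevated: UAC is disabled, or this is the built-in Administrator.
        return "admin-no-uac-filtering"
    if name == "Default":
        return "standard-user"
    return "unknown"


def _query_token_dword(info_class):
    """GetTokenInformation() for token classes whose payload is a single DWORD."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    advapi32.OpenProcessToken.argtypes = [
        ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    advapi32.GetTokenInformation.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.POINTER(ctypes.c_uint32),
        ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]

    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY,
                                     ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        value = ctypes.c_uint32()      # TOKEN_ELEVATION is a struct holding exactly one DWORD
        returned = ctypes.c_uint32()
        if not advapi32.GetTokenInformation(token, info_class, ctypes.byref(value),
                                            ctypes.sizeof(value), ctypes.byref(returned)):
            raise ctypes.WinError(ctypes.get_last_error())
        return value.value
    finally:
        kernel32.CloseHandle(token)


def uac_status():
    """Return (elevation_type_name, is_elevated, verdict) for the current process."""
    if not sys.platform.startswith("win"):
        raise OSError("process token elevation is a Windows concept")
    etype = _query_token_dword(TOKEN_ELEVATION_TYPE)
    elevated = bool(_query_token_dword(TOKEN_ELEVATION))
    return ELEVATION_TYPE_NAMES.get(etype, "Unknown"), elevated, classify(etype, elevated)


if __name__ == "__main__":
    name, elevated, verdict = uac_status()
    print(f"elevation type: {name}, elevated: {elevated}, verdict: {verdict}")
```

Run it once from an ordinary console and once from a console started with "Run as administrator": an account in the Administrators group should report Limited and then Full. Seeing Default together with elevated = True means that account gets no UAC filtering at all (UAC turned off, or the built-in Administrator), which is the out-of-the-box gap the posts in this thread are arguing about.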

Legend | Joined: Sep 2006 | Posts: 15,015
Quote:


Apple has shipped new versions of its Safari browser with patches for at least 48 security vulnerabilities.

The Safari 4.1 and 5.0 updates, considered “highly critical,” are available for both Windows and Mac OS X. Exploitation of some of these vulnerabilities could lead to drive-by download (remote code execution) attacks.
The majority of the documented vulnerabilities affected WebKit, the open-source Web browser engine that powers Safari.

Here’s the skinny on some of the more critical issues:

* ColorSync (CVE-2009-1726) — A heap buffer overflow exists in the handling of images with an embedded ColorSync profile. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution.
* Safari (CVE-2010-1384) — Safari supports the inclusion of user information in URLs, which allows the URL to specify a username and password to authenticate the user to the named server. These URLs are often used to confuse users, which can potentially aid phishing attacks.
* Safari (CVE-2010-1385) — A use after free issue exists in Safari’s handling of PDF files. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
* Safari (CVE-2010-1750) — A use after free issue exists in Safari’s management of windows. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
* WebKit (CVE-2010-1392) — A use after free issue exists in WebKit’s rendering of HTML buttons. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
* WebKit (CVE-2010-1119) — A use after free issue exists in WebKit’s handling of attribute manipulation. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
* WebKit (CVE-2010-1422) — An implementation issue exists in WebKit’s handling of keyboard focus. If the keyboard focus changes during the processing of key presses, WebKit may deliver an event to the newly-focused frame, instead of the frame that had focus when the key press occurred. A maliciously crafted website may be able to manipulate a user into taking an unexpected action, such as initiating a purchase.


http://www.zdnet.com/blog/security/apple-plugs-48-safari-webkit-security-holes/6623?tag=nl.e539

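The CVE-2010-1384 item in the quoted advisory concerns URLs of the form scheme://user:password@host/, where everything before the "@" is credentials, not the destination: a reader scanning left to right sees a familiar domain, while the browser connects to whatever follows the "@". Below is an added example, not code from this thread or from Apple, that parses candidate URLs with Python's standard urllib and flags the ones whose "username" reads like a hostname. The sample URLs are constructed for illustration (evil.example, intranet.example and 203.0.113.9 are documentation-reserved names, not real sites), and the host-like heuristic is this example's own.

```python
"""Flag URLs whose userinfo part is used to disguise the real destination.

Added example (not from the thread or from Apple). Standard library only;
the sample URLs below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Something a person would read as a domain: two or more dot-separated labels
# made of hostname characters. That text in the *username* slot is the lure
# pattern behind CVE-2010-1384 (e.g. http://www.paypal.com@evil.example/).
_HOST_LIKE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample input, not taken from any real phishing campaign.
SAMPLE_URLS = [
    "http://www.paypal.com@evil.example/login",        # lure domain in the username slot
    "http://www.paypal.com:443@203.0.113.9/",          # ':443' makes the lure look like host:port
    "http://user:secret@intranet.example/",            # legitimate basic-auth form
    "https://example.com/path?next=user@example.org",  # '@' in the query, not in the authority
    "https://example.com/",
]


def analyze_userinfo(url):
    """Describe how a browser will interpret the authority part of `url`.

    Returns the host the browser actually connects to, the text a human reads
    first (the lure), and whether that text looks like a domain name.
    """
    parts = urlsplit(url)
    # urlsplit treats everything up to the last '@' of the netloc as userinfo,
    # which is also how RFC 3986 and browsers delimit it.
    userinfo, at, _hostport = parts.netloc.rpartition("@")
    if not at:
        return {"url": url, "has_userinfo": False, "host": parts.hostname,
                "lure": None, "suspicious": False}
    username = userinfo.split(":", 1)[0]   # drop any ':password' part
    return {
        "url": url,
        "has_userinfo": True,
        "host": parts.hostname,            # the real destination, after the '@'
        "lure": username,                  # what a left-to-right reader sees first
        "suspicious": bool(_HOST_LIKE.fullmatch(username)),
    }


def flag_samples(urls=SAMPLE_URLS):
    """Return (url, suspicious) for each input; usable as a proxy-log sweep."""
    return [(u, analyze_userinfo(u)["suspicious"]) for u in urls]


if __name__ == "__main__":
    for url, bad in flag_samples():
        mark = "SUSPICIOUS" if bad else "ok"
        print(f"{mark:10} {url}  (connects to {analyze_userinfo(url)['host']})")
```

Only a literal "@" inside the authority counts: a percent-encoded %40 in the host part is not userinfo and is left alone by urlsplit, and an "@" in the path or query (the fourth sample) is never mistaken for one. The second sample shows why the check looks at the username rather than for the mere presence of credentials: a ":443" after the lure makes the whole thing resemble a normal host:port pair.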
OP | Hall of Famer | Joined: Sep 2006 | Posts: 3,044
To the contrary, I do... extensive programming and scripting experience...

It may be an overreaction for some, but let's look at these vulnerabilities closely:

Out of the 7 vulnerabilities affecting Windows, 6 allow remote code execution attacks.

The flaw for Internet Explorer allows remote code execution attacks.

The flaw for Microsoft Office allows remote code execution attacks.

1 flaw for Windows also allows "tampering" with sensitive data.

http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx

That's a lot more serious than many want to think... as I said, MS doesn't disclose all vulns; how long have these been around in the wild being exploited?

OP | Hall of Famer | Joined: Sep 2006 | Posts: 3,044
I have never stated Open Source software doesn't have vulns...

However, Open Source does disclose ALL of their vulnerabilities... all of them.

Also, Open Source software is patched much faster, not to mention the MAC that ships with most Linux distros would have stopped those remote code execution attacks under most circumstances.

Ever see a changelog for an MS Windows Service Pack? That huge giant file they put out... there are many undocumented and undisclosed bugs that are patched in secret that are never revealed or made public..... they just tell you "please install our service pack"; however, they don't really tell you what's in that service pack....

However, only 3 of the CVEs actually apply to WebKit (the OSS); the others are Apple vulns, as Apple uses a modded version of WebKit... the closest pure OSS WebKit browser is Konqueror (for KDE/KHTML) or Chrome.

However, I just want to state that even though I feel Linux is superior to Windows, I am not trying to be a fan boy.

I am just making users aware of the risks... nothing more... a secure Windows OS is better than nothing at all....

Legend | Joined: Sep 2006 | Posts: 28,201
Quote:

To the contrary I do...extensive programming and scripting experience...

Then you have an idea of what a monumental and eternal process that bug detection and elimination is.
You also are then aware that no programmer is exempt from the laws of unintended consequences, and you are also aware of the inherent problems of legacy code.


Quote:

It may be an overreaction for some

No, it is definitely an overreaction for any.... you went all Emo on it.



Quote:

as I said MS doesn't disclose all vulns, how long these been around in the wild being exploited?

No, they'd be fools to. You don't tell people how your software is broken.
The majority of the vulnerabilities are reported by outsiders. The issues then need to be recreated and confirmed. Then their priority needs to match up with development costs and time.



OP | Hall of Famer | Joined: Sep 2006 | Posts: 3,044
Quote:

Then you have an idea of what a monumental and eternal process that bug detection and elimination is.
You also are then aware that no programmer is exempt from the laws of unintended consequences, and you are also aware of the inherent problems of legacy code.

Yes I am very well aware, that is also why it is so important when maintaining an application that unnecessary legacy code is eliminated at first convenience. The best method for eliminating bugs is to reduce the lines of code, removing legacy code is part of that process. There is no reason Win 95/98/Me legacy code should exist in windows in this day and age, yet it does...

Quote:

No, it is definitely an overreaction for any.... you went all Emo on it.

How is it an overreaction? People's data, identity, and computers are at risk because of this kind of stuff. These vulns are used to rob Americans of a lot of wealth per year; education is key.

Quote:

No, they'd be fools to. You don't tell people how your software is broken.
The majority of the vulnerabilities are reported by outsiders. The issues then need to be recreated and confirmed. Then their priority needs to match up with development costs and time.

Why, the Open Source community, we report our flaws; does that make us any less secure? History shows it makes us MORE SECURE. Disclosing flaws in an open manner allows users to take the steps necessary to mitigate the damage. Keeping vulns a secret from network admins (when hackers already know about them) puts the entire IT world at a disadvantage.

Costs for closing remote code execution attacks are irrelevant. They should be closed regardless of costs. Defects in a product you paid for should be fixed... those bugs are no different than the defect in your car.

Just look at Windows XP, how many holes are open...

http://secunia.com/advisories/product/22/?task=advisories

Even Windows 7 has unpatched flaws that allow remote code execution

http://secunia.com/advisories/product/27467/?task=advisories

Cost should dictate if these are fixed or not?

They are defects in the product, and should be fixed. The customer deserves at least that much.

I'll admit, I may be biased to Open Source... I admit it.

However, these flaws are serious; users need to at least have a heads up about them so they can deal with them, because we know antivirus software is just not cutting it these days.

My in-depth Linux rants are just part of my passion for Open Source.

However, I do believe there are more benefits to reap in disclosing vulns (education, mitigation, and study to prevent future like attacks) vs hiding flaws in secrecy and patching an undisclosed number in a service pack...

The Open Model has worked for the Open Source community so far.

Great debate, however.

Legend | Joined: Sep 2006 | Posts: 15,015
Quote:

However these flaws are serious, users need to at least have a heads up about them so they can deal with them, because we know antivirus software is just not cutting it these days.

And this is a big part of the problem. You tell users about security issues and they go all and want to know why it isn't fixed yet.


Hall of Famer | Joined: Sep 2006 | Posts: 5,371
Quote:

Quote:

"This is why I have a mac"

I have a Windows 7 PC, with no virus software of any kind. I actually have 3 of them, and not one virus or malware yet.

I do love the new UAC controls in it, 1000x better than Vista; W7 actually works right. But as KoB said, it would be nice if it was secured out of the box, since most people don't read the setup instructions and never secure it properly.

Actually that was sarcasm; I was hoping the quotation marks would give that away. I'm a faithful PC user.

I'm still using XP. W7 looks pretty and all, but the only real perk I see in it for myself is that it reads 8 gigs of RAM instead of 3.25. Oh, and DirectX 10.

All Pro | Joined: Dec 2009 | Posts: 895
J/C

Checking the Secunia site, I'm not seeing why the outrage honestly... just grabbed Kernel 2.6 for comparison.

Windows XP - 274 Advisories from 2003-2010
Kernel 2.6.x - 217 Advisories from 2003-2010

Windows XP Unpatched 12% (out of 262)
Kernel 2.6.x Unpatched 5% (out of 214)

Impact has a big difference in System Access
Windows XP 52%
Kernel 2.6.x 3%

but check

Windows XP Exposure of Sensitive Info 4%
Kernel 2.6.x Exposure of Sensitive Info 14%

Windows XP Security Bypass 4%
Kernel 2.6.x Security Bypass 11%

Using Kernel 2.6.x has an advantage in criticality, but Linux Vendor Patch is 82% compared to Windows XP's 87%.

Not really an "OMG it's so much better!!" from that info at least.

OP | Hall of Famer | Joined: Sep 2006 | Posts: 3,044
Quote:

J/C

Checking the Secunia site, I'm not seeing why the outrage honestly... just grabbed Kernel 2.6 for comparison.

Windows XP - 274 Advisories from 2003-2010
Kernel 2.6.x - 217 Advisories from 2003-2010

Windows XP Unpatched 12% (out of 262)
Kernel 2.6.x Unpatched 5% (out of 214)

Impact has a big difference in System Access
Windows XP 52%
Kernel 2.6.x 3%

but check

Windows XP Exposure of Sensitive Info 4%
Kernel 2.6.x Exposure of Sensitive Info 14%

Windows XP Security Bypass 4%
Kernel 2.6.x Security Bypass 11%

Using Kernel 2.6.x has an advantage in criticality, but Linux Vendor Patch is 82% compared to Windows XP's 87%.

Not really an "OMG it's so much better!!" from that info at least.

The System Access from Remote is the key factor... look at the big difference.

When looking at the "few" un-patched fixes in the Linux 2.6.x kernel, the un-patched ones are only exploitable with "local access", which means a person has to have physical access to your system to do anything, and if a person has physical access to your system, you've got bigger fish to fry.

On the flip side, the Windows vulns, a good many of them, allow System Access from Remote, which is the deal breaker.

However, you do make some good points on your percentages.

Legend | Joined: Sep 2006 | Posts: 50,506
The scarier part for Linux is that they tend to attract the "uber-geek" (said respectfully), whereas Windows attracts anyone who wants a computer and can find the power button.

Windows is on 90+% of all PCs in the US. Linux has a much, much smaller, but far more devoted following.

Many Linux users are also vehement believers in the system, and would never do anything to hurt it... but revel every time a Windows exploit is found. (which is true)

If Linux was the predominant O/S in the US... it would either be exploited a great deal... or PC usage would be far less prevalent. Overall the system is less user friendly than Windows. I have used both, and Windows is far more intuitive right out of the box. Linux makes you work harder... and if there's anything I learned in the years I spent doing tech work, it's that people don't want to work hard when it comes to using a computer. I cannot tell you how many times I worked to secure systems on the network I used to administer, only to have users beg the bosses for more access to stuff they didn't need while at work... and then seeing them wind up blowing up their computer. (Not literally, but in some cases it might as well have been)

In summary, it seems to me that Linux could be tweaked by users and "dumbed down" to a point where it could be less secure than a Windows box, and conversely a Windows box can be secured just as tightly, or even more so than a Linux box. As with most things in the world, it's the operator more than the machinery.


Micah 6:8; He has shown you, O mortal, what is good. And what does the Lord require of you? To act justly and to love mercy, and to walk humbly with your God.

John 14:19 Jesus said: Because I live, you also will live.
Legend | Joined: Sep 2006 | Posts: 15,015
Quote:

I'm still using XP. W7 looks pretty and all, but the only real perk I see in it for myself is that it reads 8 gigs of RAM instead of 3.25. Oh, and DirectX 10.

I thought so too, but after jumping from XP to W7, I am impressed and glad I did. It is much more intuitive than XP, runs smoother, and some of the little bells and whistles I didn't think I'd care about, I am lost without when working on the XP systems at work.

Guess that's an advantage to being in IT, I can justify upgrading my work PC so that I am familiar with the OS when we buy new PCs.

Last edited by FloridaFan; 06/08/10 10:15 PM.

Legend | Joined: Sep 2006 | Posts: 28,201
W7 is loads nicer to use than XP, and it is WAY smoother.

I'm still running XP at work, I run W7 at home... I far prefer W7.




p.s. It addresses a heck of a lot more than just 8GB of ram, too



Legend | Joined: Sep 2006 | Posts: 50,506
There were some aspects of Windows that I didn't really like yesterday that I have come to kind of appreciate today.

I guess that I adapt rather quickly.


Hall of Famer | Joined: Sep 2006 | Posts: 5,371
Quote:

Guess that's an advantage to being in IT, I can justify upgrading my work PC so that I am familiar with the OS when we buy new PCs.

It definitely gives you a different perspective in that area. Although I admit I have two hard drives but I was just too lazy to attempt the free trial of W7.

I trust your and purp's thoughts greatly when it comes to this subject. So I'll give it some thought. But will my tight behind spend the cheese? It's doubtful. lol

Thread: Epic Fail for Microsoft 10 Bulletins, 34 Vulnerabilities in Windows (DawgTalkers.net Forums, DawgTalk Tailgate Forum)