Somehow I don’t think I’m going to see this story on slashdot any time soon :)


Michael Howard sent the following news article to one of our internal DLs this morning.  For some reason, I don’t think it’s going to hit the front page of Slashdot any time soon:

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.

[…]

“When we went in and did a further investigation, we found that there was an IRC bot installed on the system,” Marshall said.

So Antioch’s Solaris systems were (a) compromised by an old vulnerability for which a patch had been available, and (b) being used as botnet clients.  Both of these are things the Slashdot crowd claims only happen on “Windoze” machines.

At what point do people pull their heads out of the sand and realize that computer security and patching disciplines are an industry-wide issue and not just a single platform issue?  Even after the Pwn2Own contest last month was won by a researcher who exploited a Flash vulnerability, the vast majority of the people commenting on the ZDNet article claimed that the issue was somehow “Windows only”.  Ubuntu even published a blog post that claimed that they “won” (IMHO they didn’t, because Shane has said that the only reason he chose not to attack the Ubuntu machine was that he was more familiar with Windows).  The reality is that nobody “wins” these contests (except maybe the security researcher who gets a shiny new computer at the end).  It’s just a matter of time before the machine will get 0wned.

Ignoring stories like this makes people believe that somehow security issues are isolated to a single platform, and that in turn leaves them vulnerable to attackers.  It’s far better to acknowledge that the IT industry as a whole has an issue with security and ask how to move forward.

 

Edit: Ubunto->Ubuntu (oops :))


Comments (66)

  1. Mike says:

    "At what point do people pull their heads out of the sand and realize…"

    Eh, for someone to pull his head out of sand he first needs to have a head. That may prove to be a problem for some people :).

  2. mh says:

    Totally agree, and about time somebody said it.

  3. John says:

    Also, don’t forget the $ in "Micro$soft".

    I think that most Slashdot readers are reasonable people; it’s just that the prepubescent mouth-breathers make the most noise.

  4. Barry Leiba says:

    But it’s not just /. — it’s also the non-/.-reading public, the mainstream media, and such.

    I often point out to people that the reason we hear about people taking advantage of Windows vulnerabilities is that the vast majority of people use Windows — so it’s the most sensible target.  If 90% of the world used Linux or Mac systems, most of the attacks would be aimed at Linux, or at Mac systems, and it’s guaranteed that they’d find things to exploit there too.

    But when I point that out, everyone seems to glaze over around the word "vulnerabilities".

  5. Mark Sowul says:

    You might want to at least spell "Ubuntu" correctly so there’s one fewer thing to pick on.

  6. Valdas says:

    Correction: it’s Ubuntu, not Ubunto…

  7. vince says:

    Perhaps if you all stopped worrying about what people on Slashdot think and did some actual security work, maybe people wouldn’t have the perceptions they do.

    My co-workers who run Windows hate Tuesdays, because it means they most likely have to reboot their system due to security flaws.  As long as that still happens, you still have a problem.  It doesn’t matter if "everyone else is doing it too".  You guys have the billions of dollars to throw around, we expect more from you.

  8. Joshua says:

    @vince: If there is anything you should know about programming, it is that there will never be a 100% unexploitable, completely secure piece of software.

    It just isn’t possible. Frankly, I’ve been quite happy with the slightly fewer reboots required for patching Vista.

    —–

    Now, unfortunately, you know everyone is going to turn a blind eye to this… nobody cares about exploits on other systems other than Windows. It just isn’t "cool".

    Even at my work I feel like I’m the only one supporting Microsoft anymore, even though 80% of our network is running Windows and authenticates against Active Directory.

  9. Erik says:

    Well said.

    Secure programming is a difficult task.  The Slashdot crowd seems predisposed to believe programmers are exempted from these difficulties when developing on a Unix/Linux kernel, which is absurd.  It’s the mental task that’s difficult, not the platform.

    If they wish to argue whether the general user’s familiarity with Windows outweighs the security risks due to hackers’ preference to target the dominant platform, or whether the fact that Linux/Unix is less frequently attacked by hackers outweighs the platforms’ obscurity, fine, that’s a valid discussion.

    Unfortunately the Slashdot crowd often falls back on ideological claims about the impenetrable security of Linux/Unix as if the open source development community is exempt from the challenges of secure programming and the choice is between total security and insecurity.  I don’t buy their argument that proprietary development is the cause of security bugs.  The mental difficulties of programming are the cause, not whether the development is open or not.  And the relative popularity of the software/platform is the determining factor in the number of hacker attacks, and therefore, the number of security issues found.

  10. LarryOsterman says:

    Barry, I wish I disagreed with you.  And I’ve got to say that Apple’s ad campaigns haven’t helped.  

    At least their engineers seem to have figured it out – the most recent security fixes to QuickTime opt into a bunch of the security mitigations we have in Windows – DEP, ASLR and /GS.  It’s a sign that they’re starting to understand that they’re also not immune to security issues.  Now if their marketing people would just figure it out :).

  11. Yuhong Bao says:

    I agree that there aren’t that many Unix viruses. More common in Unix are hackers that do targeted attacks against particular systems.

  12. Norman Diamond says:

    "a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach"

    So this particular breach wasn’t even due to a former flaw in a proprietary system, it was due to administrators neglecting to install an existing patch.

    Open source developers might get patches out 100 times faster than proprietary vendors, but their users can get hacked just as fast when administrators are equally negligent in installing patches.

    By the way around 5 years ago I read about some company getting infected by Slammer because administrators in that company had neglected to install existing patches.  So it doesn’t matter whether the source code is open to the world, closed to the world, or available only to that company’s self, if the company’s system administrators neglect to install their own patches.

  13. Sunny says:

    It’s not Linux vs. Windows. Even for most of the /. readers.

    It has always been closed vs. open source products.

    You misinterpret the results from the Pwn2Own contest and Shane’s words. Even if the guy had "attacked" Ubuntu – the attack vector was again a buggy and not-patched-on-time closed source application.

    Cheers

  14. LarryOsterman says:

    Sunny:  Open vs Closed source doesn’t matter.  It’s been shown time and time again that the number of vulnerabilities in closed source applications is essentially identical to the number of vulnerabilities in open source applications.

    What matters is deploying a security focused development methodology like the SDL (something that the FreeBSD folks absolutely get).  The SDL has been directly responsible for the unquestionable reduction in vulnerabilities in MSFT code.  I don’t see any indications that open source vendors other than FreeBSD have applied any sort of security focused development methodology (if so, where are their threat models?).

    And please don’t trot out the "many eyes make shallow bugs" line, that particular argument was thoroughly debunked many years ago.

  15. LarryOsterman says:

    Btw, Vince: patching is _hard_.  Essentially you’re torn between two poles: Users hate rebooting, so reboots are bad.  On the other hand, users also hate security vulnerabilities, and there is ample evidence that users would go for months at a time without rebooting after the patches were downloaded and ready to be installed on their machines.  It’s my understanding that our forensics folks who have looked at customers’ machines that got 0wned often found the fix for the vulnerability on the customer’s machine just waiting for a reboot.

    The reality is that there is no good strategy.  Every release of Windows, we’ve gotten better at deploying patches that don’t require a reboot, in fact, the same analysis that led to the minwin effort also helps to drive our patching effort; Vista is vastly better than previous OS’s.

    The *nix patching mechanism (unlink the old binary, copy in the new binary) is "interesting", but if we  adopted that, we’d still have the same problem – you don’t actually close the hole in that case, because the vulnerable code is still running on the machine (until all processes on the machine get recycled).

    I don’t think anyone "likes" patch tuesday.  But it’s better than the alternative – at least patch Tuesday is predictable.

  16. Alun Jones says:

    That’s why a "root kit" isn’t called a "BUILTINADMINISTRATOR kit" :)

  17. Dean Harding says:

    "My co-workers who run Windows hate Tuesdays"

    Funny… On my Ubuntu system at home, it downloads new patches every second day (on average). Once a month is a blessing!

  18. steveg says:

    Isn’t it also about scale? If there’s a problem in Windows it affects gazillions of people and businesses. If there’s a Linux/OSX/Solaris/Whatever problem it doesn’t affect as many people or businesses.

    Thus Linux/OSX/Solaris/Whatever currently has Immunity from Bad Press. As their popularity increases any exploits etc will have a bigger effect, thus damaging their perceived "goodness".

    Therefore… what? Microsoft had better get their security in order, because if they don’t, they will lose market share, possibly even if they’re perceived to be "equally secure".

    Oh hang on, that’s exactly what they’re doing. Someone made a smart decision a few years ago.

    [I am not a fan of "Your computer was rebooted because of an important update." If it reopened the 26 applications I had running I’d be a little happier].

  19. Norman Diamond says:

    "It’s my understanding that our forensics folks who have looked at customers machines that got 0wned often found the fix for the vulnerability on the customers machine just waiting for a reboot."

    "The *nix patching mechanism (unlink the old binary, copy in the new binary) is "interesting", but if we  adopted that, we’d still have the same problem – you don’t actually close the hole in that case, because the vulnerable code is still running on the machine (until all processes on the machine get recycled)."

    What about showing the user a list of tasks that the user will have to close down and restart in order to avoid the need for a reboot?  (A list of tasks such as the applications list in Task Manager, or a list of processes if they don’t have visible windows.)

    ‘That’s why a "root kit" isn’t called a "BUILTINADMINISTRATOR kit" :)’

    Yeah, it needs to be a NT_AUTHORITY\TRUSTED_INSTALLER kit  ^_^

  20. Drak says:

    Is it only me who turns his Windows machine on when he’s going to use it, and back off when he’s done with it? I don’t mind rebooting for a patch or fix.

    Maybe people should be using client OS machines (i.e. XP, Vista) for server work? Rebooting a client Windows machine shouldn’t be too much of a problem for anyone.

  21. Cheong says:

    Actually, I’ve personally seen an improperly configured (they turned off SELinux AND the firewall… wtf……) Fedora server turned into a private RO (an online game) server…

    No matter what OS you use, if the administrator(s) aren’t worth their salt, being owned is a matter of time only…

  22. Cheong says:

    Erik: While programmers are NOT exempted from these difficulties when developing on a Unix/Linux kernel, the "safety net" on *nix systems when something went wrong used to be better than on the Win9X versions. Unless something serious happened at kernel level, you’re not able to bring down the whole system with a single badly written user mode program.

    This has been greatly improved in WinXP and improved more in Vista, but I’m afraid that those ******* are unable to see the present and the future, just like those ******* who still claim you have to compile the packages one by one yourself in order to run a Linux system… better just ignore them.

  23. LarryOsterman says:

    SteveG: Vista actually has an API to deal with the 26 apps that were open, it’s called the restart manager – if an app crashes that’s registered with the restart manager, it will restart it (and it’ll restart after a patch reboot, I believe).

    Norman, for many patches the list of things that need to be restarted is every process on the system.  This is especially true for system components.  But the system is getting better at analyzing what needs to be restarted – that’s a part of the reason Vista has fewer reboots.

    Drak, it’s just you :).  

    To be fair: I’m just as annoyed at the mandatory patch reboots as everyone who’s commented.  I wish that they didn’t happen (because they DO kill productivity).  I just deal with them as a once-a-month necessary evil.  And I recognise that Vista’s patches have typically involved fewer reboots than previous OS’s.  But it’s not perfect.

  24. FrankAu says:

    Exactly which CVE was purportedly exploited?

    In my quick review I could only find CVE-2003-1075 which is a DoS – not ownership!

    Perhaps the dudes running this uni are the risk?  FCS who runs an ftp daemon on a high security/privacy system – period!

  25. Tim Gradwell says:

    After an update, when I get the "Your system needs to be rebooted" message, I open the Services administrator tool and stop the "Automatic Update" service.

    The messages go away.  Next time I restart my computer the Automatic Update service starts up again and everything’s back to how it was without the reboot your computer message popping up every 5 minutes.

  26. Triangle says:

    This is a great argument for IBM’s AIX, which (IIRC) can apply updates and even install an entirely new kernel without any downtime.

  27. FusionGuy says:

    Slashdot crowd = People who speak loudly but know little.

  28. Anon says:

    What about hot patchability? I read about it on another msdn blog and thought Microsoft would use that so that it was possible to patch things without a reboot. Then again maybe there’s some limit on it.

    this post

    http://blogs.msdn.com/freik/archive/2006/03/07/x64-Hotpatchability.aspx

    … seems to say that only 30% of the x86 kernel is hot patchable.

    But from what he says it sounds like a function is hot patchable if it starts with a two byte instruction (which can be overwritten with jmp $-6) and has six bytes of padding afterwards (which can be overwritten with jmp NewFunc). But it seems like you could make the compiler guarantee that. So you build the kernel with the new compiler and then send it out as an update, which would require a reboot. But after that, no more reboots.

  29. Jon says:

    Steve Yegge reminds us in this talk that it takes a full generation to change your branding:

    http://blip.tv/file/319044/

    My generation of computer experts (I’m in my mid-20’s) formed its opinions of Microsoft based on Windows 95 and 98.  We have helped many friends and family members clean up virus and adware infested computers and we learned to measure uptime in hours, not days or months.  We tried Linux and FreeBSD and we didn’t have stability or security problems.  These experiences have left lasting impressions and it will take a lot of time and counter-examples to change our minds.  These kinds of sour grapes posts only go to reinforce our impression that Microsoft employees are defensive and insecure about it (no pun intended).

  30. Joshua says:

    @Norman: The only problem I see with showing the user the programs that need to be restarted: what if it’s a core part of the OS? It’s not like you can just stop and start the kernel… though I’d hate to see the logic that tries to identify who’s running what.

    @SteveG & Larry: The problem with the restart manager is that the program needs to register for it and support it in the first place, and people programming for that seem to be quite few. I have yet to actually see a program support it.

    @Drak: I don’t shutdown and startup every day, but I do put my machine into hibernation and turn everything else off while I’m off of work. I try to do what little I can to save energy.

  31. vince says:

    > The reality is that there is no good strategy.  Every release of Windows,

    > we’ve gotten better at deploying patches that don’t require a reboot, in fact,

    > the same analysis that led to the minwin effort also helps to drive our

    > patching effort; Vista is vastly better than previous OS’s.

    Vista is better than previous _Microsoft_ OSs.  Maybe in a few decades you’ll catch up with *NIX circa 1995.

    > The *nix patching mechanism (unlink the old binary, copy in the new

    > binary) is "interesting", but if we  adopted that, we’d still have the same

    > problem – you don’t actually close the hole in that case, because the

    > vulnerable code is still running on the machine (until all processes on the

    > machine get recycled).

    You don’t think the various processes get restarted when an update is installed?  All of the major services do, at least the ones that could likely be used for a root-level exploit.

    It’s true user apps like firefox and openoffice don’t restart themselves automatically, but these days both apps can recover just fine from being restarted without losing state, so it’s only a matter of time I think before this is fixed.

    > I don’t think anyone "likes" patch tuesday.  But it’s better than the

    > alternative – at least patch Tuesday is predictable.

    Or maybe the alternative is like OpenBSD… reboot once every 5 years when a rare kernel vulnerability is found.

    It is only anecdotal, but I have sat through many presentations ruined because the "MS has installed a critical patch and must reboot" popup appears every 5 minutes.  And my co-workers have lost many documents because they hadn’t saved and left unexpectedly on Monday only to find their machine rebooted out from under them on Patch Tuesday.

  32. Yuhong Bao says:

    "The *nix patching mechanism (unlink the old binary, copy in the new binary) is "interesting", but if we  adopted that, we’d still have the same problem – you don’t actually close the hole in that case, because the vulnerable code is still running on the machine (until all processes on the machine get recycled)."

    And it is impossible on Windows because of the fact that Windows uses memory mapping for EXEs and DLLs. Imagine if you map a file and the file changed behind your back.

  33. Yuhong Bao says:

    "Vista is better than previous _Microsoft_ OSs.  Maybe in a few decades you’ll catch up with *NIX circa 1995."

    To be honest, in the area of permissions, for example, NT is already better than Unix.

  34. LarryOsterman says:

    Yuhong: We could work around that problem actually – the OS loader opens files with FILE_SHARE_DELETE, so they _could_ be deleted and a new version installed.

    Vince: The last Windows kernel patch security vulnerability was something like a year ago.   Fine, the kernel doesn’t get patched that much.  What about the apps that run on top of the kernel?  Why don’t they need to be patched?

    FrankAu: I honestly don’t know.  I only know what was in the news article.  It might have been CAN-2004-0148 though.

  36. Yuhong Bao says:

    Or you can rename the old copy and put the new copy in its place. Of course, the new copy is not executed until the old one is released.
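    As an added example (not from the post or from any commenter) for Larry’s point in comment 15 and the memory-mapping discussion in comments 32 to 36: on a *nix system the packager writes the new file beside the old one and renames it over the old path, the old inode stays alive as long as anything has it open or mapped, and the running process keeps executing the old (vulnerable) code.  The script below simulates that with a stand-in file called libfoo.so (a hypothetical name, not a real library), shows that the live mapping still reads the old bytes while the path on disk holds the new ones, and then does the check a practitioner actually wants after patching: walk /proc/<pid>/maps and list every process that still maps a file the kernel has marked " (deleted)" (the same signal `lsof +L1` and tools like checkrestart use).  The /proc part is Linux-specific and is skipped elsewhere; the rest is plain POSIX.

```python
import mmap
import os
import shutil
import tempfile


def proc_available():
    """True on Linux-style systems where /proc/<pid>/maps exists."""
    return os.path.exists("/proc/self/maps")


def stale_mappings(pid="self"):
    """Paths that process `pid` still has mapped although the path has
    since been unlinked or renamed over.  Linux marks such entries in
    /proc/<pid>/maps with a trailing ' (deleted)'.  Returns an empty set
    where /proc is unavailable or the process is not readable."""
    stale = set()
    try:
        with open(f"/proc/{pid}/maps") as fh:
            for line in fh:
                # fields: address perms offset dev inode [pathname]
                parts = line.rstrip("\n").split(None, 5)
                if len(parts) == 6 and parts[5].endswith(" (deleted)"):
                    stale.add(parts[5][: -len(" (deleted)")])
    except OSError:
        pass
    return stale


def processes_with_stale_mappings():
    """System-wide sweep: {pid: {paths}} for every readable process that
    still runs code from a file that no longer exists at that path.
    Run as root after applying updates to see what still needs a restart."""
    result = {}
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return result
    for pid in pids:
        paths = stale_mappings(pid)
        if paths:
            result[int(pid)] = paths
    return result


def patch_while_mapped(old_bytes, new_bytes):
    """Simulate the *nix patch flow on a stand-in shared library:
    a 'process' maps the file (as a loader would), then the packager
    writes the new version beside it and renames it over the old path.
    Returns (bytes the live mapping sees, bytes now on disk, whether
    /proc reports the mapping as deleted)."""
    workdir = os.path.realpath(tempfile.mkdtemp())
    path = os.path.join(workdir, "libfoo.so")  # hypothetical library name
    fd = None
    mm = None
    try:
        with open(path, "wb") as fh:
            fh.write(old_bytes)
        fd = os.open(path, os.O_RDONLY)
        mm = mmap.mmap(fd, 0, access=mmap.ACCESS_READ)  # the 'running' copy

        tmp = path + ".new"                 # package manager writes new file
        with open(tmp, "wb") as fh:
            fh.write(new_bytes)
        os.replace(tmp, path)               # atomic rename; old inode lives on

        mapped = mm[:]                      # still the old code
        with open(path, "rb") as fh:
            on_disk = fh.read()             # new code, for future processes
        reported_stale = any(
            os.path.basename(p) == "libfoo.so" for p in stale_mappings()
        )
    finally:
        if mm is not None:
            mm.close()
        if fd is not None:
            os.close(fd)
        shutil.rmtree(workdir, ignore_errors=True)
    return mapped, on_disk, reported_stale


if __name__ == "__main__":
    # Constructed sample contents standing in for the vulnerable and fixed builds.
    old = b"ftp_parse_v1: vulnerable\n" * 8
    new = b"ftp_parse_v2: fixed\n" * 8
    mapped, on_disk, stale = patch_while_mapped(old, new)
    print("mapping still vulnerable:", mapped == old)
    print("disk copy updated:", on_disk == new)
    print("/proc flags mapping as deleted:", stale)
    for pid, paths in sorted(processes_with_stale_mappings().items()):
        print(pid, sorted(paths))
```

    The system-wide sweep only sees processes whose /proc/<pid>/maps the caller may read, so run it as root; a service that shows up in its output is still executing the pre-patch binary and closing the hole means restarting it, exactly the situation Larry describes.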

  37. Thom says:

    "Vista is better than previous _Microsoft_ OSs.  Maybe in a few decades you’ll catch up with *NIX circa 1995."

    On the other hand, while *NIX is better than previous *NIX OSs when it comes to being user friendly and conducive to use "out of the box" by 99.995% of the earth’s population, it’s still far inferior to Microsoft Windows circa 1995 on that front.

  38. Isaac Lin says:

    Not sure what happens in kernel space, but I was under the impression that user space programs/libraries are also memory-mapped with Unix (file loading being essentially the same as virtual memory). I recall the AIX documentation covering this. When a program is deleted, the OS keeps the physical bytes around until all memory-mapped instances are gone.

  39. Gregs says:

    I think I must be the only one who likes patch tuesday – the reboot gives me an excuse to go and make coffee!

  40. Norman Diamond says:

    Joshua:  "though I’d hate to see the logic that tries to identify who’s running what."

    EnumProcesses and EnumProcessModulesEx.

    Jon:  ‘My generation of computer experts (I’m in my mid-20’s) formed its opinions of Microsoft based on Windows 95 and 98.’

    Some previous generations of computer experts (I wish I were in my mid-20’s) formed our opinions of Microsoft based partly on Windows 95 and 98 and NT4 SP4 (SP3 was the good one but SP4 made up for it) and XP prior to SP2, etc., AND based partly on other OSes that existed before Microsoft bought QDOS.  Actually these aren’t the biggest parts of it, but I’ll try to avoid wandering further off-topic this time.

  41. Yuhong Bao says:

    Jon:  "My generation of computer experts (I’m in my mid-20’s) formed its opinions of Microsoft based on Windows 95 and 98."

    NT was not very popular back in the 1990s. Only around the beginning of 2000 was Windows 2000 released, and that was when NT really began to take off, replacing 9x, which is one of the reasons Windows Me did not get popular. XP finally ended the 9x series. One of the issues caused by this is that many third party apps and even some MS apps, such as Office 95 (search for "Office 95 and Windows NT" to see what I mean), had issues running as non-admin, even though it had existed since NT 3.1!

  42. Yuhong Bao says:

    One of the reasons why NT 4 never got popular is that it did not have some of the new hardware-related features in the *original* Windows 95, such as Plug and Play and Device Manager, let alone OSR2 and Win98. Instead it still had Control Panels like Ports and Devices that were in NT 3.x. Win2000 finally caught NT up to all of the hardware support advances in the 9x series.

  43. David Walker says:

    "Users hate rebooting, so reboots are bad."

    Yes, they are bad.  Theoretically, you could patch a system without requiring a reboot.  Just figure out the memory and disk map before and after the patch is applied, temporarily stop all other running processes, and move everything around to obtain the desired after-patch layout!

    It’s surely not practical, though, given the nearly-infinite combinations of running software that a user can have.

  44. exSupport says:

    Well, hope you don’t mind me chiming in as well:

    (a) Blaming MS for security vulnerabilities is just the price for success. If you are the #1 desktop OS vendor, it is highly attractive for any virus / trojan writer to target your OS.

    Sometimes I use Zeta as OS for secure browsing. As it is totally niche (not to say "dead"), probably nobody will ever write a virus for it.

    It is not an attractive target. For a long time the Mac was also not, for a long time Linux was not — but both systems are getting there.

    (b) Any closed-source OS makes security analysis and debugging harder, just by being closed-source.

    You can’t "just look up" how this routine you’re calling in your code works exactly.

    On the bright side, as an OS vendor of a closed-source OS you can guarantee stable APIs, which in turn makes shipping of binary drivers and applications feasible. And in-box hardware support. And DRM, which gives you those Hollywood movies and tunes we all crave for so urgently.

    Any open-source OS makes security analysis easier – but also tampering with distributions. We already do now and will probably find more "tainted" (Linux) distribution servers in the future. So pick your download archive carefully.

    (c) "Unix security is worse than even NT"… is not true.

    Unix had already some considerable history before NT was incepted (remember OS/2?). Yes, NT had a newer scheme, and the schemes are just different.

    But Unix did offer for a long time "adequate" security that was in its usability better than WinX – again, for a long time.

    IMHO Windows Vista is the first incarnation of the OS where higher security – on the desktop, for the end user – is actually really usable.

    People built ACL-based security for Unices a long time ago, when and where they needed it.

    For Linux, or OpenBSD or FreeBSD – being open source – you can add any component or property you want anyway, or pay someone to do it, or work with an interest group to get it.

    You can’t do this – naturally – with closed source, unless you own the company that makes the OS.

    (d) "*NIX OSs when it comes to being user friendly and conducive to use "out of the box" by 99.995% of the earth’s population it’s still far inferior to Microsoft Windows circa 1995 on that front."

    Well, in the 90’s first I worked as an admin (WfW3.11 on desktops, Novell 3.12/4.11 Servers) and then later in 2nd level support for Windows NT 4.x (desktop, later also for servers).

    At this time I got the "founded opinion" that Windows gives you a very good and nice illusion of easy usability. And as long as you have no problem everything is great.

    But once you DO have a problem, and need to get "under the hood", things start getting really bad.

    One reason things are getting bad is that you don’t get any app support from MS if you’re too small business — and for ages they were the only ones that could really analyze and fix problems in their code.

    The complexity, veiled by a pretty GUI (anyone remember "DLL hell"?) means that you cannot track problems easily to their root, the first incarnations of the registry (introduced with Office 4.3, if memory serves well) had… interesting… side effects, and the impossible separation of user and system files (not even via soft or hard links) made administration …ahem …difficult.

    When a process crashed in 16bit Windows, you could be lucky if it did not destroy your work files. People who worked with disks (b/c they assumed that would somehow be safer) sometimes found out during save of e.g. an Excel file that there was not enough disk space to store the file… at this moment the old file was overwritten with a partial file. Now introduce a crash or a brownout and your work plus the old copy are both destroyed.

    Not nice.

    And installation? I don’t want to count the wasted hours of my life trying to re-install various Windows versions to get your hardware working. NOW is a much better time, with online update services and internet connectivity and cheap laptops (so you have one working computer to set up the other one, with help of the excellent MSKB, Google, etc.)

    Progress is everywhere, though – with the need for end-user configuration via pretty interfaces, and with ever-increasing distribution packages we will soon have similar problems in Linuxland, too.

    Don’t get me wrong — Windows is not at all "bad" per se – after all it’s better to have "something usable" (with pain) than to have nothing at all! – but I want a bit of perspective for this statement of "the old times". They were not at all "good old times", they were times with a lot of work finding and tracking bugs or application annoyances, lots of lost work time and lost data because of system hiccups, not much or only beginning internet connectivity (which made support even more difficult), slow processors, slow hard disks and slow modem connections.

    So you please might reconsider this "still far inferior" statement — especially if you never worked on an Xterm / Sun Sparc or  on a HP-9000 workstation with Motif as X Window manager during that time (which I did ca. 1992).

    (e) Probably there is an intrinsic dilemma between offering huge amounts of flexibility and applications and between easy usability and maintainability. People get along quite well with single-purpose machines – the upcoming game console trend seems to highlight that, and they can handle the maintenance for them. So possibly in the future people will not have to make a "dr. windows" degree to set up and run their own systems. Possibly you’ll have one computer for games (a console), one for surfing the internet (built into the big screen TV), and a portable one for text, calculation, mail and news.

    The future will be interesting, with so much cheap computing power available even today, and with I/O and comms devices slowly reaching or even surpassing these old "star trek" interfaces… so let’s look onward!

    … and in the mean time let’s do our best to keep people safe and happy… :-)

  45. Norman Diamond says:

    "Blaming MS for security vulnerabilities is just the price for success."

    OK, could be.  Now for a completely separate fact:

    Blaming MS for many years of refusing to fix known security vulnerabilities is just the price for arrogance.

    Fortunately things have changed most of the time, but as several people have observed here, it will take longer to lose the reputation … especially when the arrogance is still waiting to be lost.

  46. Very interesting, and although there are many people who champion Linux endlessly despite the fact that all OSes have their faults, I would like to point out that Linux != Solaris. I find it odd that Larry highlights a Solaris machine and then goes on to bash Ubuntu, which is Linux… there is a difference.

  47. Will says:

    "So you please might reconsider this "still far inferior" statement — especially if you never worked on an Xterm / Sun Sparc or  on a HP-9000 workstation with Motif as X Window manager during that time (which I did ca. 1992)."

    Many things you say are correct but they are not completely on point.  Let’s face it, for all of Win95’s shortcomings it’s still far ahead of most *nix systems on ease of installation AND use for the public at large.  It doesn’t matter if a version of *nix beats Win95 on usability if that version can’t be successfully installed and configured "out of the box" by but a fraction of the users that could do the same with Win95.

  48. Yuhong Bao says:

    "the first incarnations of the registry (introduced with Office 4.3, if memory serves well)"

    I think that was introduced with either Windows 3.1 or OLE 1.0.

    "Any closed-source OS makes security analysis and debugging harder, just by being closed-source."

    NT beats any other closed-source software in making at least symbols public; most closed-source developers don’t generate symbols with release builds at all, and even if they do, they don’t make them public, but still… Anyway, even shared source is much better here.

  49. Yuhong Bao says:

    "On the other hand while *NIX is better than previous *NIX OSs when it comes to being user friendly and conducive to use "out of the box" by 99.995% of the earth’s population it’s still far inferior to Microsoft Windows circa 1995 on that front."

    Or for that matter, Mac OS X even today. And it is based on UNIX and is half open source and half closed source.

  50. Igor Levicki says:

    Larry, would the flash vulnerability work on Linux? Would the attacker be able to gain the same privilege level? I doubt it unless new versions of Flash run as root.

    As for hot patching, the answer is simple — code reuse. DLLs have failed, .Net has failed (from a user perspective at least), you need to work on a new system for more efficient code reuse. Better reuse means easier patching.

  51. LarryOsterman says:

    Richard: Actually I’m bashing any and every software vendor that doesn’t acknowledge that the IT industry is facing a crisis and instead is touting that their software is somehow safer or superior (without evidence to back it up).  I picked on Ubuntu because they decided to take the contest as an opportunity to bash Windows and OSX when the reason that the Windows machine failed was because of a cross platform vulnerability (that would have just as easily affected their platform).

    Posturing like this just hurts customers and that’s NOT ok.

    Microsoft acknowledged that there was a problem back in 2002 and has been working tirelessly since then to improve the security of our systems, and the evidence is clear that the work that Microsoft is doing is paying off.  I’m starting to see a glimmer of a hope that Apple is starting to figure this out (their recent moves to enable ASLR, DEP and /GS in their applications are (in my opinion) a significant step in the right direction).

    But except for the folks at FreeBSD and the Firefox folks (led by Window Snyder (who helped Microsoft design the SDL)) nobody in the FOSS community seems to be considering security to be a significant problem.  Instead they sit there and laugh at those Windoze idiots who keep on getting p0wned because they run an insecure operating system.

    If the FOSS community HAS realized that there’s an issue, I’d expect to see them publish their analyses – after all, if the code’s open, why aren’t the security analyses of the designs that back that code open?

    There is a crisis in software security that has been building for years.  Microsoft has secured its part of the stack, and the attackers are starting to look for weaker targets.  Until the rest of the industry stops laughing at those clueless idiots at Micro$oft and starts realizing that they’re a part of the problem, our customers (and your customers) won’t be safe.

  52. LarryOsterman says:

    Igor: According to Shane (the finder), he believes that the same vulnerability will work on Linux and will get the same privilege level (according to several people who were there, you didn’t need root to win Pwn2Own, all you had to do was demonstrate RCE).

  53. Igor Levicki says:

    Larry, "he believes that the same vulnerability will work on Linux" is not the same as "he demonstrated the same vulnerability on Linux".

    What I am trying to say is that remote code execution on a Linux machine doesn’t guarantee root privileges. On Windows it almost always does. That is the main issue I see when I try to compare security of different platforms.

  54. LarryOsterman says:

    Igor, the only way that a Windows Vista user will be running as root is if they turn off UAC.  And that rarely happens (we know, David Cross just gave a presentation where he mentioned the percentages of users that turn off UAC).

    And in Pwn2Own, you just had to demonstrate RCE, not an EoP to root.

  55. ygrek says:

    "But except for the folks at FreeBSD and Firefox folks […] nobody in the FOSS community seems to be considering security to be a significant problem."

    What about Debian? (recent http://lists.debian.org/debian-devel-announce/2008/01/msg00006.html)

  56. LarryOsterman says:

    ygrek: that’s actually great! – debian is finally adding NX protection, ASLR and banning unsafe APIs.  But those are ALL bandaids around the design problem.

    In order to "consider security to be a significant problem", I’d want to see things like mandatory training for contributors to FOSS products, threat analyses being performed on FOSS products, code reviews for security issues, etc.

    You don’t have to do threat models like we do (although I think they’re a really good idea); but you DO need to do some level of analysis.  And in a FOSS world, I would expect that those analyses be made public – that’s why I know they’re not being done.

    In my honest opinion, bandaids are great, but there’s no substitute for process.  The SDL is Microsoft’s version of that process, other companies have adopted their own versions (I believe Oracle has said that they’ve invested in a security assurance process, for example).

  57. exSupport says:

    "Let’s face it, for all of Win95’s shortcomings it’s still far ahead of most *nix systems on ease of installation AND use for the public at large."

    (a) Will, did you actually ever do or watch any Unix installation (e.g. HP-UX, Solaris, "rolling Unix" or other)?

    As I was shown and told, initial "out of the box" installations for most of these was pretty easy — "boot into boot prompt, insert tape, issue ‘boot from tape’ command".

    (b) You can hardly compare the feature set of Win95 with Unix.

    One is a desktop system for a single end user, the other a server-grade OS designed for multi-user/multi-tasking. These systems were used for servers or scientific workstations and inaccessible (too pricey) for "normal users".

    To paraphrase: "Let’s face it, for all of my bike’s shortcomings it’s still far ahead of most Space Shuttle systems on ease of installation AND use for the public at large." For example, for getting to the next lecture on the university campus… :-)

  58. Igor Levicki says:

    "Igor, the only way that a Windows Vista user will be running as root is if they turn off UAC."

    And here I thought that turning the UAC annoyance off is the first thing everyone and their grandmother does after installing Vista.

  59. LarryOsterman says:

    Igor, according to the articles I’ve read, 88% of all Vista customers have UAC enabled, and 66% of all Vista "sessions" never encounter a UAC prompt.

  60. Yuhong Bao says:

    BTW, on the matter of UAC, it is similar enough to sudo that it is basically a clone of sudo.

  61. Yuhong Bao says:

    >ygrek: that’s actually great! – debian is finally adding NX protection, ASLR

    That all actually existed for years and some other distros had that even before Debian.

    BTW, on the matter of NX in Linux, from http://blogs.msdn.com/oldnewthing/archive/2008/04/10/8374144.aspx#8398520:

    "BTW, not all Linux distros provide a PAE kernel, and some provide it only on server kernels, such as Ubuntu. In Linux, with a non-PAE kernel, you could not even use NX!"

  62. Yuhong Bao says:

    "And here I thought that turning the UAC annoyance off is the first thing everyone and their grandmother does after installing Vista."

    That is a little far, in fact I don’t turn UAC off on my Vista machine.

  63. Yuhong Bao says:

    >"And here I thought that turning the UAC annoyance off is the first thing everyone and their grandmother does after installing Vista."

    >That is a little far, in fact I don’t turn UAC off on my Vista machine.

    BTW, the class of mistake Igor is making here is called overgeneralization. Just because geeks do something does not mean that everyone does it.

  64. nikanj says:

    So Antioch’s Solaris systems were (a) compromised by an old vulnerability, and (b) were being used as botnet clients.

    You don’t have _any_ idea what IRC is or what an IRC bot usually does, do you? Botnet client? What?

    Hint: logging, auto-oping known users, providing small tools like "!weather new york"

  65. LarryOsterman says:

    nikanj: I know exactly what IRC is and the difference between an IRC bot and a botnet client.

    Sure, an IRC bot does logging, etc., but a botnet client does a smidge more – it does things like launching DDoS attacks and sending spam emails.

    And this wasn’t an IRC bot that was on those machines.  My point was simply that the idea that somehow botnet clients are a uniquely windows phenomenon is simply untrue.