[thelist] FYI - Plug this MS Application Hole

Sean G. ethanol at mathlab.sunysb.edu
Thu Sep 4 21:21:42 CDT 2003


Howdy,

I really did try to sit on my hands and let this thread die without turning to
flame, but the flesh is weak...

There are so many attacks (viruses, worms, DDOS, etc) aimed at microsoft and
microsoft products because of public relations.  With its business practices
and marketing MS has set itself up as the company we love to hate.

The reason such attacks are well publicized is the dominance of MS products and
the large number of people affected.

The reason many of these attacks are possible and will continue to be possible
is a philosophical deficiency in the way MS builds its products.  Yes, like Ken
said you will see a change in the way products are shipped.  Services will be
stopped and ports closed by default, for an administrator to activate as
needed, rather than have everything open and running out of the box.

However, MS has repeatedly said it will not change how products are
constructed.  Exhibit 1, Internet Explorer.  The current versions of IE are the
last.  In the future, the web browser will be completely assimilated into the
windows operating system and GUI.  I'm all for re-use of code, but IE has
replaced the file manager and is used by all the office apps (Word, Excel, et
al) and pretty much every other MS product.

The web browser is an inherently insecure application.  It's asked to execute
whatever code comes down the pipe, which is fine; it's a web browser.  But an
email or news reader does not need to execute whatever code comes down the
pipe.  There's some level of protection with a web browser with the presumption
you're in charge and telling the browser where to browse.  With Outlook or
Outlook Express anyone can send you an email and execute code on your machine
without you even opening the message, because those applications act like a web
browser, because those applications will use the web browser to render html and
execute scripts.

As long as the web browser is so entwined with the operating system and
applications the only way to really secure a Windows box will be to separate it
from the internet.

IMNSHO  =)


Sean G.


I have a feeling this came to me from an old tip, but I couldn't find it in the
archives, so....

<tip type="It's a unix(HP-UX), unix(Linux), unix(AIX), unix(Solaris), unix(BSD)
world">
"A Sysadmin's Unixersal Translator (ROSETTA STONE) OR   What do they call that
in this world?"
http://bhami.com/rosetta.html
Compares and contrasts administration and user commands for all sorts of unixes
and lists flavour specific references such as mailing lists and user groups.
</tip>



>Here's a question for those of you with a better understanding of security
>issues than I have. Do you think that Microsoft products have so many
>security problems because they develop sub-par products, or because the
>various flavours of Windows are the most commonly used OS, and therefore
>come under more attack by "crackers"? Or, is it possible that other
>software "distributors" (for lack of a better word), such as Apple or
>Linux, *need* to put in the extra effort to make their products more
>secure, simply in order to gain any kind of significant market share vs.
>Microsoft?
>
>(I hope this doesn't start a flame war, I am just looking for some informed
>opinions on this subject.)
>
>Sarah



More information about the thelist mailing list