Re: the exploit that wasn't
- From: Steve de Mena <steven@xxxxxxxxxxxxxxx>
- Date: Sun, 22 Apr 2007 19:23:21 -0700
Tom Reestman wrote:
> Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
> drivel in news:462bf810$0$24727$4c368faf@xxxxxxxxxxxxxxxxx
>
>> Tom Reestman wrote:
>>> Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
>>> drivel in news:462be784$0$4890$4c368faf@xxxxxxxxxxxxxxxxx
>>>
>>>> Tom Reestman wrote:
>>>>> Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
>>>>> drivel in news:462bcdc6$0$4910$4c368faf@xxxxxxxxxxxxxxxxx
>>>>>
>>>>>> Tom Reestman wrote:
>>>>>>> Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing
>>>>>>> this drivel in news:462b0631$0$1360$4c368faf@xxxxxxxxxxxxxxxxx
>>>>>>>
>>>>>>>> Tom Reestman wrote:
>>>>>>>>> Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing
>>>>>>>>> this drivel in news:462a664c$0$19452$4c368faf@xxxxxxxxxxxxxxxxx
>>>>>>>>>
>>>>>>>>>> DanielEran wrote:
>>>>>>>>>>>> And what about the others? Recall that this was a FULLY
>>>>>>>>>>>> patched system.
>>>>>>>>>>>
>>>>>>>>>>> What about the other what? The other Mac Book Pro? It was
>>>>>>>>>>> not compromised. There were two, and only one was given
>>>>>>>>>>> away.
>>>>>>>>>>>
>>>>>>>>>>> http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html
>>>>>>>>>>
>>>>>>>>>> Instead of discussing what happened at CanSecWest we just
>>>>>>>>>> get yet another anti-Microsoft rant, rehashing the same old
>>>>>>>>>> tired myths again and again.
>>>>>>>>>>
>>>>>>>>>> Yawn.
>>>>>>>>>>
>>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>> Another knee-jerk dismissal of a RoughlyDrafted article, I see.
>>>>>>>>>
>>>>>>>>> How is the following not "discussing what happened at
>>>>>>>>> CanSecWest"?
>>>>>>>>>
>>>>>>>>> "...Gohring’s article clearly described a local exploit.
>>>>>>>>> There’s a big difference between the remote exploits that made
>>>>>>>>> Windows infamous for its insecurity and a local exploit of an
>>>>>>>>> application."
>>>>>>>>
>>>>>>>> One sentence of news, followed by twice as much text bashing
>>>>>>>> Microsoft.
>>>>>>>>
>>>>>>>>> "Opening an email URL that exposes a security flaw in Safari is
>>>>>>>>> both news to report and a problem for Apple to tackle, but
>>>>>>>>> reporting it as a remote exploit is inaccurate, irresponsible,
>>>>>>>>> and sloppy journalism, particularly for IDG's InfoWorld, which
>>>>>>>>> purports to be an authority on computing."
>>>>>>>>>
>>>>>>>>> I'd say that sums it up nicely, and his taking InfoWorld to
>>>>>>>>> task for its misleading headline is perfectly valid.
>>>>>>>>
>>>>>>>> Yes, and that's where he should have stopped. But no....
>>>>>>>>
>>>>>>>>> As for the rest of the article, it goes on to bash Dragos
>>>>>>>>> Ruiu's ridiculous statement (quoted in the IW article)
>>>>>>>>> regarding OS X security, and does so well. It certainly does
>>>>>>>>> not change the accuracy of the above.
>>>>>>>>>
>>>>>>>>> Ruiu, as the principal organizer of the conference,
>>>>>>>>> specifically brought Microsoft into a security discussion about
>>>>>>>>> Mac OS X. That was about as dumb as it gets, and left the door
>>>>>>>>> open for RoughlyDrafted to call it for the ridiculous statement
>>>>>>>>> that it is.
>>>>>>>>
>>>>>>>> We hear again and again how "..Unix security has been
>>>>>>>> exhaustively researched by experts for decades." Today I
>>>>>>>> installed Sun Solaris 10 in a virtual machine (Parallels) just
>>>>>>>> to play with it. I installed the 11/2006 u3 build. After it was
>>>>>>>> done it looked for updates and there were about 83 updates, the
>>>>>>>> vast majority (75?) for security issues.
>>>>>>>>
>>>>>>>> Steve
>>>>>>>
>>>>>>> You do NOT measure an OS' security by how many patches there are
>>>>>>> for it. That's ridiculous! And why act as if "secure" somehow
>>>>>>> means that everything that ever needs to be patched has already
>>>>>>> been patched? No one ever said that. It's yet another MS-defender
>>>>>>> artificial construct to detract from what counts.
>>>>>>>
>>>>>>> MS defenders have spread this new way to "measure" security
>>>>>>> because they lose (oh boy do they lose!) when measured by the
>>>>>>> only criteria that counts: How many real, bona-fide attacks there
>>>>>>> have been in the wild. All else is just statistical
>>>>>>> chest-thumping by people trying to hide the fact that the purpose
>>>>>>> of security is to keep your system from being attacked in the
>>>>>>> real world.
>>>>>>>
>>>>>>> UNIX and UNIX-like systems have had something like 700 known
>>>>>>> viruses in the wild, and I believe zero malware. MS Windows
>>>>>>> systems have had over one hundred thousand, springing up a nine
>>>>>>> BILLION dollar industry to keep them at bay. This industry has
>>>>>>> become so ingrained in the MS mind-set that such users consider
>>>>>>> it "normal". But for other operating systems it is most certainly
>>>>>>> not normal. And, yes, those other OS's are 100% correct to tout
>>>>>>> that as a major, MAJOR advantage. It's not their fault that MS
>>>>>>> users see it only as a binary operation, and can't tell the
>>>>>>> difference between high risk even with costly and CPU-sucking
>>>>>>> AV/anti-malware products running constantly, and minimal risk
>>>>>>> even without third-party "protection".
>>>>>>>
>>>>>>> Even Paul Thurrott, one of the biggest MS apologists on the
>>>>>>> planet, had this to say about it:
>>>>>>>
>>>>>>> "It's not hard to secure a PC. But you do have to secure a PC. I
>>>>>>> don't secure my Macs. But I don't have to secure my Macs. There's
>>>>>>> something to be said for that. Anyway, I just felt this needed to
>>>>>>> be said. There are plenty of good reasons to use a PC, and
>>>>>>> certainly Windows Vista fixes a lot of problems. But Macs are
>>>>>>> more secure than PCs. Obviously."
>>>>>>
>>>>>> You are talking about something completely different - real-world
>>>>>> vulnerabilities, which are affected by the popularity of the
>>>>>> target OS.
>>>>>
>>>>> Are you trolling?
>>>>>
>>>>>> I was talking about OS design, and the comment that "..Unix
>>>>>> security has been exhaustively researched by experts for decades."
>>>>>> from the article and how it is beaten into repeated over and over
>>>>>> and Unix and OS X are *more secure OSs*. The number of security
>>>>>> patches, even greater than Windows lately, refutes that. But now
>>>>>> that this is becoming obvious to more, the goal posts are being
>>>>>> moved and we can only talk about real world exploits, and not any
>>>>>> inherent level of security in the OS itself.
>>>>>>
>>>>>> Steve
>>>>>
>>>>> The goal posts were ALWAYS based on real-world attacks until
>>>>> recently. Indeed, it's the only measure that makes any sense.
>>>>> MS-defenders moved them very recently to counting patches in a
>>>>> desperate attempt to paint UNIX as just as unsecure as their OS.
>>>>> "Look, we issue patches, they issue patches. It's just the same!"
>>>>> Please.
>>>>>
>>>>> A few years ago no one gave a *** about how many patches there
>>>>> were, they only cared (rightfully) about if their system was
>>>>> actually exploited or not. Sheesh. This should be blindingly
>>>>> obvious.
>>>>>
>>>>> Besides, why would you think that since UNIX has been reviewed for
>>>>> decades they should somehow be "done", and never need another
>>>>> patch? At least I think that's what you're implying. That's silly.
>>>>> The OS is updated with features and functions all the time, new
>>>>> exploits can be identified and patched. So?
>>>>>
>>>>> As for the "popularity of the target OS", that's a crock. "Security
>>>>> by obscurity" is yet another ridiculous tack for MS-defenders, and
>>>>> makes no more sense than counting patches. First, it acknowledges
>>>>> that UNIX-based system exploits are extremely rare compared to
>>>>> Windows (which kind of refutes the "patch count" argument), but
>>>>> attempts to explain it away by saying there aren't enough UNIX
>>>>> systems to bother with. Heh. Tens of millions of UNIX systems
>>>>> (there are over 20 million OS X systems alone) is plenty. With so
>>>>> much to choose from you go for the easy target. This is common
>>>>> sense. Windows is without question the easy target.
>>>>>
>>>>> All that matters is results, the number of real-world attacks is
>>>>> the only meaningful measure. It makes it clear the security risk
>>>>> one takes with a given platform, and that's what a potential user
>>>>> should be considering. The goal post moving has all been MS
>>>>> whitewash, and trips over itself anyway.
>>>>
>>>> So then you would agree that Windows Vista is as secure as OS X?
>>>>
>>>> Steve
>>>
>>> By real world results? Well, for Vista there's the Animated Cursor
>>> exploit. That's 1. Are there others? For OS X 10.4.9 I don't think
>>> there are any (in fact, I'm not sure there are any in the wild for
>>> Tiger at all).
>>>
>>> So Vista is already not as secure as OS X. Cheer up, it's likely the
>>> closest the two OSes will ever be.
>>>
>>> Will there be other vulnerabilities in Vista, yes I think so. It
>>> will be fun to watch to see what happens in the next year and how
>>> things measure up a year from now.
>>
>> But the Windows Animated Cursor exploit was fixed, so it's no longer
>> a vulnerability. (And on Vista was even less so due to the default
>> IE7 Vista-only protection that protected one from the exploit)
>>
>> Steve
>
> Was it in one of the Tuesday patches? I wasn't sure.
>
> As for Vista vulnerability being "less so", Microsoft makes no such
> claim in its security bulletin (MS07-017). It lists Vista right up
> there with 2000, XP, etc. I think Vista's inclusion was why this item
> got so much press in the first place.

I think I should have said "And on Vista was even less so due to the
default IE7 Vista-only protection which *could* have protected one
from the exploit."

http://news.com.com/8301-10784_3-6174488-7.html

MS07-017 covers multiple items, not just the animated cursor issue,
and there was one other item there for Vista, so there have been two
Vista patches so far.

http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx (see
Vulnerability Details and the actual file contents for the XP fixes
versus Vista. It seems they particularly make it hard to see the
differences)

The animated cursor patch was released out-of-band the day after it
was discovered but was re-released a couple of times because it broke
some other things.

Steve