Re: the exploit that wasn't



Tom Reestman (treestman@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:Xns991ABE2F1EA01treestmanyahoocom@xxxxxxxxxxxxxxxx

Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:462bf810$0$24727$4c368faf@xxxxxxxxxxxxxxxxx

Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:462be784$0$4890$4c368faf@xxxxxxxxxxxxxxxxx

Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing this
drivel in news:462bcdc6$0$4910$4c368faf@xxxxxxxxxxxxxxxxx

Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing
this drivel in news:462b0631$0$1360$4c368faf@xxxxxxxxxxxxxxxxx

Tom Reestman wrote:
Steve de Mena (steven@xxxxxxxxxxxxxxx) got drunk after typing
this drivel in
news:462a664c$0$19452$4c368faf@xxxxxxxxxxxxxxxxx

DanielEran wrote:
And what about the others? Recall that this was a FULLY
patched system.
What about the other what?

The other Mac Book Pro? It was not compromised. There were
two, and only one was given away.

http://www.roughlydrafted.com/RD/RDM.Tech.Q2.07/616874CC-35CE-49D3-B859-C2719B6FF352.html

Instead of discussing what happened at CanSecWest
we just get yet another anti-Microsoft rant,
rehashing the same old tired myths again and again.

Yawn.

Steve

Another knee-jerk dismissal of a RoughlyDrafted article, I see.

How is the following not "discussing what happened at
CanSecWest"?

"...Gohring's article clearly described a local exploit.
There's a big difference between the remote exploits that made
Windows infamous for its insecurity and a local exploit of an
application."
One sentence of news, followed by twice as much
text bashing Microsoft.


"Opening an email URL that exposes a security flaw in Safari
is both news to report and a problem for Apple to tackle, but
reporting it as a remote exploit is inaccurate, irresponsible,
and sloppy journalism, particularly for IDG's InfoWorld, which
purports to be an authority on computing."

I'd say that sums it up nicely, and his taking InfoWorld to
task for its misleading headline is perfectly valid.
Yes, and that's where he should have stopped. But
no....

As for the rest of the article, it goes on to bash Dragos
Ruiu's ridiculous statement (quoted in the IW article)
regarding OS X security, and does so well. It certainly does
not change the accuracy of the above.

Ruiu, as the principal organizer of the conference,
specifically brought Microsoft into a security discussion
about Mac OS X. That was about as dumb as it gets, and left
the door open for RoughlyDrafted to call it for the ridiculous
statement that it is.
We hear again and again how "..Unix security has
been exhaustively researched by experts for
decades." Today I installed Sun Solaris 10 in a
virtual machine (Parallels) just to play with it.
I installed the 11/2006 u3 build. After it was
done it looked for updates and there were about 83
updates, the vast majority (75?) for security issues.

Steve

You do NOT measure an OS' security by how many patches there are
for it. That's ridiculous! And why act as if "secure" somehow
means that everything that ever needs to be patched has already
been patched? No one ever said that. It's yet another
MS-defender artificial construct to detract from what counts.

MS defenders have spread this new way to "measure" security
because they lose (oh boy do they lose!) when measured by the
only criteria that counts: How many real, bona-fide attacks
there have been in the wild. All else is just statistical
chest-thumping by people trying to hide the fact that the
purpose of security is to keep your system from being attacked
in the real world.

UNIX and UNIX-like systems have had something like 700 known
viruses in the wild, and I believe zero malware. MS Windows
systems have had over one hundred thousand, springing up a nine
BILLION dollar industry to keep them at bay. This industry has
become so ingrained in the MS mind-set that such users consider
it "normal". But for other operating systems it is most
certainly not normal. And, yes, those other OS's are 100%
correct to tout that as a major, MAJOR advantage. It's not their
fault that MS users see it only as a binary operation, and can't
tell the difference between high risk even with costly and
CPU-sucking AV/anti-malware products running constantly, and
minimal risk even without third-party "protection".

Even Paul Thurrott, one of the biggest MS apologists on the
planet, had this to say about it:

"It's not hard to secure a PC. But you do have to secure a PC. I
don't secure my Macs. But I don't have to secure my Macs.
There's something to be said for that. Anyway, I just felt this
needed to be said. There are plenty of good reasons to use a PC,
and certainly Windows Vista fixes a lot of problems. But Macs
are more secure than PCs. Obviously."

You are talking about something completely
different - real-world vulnerabilities, which are
affected by the popularity of the target OS.

I was talking about OS design, and the comment
that "..Unix security has been exhaustively
researched by experts for decades." from the
article and how it is beaten into repeated over
and over and Unix and OS X are *more secure OSs*.
The number of security patches, even greater
than Windows lately, refutes that. But now that
this is becoming obvious to more the goal posts
are being moved and we can only talk about real
world exploits, and not any inherent level of
security in the OS itself.

Steve
Are you trolling?

The goal posts were ALWAYS based on real-world attacks until
recently. Indeed, it's the only measure that makes any sense.
MS-defenders moved them very recently to counting patches in a
desperate attempt to paint UNIX as just as insecure as their OS.
"Look, we issue patches, they issue patches. It's just the same!"
Please.

A few years ago no one gave a *** about how many patches there
were, they only cared (rightfully) about if their system was
actually exploited or not. Sheesh. This should be blindingly
obvious.

Besides, why would you think that since UNIX has been reviewed for
decades they should somehow be "done", and never need another
patch? At least I think that's what you're implying. That's silly.
The OS is updated with features and functions all the time, new
exploits can be identified and patched. So?

As for the "popularity of the target OS", that's a crock.
"Security by obscurity" is yet another ridiculous tack for
MS-defenders, and makes no more sense than counting patches.
First, it acknowledges that UNIX-based system exploits are
extremely rare compared to Windows (which kind of refutes the
"patch count" argument), but attempts to explain it away by saying
there aren't enough UNIX systems to bother with. Heh. Tens of
millions of UNIX systems (there are over 20 million OS X systems
alone) is plenty. With so much to choose from you go for the easy
target. This is common sense. Windows is without question the easy
target.

All that matters is results, the number of real-world attacks is
the only meaningful measure. It makes it clear the security risk
one takes with a given platform, and that's what a potential user
should be considering. The goal post moving has all been MS
whitewash, and trips over itself anyway.
So then you would agree that Windows Vista is as
secure as OS X?

Steve


By real world results? Well, for Vista there's the Animated Cursor
exploit. That's 1. Are there others? For OS X 10.4.9 I don't think
there are any (in fact, I'm not sure there are any in the wild for
Tiger at all).

So Vista is already not as secure as OS X. Cheer up, it's likely the
closest the two OSes will ever be.


But the Windows Animated Cursor exploit was fixed,
so it's no longer a vulnerability. (And on Vista
was even less so due to the default IE7 Vista-only
protection that protected one from the exploit)

Will there be other vulnerabilities in Vista, yes
I think so. It will be fun to watch to see what
happens in the next year and how things measure up
a year from now.

Steve

Was it in one of the Tuesday patches? I wasn't sure.

As for Vista vulnerability being "less so", Microsoft makes no such
claim in its security bulletin (MS07-017). It lists Vista right up
there with 2000, XP, etc. I think Vista's inclusion was why this item
got so much press in the first place.


I should point out that just because it's fixed doesn't mean it doesn't
count as an exploit in the wild. I mean, for people who fell victim to it
it's little use that it's fixed NOW. The system was exploited in the
wild, and it counts.

Don't believe past Windows' exploits in the wild somehow no longer count
when "fixed". While I'm sure MS would love to wipe the slate clean with
each new security patch, um, no.

First, for those who got it before it was fixed the damage is done. The
fix is too little, too late except to help assure that that particular
Hell will not occur again. In some cases, that Hell caused a great deal
of lost time and money.

Second, OF COURSE it's going to be fixed after it's been exploited. I
mean, duh! The whole freakin' point of security (which MS only recently
seems to understand) is to keep an exploit in the wild from happening in
the first place. Compared to UNIX-based systems Windows has been pathetic
in that regard.

Maybe Vista truly represents "a new dawn" for Windows security, and a
couple of years from now we'll have statistics to show that post-01/30/07
the Windows-to-UNIX exploit ratio is much closer. That would be great. It
really would. Honestly, I don't think Windows is near that point yet. One
could argue that Vista is only the second concerted effort at addressing
Windows security (XP SP2 was the first) and it'll take more than two
major updates of Windows to flush the weak foundation from underneath.
Vienna closing all ports by default (which I've heard will be the case)
will be a very nice beginning for the third major update.

--
Tom