Want less vulnerabilities - Don't choose Linux and Unix

Status
Not open for further replies.
Oh for the love of...you had to open that can of worms, didn't you?!
 
There's one thing I never understand about comparisons like these. The CERT list contains third-party software listed with the OS. Why should Microsoft, for example, have counted against it the bug "Adobe License Management Service Elevated Privilege Vulnerability"? Microsoft isn't responsible for Adobe's code.

Want the best answers? Ask the best questions!

TANSTAAFL!!
 
These comparisons are accurate...after a fashion. I'm not going to comment on the specifics on why something like the Adobe bug is included (I didn't research it nor have I monitored it at all). I believe they include items that lead to an exploitation of the OS, irregardless of what avenue is used to attack.

Now...if you'd like some bad, bad reading. This same bit of information was posted at ZDnet and has turned into a public flogging of Suzi for posting it...

 
Ahh nothing like a good slanging match, personally I have more important things to worry about, like how do I pay my overdraft?

Stu..

Only the truly stupid believe they know everything.
Stu.. 2004
 
Ya gotta love the religious flamewars. IMHO the only truly invulnerable computer is one that is never turned on. Anything that can actually do anything useful will have vulnerabilities.

We all have to pick our brand of poison then drink it.

On a side note, I've got to agree with the entertainment value of that flamewar. It got particularly infantile.

;-)

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day

"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
<off-topic>
IMHO the only truly invulnerable computer is one that is never turned on.
I once saw a "study" that strongly suggested the only invulnerable computer was one that was not turned on, kept in a locked room that didn't have a key, and was buried in 6 feet of reinforced concrete.
</off-topic>


James P. Cottingham
-----------------------------------------
I'm number 1,229!
I'm number 1,229!
 
"Only the truly stupid believe they know everything"...

... which is why these comparisons that tally the number of reported vulnerabilities are usually pretty meaningless. The number of vulnerabilities in using a particular OS or browser does not necessarily = the amount of risk incurred. The CERT comparison only looks at one metric and does not tally the number of attacks/observed/actual exploits. Who is more vulnerable, a family in a small rural town that doesn't lock their front door or car, because there is no need to, or an urban denizen in a high-crime area that has bars on the windows and multiple locks on every door? You have to step outside sometime.

I'll opt for security-through-obscurity and relying on a motivated community of programmers that fix vulnerabilities on a prompt basis for the love of it, rather than go with a product produced by a company that still treats security like a stepchild, and still to this day, makes the kinds of mistakes listed here...

 
"...and still to this day, makes the kinds of mistakes listed here..."

Take it you're on about Firefox and its vulnerabilities fixed in IE years ago?

Cue flame....
Yawn.....!

Only the truly stupid believe they know everything.
Stu.. 2004
 
Thanks for making my point, but I don't use Firefox.
 
Let's face it, as I say, if you like it, use it; if you don't, don't.

And let's face it, hands up who could write a better O/S than MS? I know I couldn't.

Stu..



Only the truly stupid believe they know everything.
Stu.. 2004
 
When it comes to computer security, what you like can bite you.

Back to the original argument, which was about who had the most vulnerabilities - my argument was that it doesn't matter who has the most, what matters from a computer/network security standpoint (from 20 years of dealing with it) is whether or not those vulnerabilities get exploited.

This is why the customer machines that I fix every week get infected with adware/spyware/viruses/rootkits - because they use MS IE and OLE. Some of the exploits target known vulnerabilities and some target architectural "features" in IE/OLE and Windows (e.g. ActiveX).

The machines that come into the shop running MS Windows and non-MS browsers and emails come in for mostly other reasons. Some might have viruses, but practically none have adware, unless it was bundled with some kind of freeware.

Contrast this with IE, where adware, trojans, etc can be installed "drive-by" without any indication/notification to the user that something nasty was just installed on their machine without their permission. At least Mozilla, Opera, etc ask if you want to install it.

When customers that keep getting reinfected ask me what they can do to prevent future infection, I tell them to stop using IE, and install Firefox or similar, and they never come back with crapware infections.

Bottom line: the whole picture involves # of vulnerabilities vs # of exploits vs # of copies in use. When you do the math, MS is the clear winner at losing the security battle.

 
.....

Changing browsers, eh? I've seen this tactic used before. It does help, but it's not the correct answer here. Why not? Well, there was an exploit (last year, I think) where Firefox could be infected via IE, even if IE wasn't running.

See, security isn't about what you use and what you don't use. Yes, using certain products means you're less likely to be exploited or, at least, the target of a possible exploit. But that's not really true security, is it?

No, true security is locking down the system properly. I use Opera and IE as my browsers, all my systems are Microsoft. How often do I get nailed? I don't...why? Because I've set my system up to make it nearly impossible for infections to hit me.

Now dash in some common sense and we're good to go. What about those lacking in common sense (at least where a PC is concerned)? Well, that would be several people of my family. They haven't been hit since I reconfigured their machine.

Want to secure your system?

NAT Router
Firewall
Run with USER rights only
Antivirus
Antispyware

Really, running with a NAT router and user level rights and a lot of common sense secures you against most threats. The rest are for additional layers of protection.
 
You are thinking of the exploit where a Firefox user was presented with a prompt to install something, and if they did, it would infect IE. Firefox was not infected, and this was erroneously reported in the press as a Firefox exploit, when it was in fact a social engineering exploit.

This is fundamentally different than the drive-by install that occurs with IE, where the user receives no warning whatsoever. So, within that context, it would be Firefox 1, IE, many, many more...

By the way, it is incorrect to say that IE was not running in this case, as it is always running in the background, being used to display Active Desktop and render html emails in Outlook and Outlook Express.

Again, the point of my response was that the number of vulnerabilities is only one metric and not an accurate indication of how likely you are to get whanged. As you correctly indicate, security is a layered thing. Choice of OS and browser will help or hinder your security, irrespective of firewalls and anti-malware software choice.

As far as running with limited rights, this has been a fundamental weakness of MS Windows, which is apparently being addressed (finally) in Vista.
 