Posted on 02/10/2004 2:37:35 PM PST by gdyniawitawa
SEATTLE/SAN FRANCISCO (Reuters) - Microsoft Corp. on Tuesday said a critical flaw in most versions of its flagship Windows operating system could allow attackers to run malicious programs on personal computers.
In its monthly security bulletin, the world's largest software maker warned that Windows NT, Windows 2000, Windows XP and Windows Server 2003 were at risk and offered software updates to fix the flaws, which were given Microsoft's highest severity rating of "critical."
"It does affect all (current) versions of Windows," said Stephen Toulouse, security program manager for Microsoft's Security Response Center. "We're not aware of anyone affected by this at this time."
Marc Maiffret, co-founder of eEye Digital Security, the company that discovered the flaw, criticized Microsoft for taking more than six months to come up with a patch to fix the problem, particularly since the flaw allows an attacker multiple ways to break into a system and to do almost anything they wanted to the system.
"We contacted Microsoft about these vulnerabilities 200 days ago, which is insane," he said. "Even the most secure Windows networks are going to be vulnerable to this flaw, which is very unique."
In response, Toulouse said Microsoft needed to take time to make sure to get the fix right, especially given how pervasive the vulnerability is in the software.
"We wanted to make absolutely sure we were doing as broad an investigation as possible," he said.
Windows users can download the patch for the vulnerability from www.microsoft.com/security.
"The obvious steps to take are to run Windows Update and install the patches to fix the vulnerabilities as soon as possible," said Craig Schmugar, a virus research manager at Network Associates Inc.'s McAfee anti-virus unit.
The latest fixes for Microsoft's software are unrelated to the latest virus attacks by MyDoom and its variants, Schmugar said.
Microsoft switched to a monthly cycle of releasing security updates in order to make it easier for system administrators to keep their software secure and up to date. But the company released a critical update a week ago, ahead of Tuesday's scheduled release, in order to fix a patch in its Explorer Web browser that could make PCs vulnerable to attackers. In addition, Microsoft announced a mid-grade security warning for the latest version of its server products for networked computers.
Two years ago, the Redmond, Washington-based company pledged to make its software products more secure and reliable under an initiative, called Trustworthy Computing, outlined in a companywide memo by Chairman Bill Gates.
But computers running the company's software have been hit by several high-profile attacks, such as the SQL Slammer, Nimda and SoBig attacks.
On Monday, a new worm called "Doomjuice," an offshoot of the MyDoom worm, emerged, which used personal computers compromised by the original MyDoom worm to attack and slow down parts of Microsoft's Web site, according to security experts.
The MyDoom worm, as well as its variant MyDoom.B, were designed to entice e-mail recipients to click open an attachment, which then installed malicious software on a personal computer. The worms then instructed infected PCs to flood the Web sites of the SCO Group Inc. and Microsoft in an effort to shut them down.
Yes it's good news, I like 98SE and was very pleased to hear they'll be keeping up support for it.
Why aren't any viruses being written for the Mac now?
Maybe because Macs aren't vulnerable to viruses?
Oh, that's a good way to get their attention while you protest... send them money but otherwise shun them.
I don't think it's gonna solve anything...
Sorry, no cigar. These "exploits" were LAN only and required that a hostile server exists on the LAN. This is so unlikely a scenario that it is almost beyond the realms of possibility. The exploit was easily fixed by merely turning one default setting from "on" to "off." It did not even require a patch.
Later release CDs of OSX shipped with the default "off."
I kinda like "venerable" better. It brought to mind legions of geezers executing malware willy-nilly... gazing at their monitors through magnifying glasses.
However, even if a user on a Mac launched a malicious program, it still could not access the core system files. 99.99% of Mac users operate their computers in a mode (Administrator or lower) that does not have sufficient access to modify system files (which requires Root access) while 99.9 percent of Windows users are natively running in PC Administrator mode which is the equivalent to Root.
How many platforms determine whether a file is executable based solely on its name?
Saw this thing earlier today. I'm sure everyone appreciates good testing of patches, but six months does seem a bit long....
Well, I was wondering where you were. Welcome.
Shall I resurrect your indignation when Apple allowed (in your words) that "critical" system flaw to continue for about 5 weeks before patching it and compare those 35 days to Microsoft's 200 (28 weeks)?
Several times, and several posters, you have been pointed to articles written by experts in Computer and Network security that have enumerated the superiority of the Macintosh platform over Windows for security and you still sing the same song.
Bush, the insecurities of Mac OS-X are the insecurities of UNIX, one of the most secure operating systems in the world.
Let's talk "venerable" shall we?
Windows in its variations has a history of about 19 years counting from its inception incarnation as a DOS shell named "Interface Manager" renamed to Windows 1.0 before its release in 1985. As a true OPERATING SYSTEM, we should really only give it 9 years when it was no longer really a DOS shell with the introduction of Windows 95 (although it still needed DOS to even get started). Of course, THAT version is not related to the current XP version because that line of Windows was a dead end. Windows XP is based on Windows 2000 (year 2000, age 4) which in turn was based on Windows NT (March 1994, age 10). Over these ten years a comparatively small number of Microsoft Engineers have been overseeing the development and security of Windows 2000 - XP.
On the UNIX (1969, age 35) side, we have an unbroken (although many branched) development since 1969 with legions of developers modifying and improving the code. More people by at least an order of magnitude have looked at the UNIX code and tested and improved its security. Number of years of development = 10.
So, on one side we have the Microsoft OS... maintained by one company, a small group of developers responsible for its proprietary code... and on the other side we have an open-source multi-developer OS... developed by thousands of people working to improve the utility and security of UNIX. Number of years of development = 35.
Which do you think might be more secure?
Let's see what a computer security expert has to say about Linux, OSX, and Microsoft Windows, shall we?
'There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory.'
"So there are far fewer viruses for Mac OS X and Linux. It's true that those two operating systems do not have monopoly numbers, though in some industries they have substantial numbers of users. But even if Linux becomes the dominant desktop computing platform, and Mac OS X continues its growth in businesses and homes, these Unix-based OS's will never experience all of the problems we're seeing now with email-borne viruses and worms in the Microsoft world. Why?"
". . . Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email! Don't believe me? Take a look at Microsoft Security Bulletins MS99-032, MS00-043, MS01-015, MS01-020, MS02-068, or MS03-023, for instance. Notice that's at least one for the last five years. And though Microsoft's latest versions of Outlook block most executable attachments by default, it's still possible to override those protections."
"This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user. Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps. . ."
"due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it. So the above steps now become the following: read, save, become root, give executable permissions, run. The more steps, the less likely a virus infection becomes, and certainly the less likely a catastrophically spreading virus becomes. And since Linux users are taught from the get-go to never run as root, and since Mac OS X doesn't even allow users to use the root account unless they first enable the option, it's obvious the likelihood of email-driven viruses and worms lessens on those platforms.
"Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior. Windows XP, supposedly Microsoft's most secure desktop operating system, automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. . . "
". . . Even if the OS has been set up correctly, with an Administrator account and a non-privileged user account, things are still not copasetic. On a Windows system, programs installed by a non-Administrative user can still add DLLs and other system files that can be run at a level of permission that damages the system itself. Even worse, the collection of files on a Windows system - the operating system, the applications, and the user data - can't be kept apart from each other. Things are intermingled to a degree that makes it unlikely that they will ever be satisfactorily sorted out in any sensibly secure fashion."
and finally:
"Security is, as we all know, a process, not a product. So when you use Linux (Or UNIX, or OS-X - Swordmaker), you're not using a perfectly safe OS. There is no such thing. But Linux and Mac OS X establish a more secure footing than Microsoft Windows, one that makes it far harder for viruses to take hold in the first place, but if one does take hold, harder to damage the system, but if one succeeds in damaging the system, harder to spread to other machines and repeat the process. When it comes to email-borne viruses and worms, Linux may not be completely immune - after all, nothing is immune to human gullibility and stupidity - but it is much more resistant. To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. I know which one I'll trust. How about you?"
Me, I chose UNIX based Macintosh OS-X.3 Panther.
I really like this quote:
To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it.
It is inclusive of OS-X. By the way, the Macintosh virii referred to are Macintosh Classic viruses, affecting OS-9.2.2 and below, not OS-X. OS-X would be susceptible to the Unix virii.
The ACTUAL portion of the post above including the link to the article as originally written (except for an omitted quotation mark):
Let's see what a computer security expert has to say about Linux, OSX, and Microsoft Windows, shall we?
Linux vs. Windows Viruses
by Scott Granneman, SecurityFocus,
The Register (UK).
June 10, 2003.
That's the link to the entire article. Here are some quotations from the article:
"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it, writes SecurityFocus columnist Scott Granneman."
"According to Dr. Nic Peeling and Dr Julian Satchell's Analysis of the Impact of Open Source Software . . .
Odd, they built within the last year or so, an Apple store in an upscale mall here in Indy. Seems to be doing a good business. Strange, for a product nobody uses or cares about.