The Active Network
  Linux vs. Windows Viruses
Time: 10:02 EST/15:02 GMT | News Source: The Register | Posted By: Todd Richardson

Opinion: To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it, writes SecurityFocus columnist Scott Granneman.

We've all heard it many times when a new Microsoft virus comes out. In fact, I've heard it a couple of times this week already. Someone on a mailing list or discussion forum complains about the latest in a long line of Microsoft email viruses or worms and recommends others consider Mac OS X or Linux as a somewhat safer computing platform. In response, another person named, oh, let's call him "Bill," says, basically, "How ridiculous! The only reason Microsoft software is the target of so many viruses is because it is so widely used! Why, if Linux or Mac OS X was as popular as Windows, there would be just as many viruses written for those platforms!"


  Displaying Comments 1 through 25 of 249
#1 By 135 (209.180.28.6) at 10/8/2003 10:53:20 AM
Mr. Granneman is wrong. I already responded to this on slashdot in detail.

The core of his argument is twofold:
#1. Linux is really super hard to use, and because of this users will never use Linux, so that means Linux is safe. (Yes, you heard that right)
#2. Even if a virus does infect your computer, the worst that can happen is it deletes all your personal files... At least the OS survives, and that's what is important!

It's another example of some yutz from the academic world not understanding computer usage in home and business.

#2 By 2332 (216.41.45.78) at 10/8/2003 11:43:47 AM
Oh boy... I was hoping this moron's article was gonna get posted here so I could put the smack down.

And here we go....

"Sure, there are Linux viruses. But let's compare the numbers."

Nobody claims that there are as many Linux viruses as Windows viruses. That would be dumb. The commentary about the "numbers" is pointless and only meant to distract from the actual issue at hand: is Linux less susceptible to viruses because it's Linux, or because of the number of users it has, or because of the kind of users it has, or a combination of all three?

"It's true that those two operating systems do not have monopoly numbers, though in some industries they have substantial numbers of users"

Sigh... sorry buddy, nice try though. There are probably a billion people running Windows. There are maybe a few million running Mac OS or Linux. Yes, that includes servers.

"these Unix-based OS's will never experience all of the problems we're seeing now with email-borne viruses and worms in the Microsoft world. Why?"

Nice. We have both the assumption that he is correct AND the logical fallacy of begging the question... all in one sentence! Good job.

"First, look at the two factors that cause email viruses and worms to propagate: social engineering, and poorly designed software"

Interesting. Since stupid people are more easily "socially engineered", and there are MANY more Windows users than any other OS, doesn't that also mean there are MANY more stupid Windows users than there are users of other OS's? Doesn't this kind of prove the OPPOSITE of his point? I'm sure there are plenty of stupid Mac OS users, and more than a few stupid Linux users, but, again, the user base is so small it makes them an unlikely target.

"It's easy to run executables in the Windows world, and users who get an email with a subject line like "Check out this wicked screensaver!" and an attachment, too often click on it without thinking first, and bang! we're off to the races and a new worm has taken over their systems"

It's just as easy on the Mac. In fact, it's considerably harder to tell if a program is executable on the Mac because that information is hidden inside the file itself. So I can send you something that seems like it's a picture, and the only way you find out that it's not a picture is either by its icon (which can be changed), or by running it.

Continued on next post...

#3 By 2332 (216.41.45.78) at 10/8/2003 11:44:17 AM
Continued from previous post...

"Even worse, Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email!"

Well, Outlook Express is not Windows and has nothing to do with Windows Security. The fact it has bugs says nothing about Windows itself. I can write a buggy application for Linux or the Mac that does the exact same thing, and, in fact, there are plenty of buggy mail apps for both platforms that would allow bad guys to break stuff. Again, application security is a separate issue.

"And though Microsoft's latest versions of Outlook block most executable attachments by default, it's still possible to override those protections."

Ah, ok. So it's fine that Linux makes it hard to run programs. That extra step makes Linux more secure. But when Microsoft forces you to take extra steps to open executable attachments, steps that are much more difficult than they are on Linux, it's still not good enough. "Linux is more secure because it's harder to use." I got an idea, let's make it so that people have to do calculus to get a program to run! That will make Windows really secure!

"Further, due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system"

True, but alas, Red Hat and Mac OS make the first user created on the system an admin. Has this guy ever even used these OS's?

"He could damage his /home directory, but that's about it."

This, by the way, is the only directory most people care about. They can always reinstall their OS (or get somebody like me to do it for them), but if they lose their documents, e-mail, etc, then they're pissed.

"And since Linux users are taught from the get-go to never run as root"

Ah, so now it's education, not the OS, that makes an OS secure?

"and since Mac OS X doesn't even allow users to use the root account unless they first enable the option"

Um... wrong. First user created on the OS is an Admin.

"Windows XP, supposedly Microsoft's most secure desktop operating system, automatically makes the first named user of the system an Administrator"

As do Red Hat and Mac OS X! What's the matter with this guy?

"The reasons for this decision boggle the mind"

Well, maybe your mind... but it's pretty simple from my point of view. Windows is designed for the masses, and the masses want to be able to use their computer without having to worry about security. This is obviously part of the problem, and I certainly don't advocate running as admin, but it hardly boggles the mind.

Continued on next post...

#4 By 2332 (216.41.45.78) at 10/8/2003 11:44:47 AM
Continued from previous post...

"On a Windows system, programs installed by a non-Administrative user can still add DLLs and other system files that can be run at a level of permission that damages the system itself"

Um, no, they can't.

"Even worse, the collection of files on a Windows system - the operating system, the applications, and the user data - can't be kept apart from each other"

C:\Windows\ = System files.
C:\Windows\System32 = System files.
C:\Program Files\ = Applications
C:\Documents and Settings\UserName = User data.

What is this guy talking about?

"The final reason why social engineering is easier in the Windows world is also an illustration of the dangers inherent in any monoculture, whether biological or technological"

HAHAHAH. Ok. I love it. He starts off by saying that Microsoft's popularity is not the reason it is more affected by viruses. Yet he directly contradicts that point right there. There are tons of e-mail programs available for Windows, yet people only seem to target Microsoft's. Why? There are plenty of holes in those other applications too! They target Microsoft's because MOST PEOPLE USE MICROSOFT'S SOFTWARE, not the other guy's!

"Linux runs on many architectures, not just Intel, and there are many versions of Linux, many packaging systems, and many shells"

Hmmm. Mac OS only runs on Apple everything. It only comes with Apple everything. It has a very limited set of packaged software that almost everybody uses. Why isn't that targeted?

"Outlook Express and Outlook both use the consistently-buggy Internet Explorer to view HTML-based emails. As a result, a hole in IE affects OE. Linux email readers don't indulge in such behavior, with two exceptions: Mozilla Mail uses the Gecko engine that powers Mozilla to view HTML-based email, while KMail relies on the KHTML engine that the Konqueror browser uses"

Wait. Huh? Is it me, or did the guy just say it was bad to integrate, then give a free pass to two of the most popular e-mail readers on Linux for doing the exact same thing? If it's a flawed design for Microsoft, it's a flawed design for Linux, too.

"But Linux and Mac OS X establish a more secure footing than Microsoft Windows"

Considering both Linux and Mac OS X have had MORE SECURITY VULNERABILITIES than Windows this year, I would say this entire article proves the opposite of his point. The other OS's are more vulnerable, yet are exploited less. The only explanation for that is the fact that more people target Microsoft products because of their popularity.

#5 By 7754 (216.160.8.41) at 10/8/2003 1:12:43 PM
bjd145--sigh. Same here. It seems that a lot of vendors just assume you run your end user accounts with administrator-level permissions. How long will it be before they get it? This raises another point that I think is lost on many people--particularly the general media. If you have a hole in your 3rd party app, it matters little how secure the OS is. For all their troubles, Microsoft is paying attention to security. I can't say the same for some of the other software vendors I've seen.


#6 By 3339 (66.219.95.6) at 10/8/2003 1:23:59 PM
"Well, Outlook Express is not Windows and has nothing to do with Windows Security. The fact it has bugs says nothing about Windows itself. I can write a buggy application for Linux or the Mac that does the exact same thing, and, in fact, there are plenty of buggy mail apps for both platforms that would allow bad guys to break stuff. Again, application security is a separate issue."

Running executables without even opening an email is not a BUG. It was a great big FEATURE!! It has everything to do with Windows security because the feature requires Windows FUNCTIONALITY to exist.

"Ah, ok. So it's fine that Linux makes it hard to run programs. That extra step makes Linux more secure. But when Microsoft forces you to take extra steps to open executable attachments, steps that are much more difficult than they are on Linux, it's still not good enough. "Linux is more secure because it's harder to use." I got an idea, let's make it so that people have to do calculus to get a program to run! That will make Windows really secure!"

No, the point is: you can't take extra steps in Mail (OS X) and the standard Linux mail apps to allow executables to execute on their own. There is no option to turn it on. MS got burned by this several times and still wants to offer it as a feature.

#7 By 13997 (68.7.81.55) at 10/8/2003 1:46:26 PM
jdl:

"Have you ever used Mac OS X, RMD? If you did, then you would know that Mac OS X's admin-level account is not a root account. The admin account is a special level, lower than root and higher than a "normal" user level; the admin account allows the user to change specific settings (e.g. Internet, energy, etc. settings) and preferences, but is definitely not the same as a system-wide accessible root account."

"Um... wrong? True, the first user created in Mac OS X is an admin-level account: however, and again, it is not a root account. It is true that the root account is factory disabled unless specifically enabled by an admin."

"Um... wrong. (in concept). Mac OS X's administrator account is roughly equivalent to the Power User level in Win2k+. Win2k+'s administrator account is equivalent to Mac OS X/*nix's root account, with system-wide accessibility for the user and programs."


Ok have you used Windows? Do you understand the concept of the Administrator Account and the variations of the ACL in Windows and security in OSX or Linux as compared to the root and user and process permissions between the different architectures?

If you did, you would also notice that a Windows 'Administrator' is STILL Restricted from performing many operations that are ALLOWED with root access on MacOSX or Linux.

It is NOT a FULL Root level account, as NO USER in Windows gets that power without taking it directly from the SYSTEM.

So comparing the Windows Administrator account to the 'ROOT' level account in Linux or OSX is a misnomer. The Windows Administrator Account is closer to par with the OSX Admin level account than it is to a true Root account.

If you don't believe me, log in as an administrator and try to delete files from the System32 folder, or replace Windows System files with an arbitrary file. It will NOT let you do it, unless you specifically set out to circumvent this protection.

A 'ROOT' account on MacOSX or Linux can modify and change ANY system file or setting, a Windows Administrator has to specifically give themselves the permission to do so, and then be subjected to several warnings before being able to modify files or settings in this 'realm' of the OS, so that the casual users can't simply screw up the OS.

From all this it is evident people just DON'T get the Windows NT security model. Instead they try to wrap their mind around it by comparing it to a *nix model or other authentication model. NT's Security Model extends far beyond the *nix concepts of users and limited user roles. Not only are users and accounts managed by the NT security mechanism, but EVERY PROCESS must ask for security permissions, take the token to modify and then give it back for EVERYTHING the process does or is allowed to do, even drivers that function at Ring 0 level have to do this. NT has an OBJECT Based Client/Server security model.

NT Security model, that even after 15 years of being a better OS theory of engineering for security and managing the security of processes and programs within a system, is still only seen in a handful of modern OSes, and OSX and Linux are not ones that use this 'newer' security theory model - instead sticking to an aged *nix model.


This post was edited by thenetavenger on Wednesday, October 08, 2003 at 13:48.

#8 By 3339 (66.219.95.6) at 10/8/2003 2:34:25 PM
"It seems that a lot of vendors just assume you run your end user accounts with administrator-level permissions."

Including Microsoft which is the problem. They FINALLY introduced "Run Install As Other User..." but they didn't do the same for such things as ODBC Data Sources (It's hilarious--you can sit there and create data connections all day but nothing happens... Why? Because you don't have local or system admin rights. But does the wizard tell you the connection wasn't created? No. Does it prompt you for an admin password BEFORE creating a connection? No.)

Run a Win Media update... it will go through most of the installation process before checking to see whether the user has the appropriate rights to complete the install... Why? Because Microsoft assumes and prefers that every user has at least local administration rights.

#9 By 135 (209.180.28.6) at 10/8/2003 2:49:24 PM
From now on when we are going to discuss Linux versus Windows, I think it would be prudent for us to deal with the current state of the software... not something 5 years old.

I'm not going to respond to ignorant comments such as sodajerk's that don't take this into account. I mean how can you accuse a company of not learning a lesson that they clearly have learned and have implemented?

Anyway, back to the point. Mr. Granneman shouldn't be writing about security as he clearly does not know what he is talking about.

#10 By 7754 (216.160.8.41) at 10/8/2003 2:56:20 PM
sodajerk, in Outlook 2002--or earlier versions with the security update--you can't execute a file attachment by default. Yes, you can circumvent the system--if you have the appropriate rights and permissions--just as you can find a way to execute the file on a Linux or OS X box. But with Exchange, you can control what types of files can be opened from a central location, which I think is preferable from an administrator/maintenance standpoint.

Run install as another user has been there from Windows 2000 onward, so it's been around for awhile. You can do it for ODBC connections as well--hold the shift-key when right-clicking on the applet, and you'll see the Run As... option. I wouldn't want my users trying to create an ODBC connection on their own (and I'd like to know if they tried, actually). If this is something you need your users to do, you could give them that right through Group Policy. I wouldn't want them running Windows Update, either. It's an inconvenience to the end user--and rightly so. It's common knowledge that security and functionality are often at odds. If OS X or RedHat allow their update utilities to run under non-admin accounts, I think that's a flawed approach. Consistency among systems goes a long way towards reducing support costs, and these protections in Windows are a great asset to administrators.

#11 By 135 (209.180.28.6) at 10/8/2003 3:03:27 PM
BTW. For the people arguing about root accounts...

You've missed the point. The same security concepts as are used in Linux, OS-X, etc. all apply to Windows. The choice of whether to run as root/admin/whatever is the same. It is a choice made for convenience, but in organized environments such as businesses the convenience equation is different. End-users do not typically run as local admin.

However, regardless... local admin doesn't give you network domain admin rights, and the security risk isn't that great.

If a virus infects a machine, having local admin won't make the virus any more powerful, it just means that in addition to blowing away the local user files, it can also destroy the OS.

For an end-user, destroying the local user files, which may constitute say 7 years of financial history in Quicken is disastrous. Blowing away the OS can be restored in a few hours.

So this argument is really quite nonsensical.

#12 By 3339 (66.219.95.6) at 10/8/2003 3:08:43 PM
bluvg and soda, I don't see how my comments are not in accord with the issue. Yes, Outlook 2002 does take it into account (executables without reading) but you can still enable it. Linux and OS X do not allow this at all. And my comment was primarily aimed at RMD's comment that it was a bug that was fixed. This is not so at all--it was an intended feature and it is still an enable-able feature despite the fact that it is primarily a security flaw.

Bluvg, thanks for correcting me on the Run as being in 2000, but this doesn't negate my point. When creating connections there is no prompt that you do not have the right permissions nor is there a prompt after creating a FALSE connection because you do not have the correct rights. And there are a number of Windows installs which begin before asking for permission.

As for OS X or Red Hat, no, not at all can you run installs with non-admin accounts. Moreover, you will always be prompted before the installation begins. This was the point. Their approach is better. It is based on a model where all such operations require and expect admin accounts whereas the MS model actually hopes and assumes you are already running an account with administrative rights. Which was why I was responding to bluvg's comment that 3rd party vendors do not have the right mindset -- neither does MS.

#13 By 1845 (12.209.152.69) at 10/8/2003 3:20:08 PM
"Their approach is better. It is based on a model where all such operations require and expect admin accounts whereas the MS model actually hopes and assumes you are already running an account with administrative rights."

Um, so where the check occurs determines whether the programmer was hoping and assuming vs. requiring and expecting? You are reading just a tad too much into this, I think. No, in fact, you are making it up. You have no idea what was being hoped for or assumed. You don't know that it was just the lazy act of a programmer that caused the check to be where it is. You don't know that the programmer didn't expect the user to read the readme info which says you must be an admin to install. You, in fact, don't know. Moreover, the application procedure for a single application does not necessarily reflect the direction of the entire company.

#14 By 7754 (216.160.8.41) at 10/8/2003 3:39:36 PM
sodajerk, re Outlook 2002 (and previous versions with the security update), you can't enable it if you don't have the correct rights and permissions. In a business, you would likely disable this. At home, if the person has gone to the trouble of figuring out how to disable it, they almost surely know why they are doing it and understand the consequences. In certain scenarios, you would want to enable .vbs files for execution, for example, but you'd have to enable it. Good firewalls work the same way--they're closed by default, then you decide what you open. That's not a security flaw.

As for the Run as issue, I think you're right that it should prompt you that the connection has not been created. However, I can't think of too many end users that would go into the ODBC applet. What really should have been done in your environment is to hide it for non-administrators via Group Policy.

As for the right mindset with Microsoft towards admin accounts, I disagree, and I think your comments disagree with you as well. You CAN'T run Windows Update, you CAN'T create ODBC connections, etc.--unless you're an administrator. Those functions require and expect admin accounts. It is the same approach. But, it's much more flexible and easy to administer with Group Policy, which allows you to restrict or allow with significant granularity according to your environment and your needs. The problem I'm talking about is not with administrative applications--which are blocked and rightly blocked--but end user apps that require administrative rights and permissions. Microsoft has the correct idea, but the 3rd parties often do not.

#15 By 1845 (12.209.152.69) at 10/8/2003 4:27:32 PM
kernel32, so far as I am aware the only way to auto invoke an attachment is via some IE/OE/OL exploit. If it is possible, it is a bug.

#16 By 3339 (66.219.95.6) at 10/8/2003 4:43:14 PM
"Um, so where the check occurs determines whether the programmer was hoping and assuming vs. requiring and expecting?"

No, what I am saying is that I have never seen an app in Linux or Mac OS X that doesn't request the password before installing whereas I routinely come across Wintel apps, including many of Microsoft's own apps, that begin the installation process whether or not the right permissions are available. I think this very simply is MS assuming that local rights are available.

#17 By 135 (209.180.28.6) at 10/8/2003 4:48:35 PM
sodajerk - "I don't see how my comments are not in accord with the issue. Yes, Outlook 2002 does take it into account (executables without reading) but you can still enable it. Linux and OS X do not allow this at all."

What do you mean Linux and OS X do not allow this at all?

Do you have any bloody clue how Unix works? I could EASILY write an email program in either Linux or OS X which would allow a user to open an executable sent to them and execute it. There is NOTHING inherent to Unix which prohibits this. It's simple... save to disk, chmod +x on the file, and launch. That's it.

"As for OS X or Red Hat, no, not at all can you run installs with non-admin accounts. Moreover, you will always be prompted before the installation begins. This was the point. Their approach is better."

What? You don't think I can install software as non-root? Have you never used Unix? How many Unix experts do you know that don't have a ~/bin directory with their favorite utilities in it?

Again, I think you are beating a dead horse. You're complaining about social issues, not technological and the reason the social issues exist in Windows is for the same reason why Windows is used by more people than Linux.

You want Linux to be adopted... well you implement the same choices, as Lindows has done. Once you've done that, your vaunted Linux security argument falls to the wayside.

#18 By 3339 (66.219.95.6) at 10/8/2003 4:54:36 PM
"Do you have any bloody clue how Unix works?" Name the fckin email program that allows this? We are talking about REAL products, aren't we? Not hypotheticals! Hypothetically Microsoft could build an app that was secure too! Name the program that features this FEATURE! Name the email application that has actually been VICTIMIZED by this FEATURE! Don't say someone could write an application that has security that is just as pathetic as MS's. That's pretty fckin obvious. The point is: on these two platforms, people don't write or use pathetically designed software.

"What? You don't think I can install software as non-root?" Do you remember what we are talking about. Linux and OS X will not allow infections to spread to root which could affect the system whereas Windows does, right? Any applications not installed as root aren't going to affect root.

"You're complaining about social issues, not technological and the reason the social issues exist in Windows is for the same reason why Windows is used by more people than Linux." What social issues have I raised? I've pointed out the different installation methods, different user privileges, different application features. Sorry, buddy, but these are technical issues and are not social issues.

#19 By 3339 (66.219.95.6) at 10/8/2003 5:07:43 PM
"You've missed the point. The same security concepts as are used in Linux, OS-X, etc. all apply to Windows." No, they are quite different. Even OS X and Linux vary quite a bit.

"The choice of whether to run as root/admin/whatever is the same." No, it is quite different.

"If a virus infects a machine, having local admin won't make the virus any more powerful, it just means that in addition to blowing away the local user files, it can also destroy the OS." Which is substantially more powerful. It can not only affect your files, but the system files, applications, and other users' files. This is not the case in the Linux/OS X model at all. I thought they were the same?

"For an end-user, destroying the local user files, which may constitute say 7 years of financial history in Quicken is disastrous. Blowing away the OS can be restored in a few hours." That's your argument? For real? Ahh, the softies love doing their full reinstalls! What about apps not installed on your ghosted system? Or other system components? What if you don't have a ghost because you're a home user? What about the other users' documents?

In one case, you can only take out one user's docs. In the other, you can take out applications, the system, the user's docs, and other users' docs. Generally speaking, that is less secure. Qualifying with all sorts of bullshit hypotheticals and corporate policies is a pathetic joke.


This post was edited by sodajerk on Wednesday, October 08, 2003 at 18:06.

#20 By 13997 (68.7.81.55) at 10/8/2003 8:10:39 PM
#15 -X-
"In my Windows XP Pro, I just renamed and deleted some dlls in \windows\system32."

If your changes stuck, then they are third party DLLs. Period

If they were Windows System DLLs or files, you may have thought you deleted them, renamed them or copied older version over them, but WindowsXP would have automatically just copied the 'correct' versions back to the System folder. Period.

Read up on the security mechanisms of DLL isolation and protection in WindowsXP. WindowsXP will not let you change system core components, programs or DLLS, period.

The reason it lets you 'think' you can delete the files or replace them is many 'poorly' written third party applications go in and change System DLLs and components. Rather than break the installation or these third party programs, XP employs a system that lets the application (or user in your case) think it was able to delete, copy or rename core files. They just are simply repaired - automatically.

#21 By 13997 (68.7.81.55) at 10/8/2003 8:18:22 PM
sodajerk

"Running executables without even opening an email is not a BUG. It was a great big FEATURE!! It has everything to do with Windows security because the feature requires Windows FUNCTIONALITY to exist."

"Ah, ok. So it's fine that Linux makes it hard to run programs. That extra step makes Linux more secure. But when Microsoft forces you to take extra steps to open executable attachments, steps that are much more difficult than they are on Linux, it's still not good enough. "Linux is more secure because it's harder to use." I got an idea, let's make it so that people have to do calculus to get a program to run! That will make Windows really secure!"


Never, and I repeat NEVER has there been an option, or feature to make an executable run inside an email message, whether it is open or not in Windows Outlook Express or Outlook.

Where do you get this crazy FUD?

The only way to activate an executable via email is to 'open an attachment that is an executable' which the USER has to do. And in Outlook 2000/XP/2003, any 'executable' file extension is blocked (unless an administrator specifically modified the registry or system policy to allow it).

"No, the point is: you can't take extra steps in Mail (OS X) and the standard Linux mail apps to allow executables to execute on their own. There is no option to turn it on. MS got burned by this several times and still wants to offer it as a feature."


Funny, I can think of SEVERAL email applications for both Linux and OSX and System 9 that allow you to open file attachments, whether they are pictures, documents, or executable applications. Again, the USER has to select to launch the attachment.

The final note is that Microsoft Outlook Express was NOT the first Email program to Offer the ability to open attachments from within the email client. In fact, I can find email programs that date back to more than 5 years before Outlook or Outlook Express were ever released that allowed attachments to be opened and accessed from within the email client.

So take your ignorant bloviating rhetoric somewhere else, people here know better.

#22 By 3339 (66.219.95.6) at 10/8/2003 8:27:38 PM
netavenger, Outlook Express AND Outlook certainly allowed the running of executables without opening the attachment. Admittedly, this has been altered now and I by no means use this example to say that it is still a problem; I mention it to demonstrate that there are differences to security models and that MS's has had problems that have never and would never occur on other platforms. (By the way, there are plenty of circumstances it can still occur in Outlook 2002, but since they were clearly trying to prevent the problem this time around, I'll refer to it as a bug rather than as a feature.)

This is not the same thing for Linux or Mac. Certainly you can open an attachment. But that was never the objection I raised, was it?

This post was edited by sodajerk on Wednesday, October 08, 2003 at 20:37.

#23 By 1845 (12.209.152.69) at 10/8/2003 8:45:15 PM
Bugs aside, when did OL or OE allow the running of executable attachments without the user opening it?

#24 By 135 (208.186.90.91) at 10/8/2003 8:55:06 PM
sodajerk - "I mention it to demonstrate that there are differences to security models and that MS's has had problems that have never and would never occur on other platforms."

There is nothing in the Unix security model which prevents a program running in user space from saving a file to disk, changing the execute bit on the file descriptor and then executing that program.

If you are going to continue to claim otherwise, I want some proof. I have my Stevens APUE book here, and I'm willing to look up any API function you care to name to see if it has these restrictions.

Face it, you are just plain wrong.
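
The mechanics argued over in comments #17 and #24, as an added example that is not part of any comment in this thread: a file saved by an ordinary user-space program carries no execute bit, and one `chmod` call by the same user sets it, so an audit of an attachment directory has to look at file content as well as the mode bits. The function names, file names and sample bytes are constructed for this sketch.

```python
import os
import stat
import tempfile

# Leading bytes that mark a file as program content, whatever its name says.
MAGIC = {
    b"\x7fELF": "ELF binary",
    b"#!": "script with interpreter line",
    b"MZ": "Windows PE/DOS executable",
}


def content_kind(path):
    """Return a label if the file starts with a known executable signature."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def has_exec_bit(path):
    """True if any of the user/group/other execute bits is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def save_attachment(directory, name, data):
    """Save bytes the way a mail client would: a plain file, mode 0600."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def audit(directory):
    """Map file name -> (content label, execute bit set) for program content."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        kind = content_kind(path)
        if kind:
            findings[name] = (kind, has_exec_bit(path))
    return findings


def demo():
    """Audit a constructed attachment directory before and after chmod +x."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed samples: a real image header and a script named .jpg.
        save_attachment(d, "holiday.jpg", b"\xff\xd8\xff\xe0 constructed JPEG")
        script = save_attachment(
            d, "screensaver.jpg", b"#!/bin/sh\necho constructed sample\n"
        )
        before = audit(d)
        # The single extra step named in comment #17: chmod +x by the owner.
        os.chmod(script, os.stat(script).st_mode | stat.S_IXUSR)
        after = audit(d)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before chmod", "after chmod"), demo()):
        print(label, result)
```

The execute bit is set by the file's owner without any elevated privilege, which is why the audit reports the content type even while the bit is still clear.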

#25 By 3339 (66.219.95.6) at 10/8/2003 9:06:03 PM
soda, we are talking about companies and the way they design and build their software. Name me Apple's mail program or any Linux mail program shipped by a major vendor that allows this exploit. Please.

As I said, of course, any idiot can design idiotic software. I also said no one does because they consider the security risk. In your little proposal... how does the application begin running in user space in the first place? An application must exist first that indiscriminately runs apps. Could you build such an app? Yes. Would you be an idiot for doing so? Yes. Has Apple or a Linux vendor ever done so? No.

I do not know what the fck you think your point is in saying: "I could write some software for Linux that was so bad that it would have similar exploits to the ones that are known to affect Windows." No sh1t, Sherlock. Now ask the question: why don't people do this (security maybe) AND if they did, would anyone use it AND why are the developers at Microsoft doing it over and over again?

This post was edited by sodajerk on Wednesday, October 08, 2003 at 21:13.
