OpenSUSE Linux Rants

OpenSUSE Linux Tips, tricks, how-tos, opinions, and news

My Resume  -  My LinkedIn Profile

September 21, 2006

Windows Security is a Myth (and here’s proof)

by @ 9:50 am. Filed under General Linux, My Opinion, War

All those rumors you heard about me getting abducted by a Mini Cooper full of four dozen circus clowns are simply not true.

School, though greatly edifying, is a resource hog (kind of like Windows).

Speaking of Windows, I haven’t gotten my punches in yet, this month. Well, I haven’t done much of anything this month with the blog, but I’ll tell you what, I’ve been super busy with 40 hrs/week at work and 16 credit hours at school. Night before last, I did 5 1/2 hours of homework, and now I’m all caught up. Go me.

Alrighty, I had better get to the point here before I get sidetracked yet again.

I was reading my daily RSS feeds when I came across this article called “IE Vulnerability Spreads To Email.” This article describes, in a nutshell, one of the major reasons that you’ll never see Windows on any of my machines. Here are a few of my favorite quotes:

“The VML exploit found earlier this week could prove to be a severe problem because it can take initiative without requiring any action on the part of the user. But so far Microsoft does not appear to be a big rush to fix the problem.”

Imagine that. Microsoft doesn’t care. I cannot install an operating system created by a company I don’t trust (and research has found that almost no one does).

“A security update is now being finalized, but at this point, Microsoft plans to release it as part of its October security updates on October 10, three weeks away. A Microsoft spokesperson confirmed late Wednesday when asked by internetnews.com that the fix would come next month, not sooner.”

“Microsoft has dragged its feet on exploits before. When the WMF virus was found in late December, Microsoft was initially slow to release a fix but eventually did so ahead of schedule due to customer pressure.”

So what do people do until then? Essentially, Microsoft is just saying that you’ll just have to run around with your pants down, with your wrists handcuffed to your ankles.

This is a perfect example of why Microsoft is only interested in revenue, and not the well-being of their customers. They don’t like to do anything that will cost them money (such as developing fixes for security holes in their software) unless it will cost them more money (lost revenue because they get a horrible reputation) not to.

“I expect over the next week there will be an exponential growth in the number of Web sites using this to push malware (define) on people,” he said. “It can be worse than the WMF virus because you couldn’t exploit WMF through email. All it takes is a couple guys with spam and the bad guys have a very efficient delivery system with these bots.”

Windows users are SCREWED.

“Originally, the virus was found on porn Web sites, but the iDefense team at VeriSign has found code that can be executed within an email client; all you have to do is use the preview function in an email client, you don’t even have to open the letter or click on a link, the most common means of infecting a computer.”

“According to Ken Dunham, director of the Rapid Response Team at iDefense, email is rendered in Outlook with Internet Explorer. That’s how it handles scripts and embedded code, like HTML. When you preview it, the hostile code can execute and hit the VML problem.”

Zero user interaction, huh? All you have to do is read your email? Better call everyone you know and tell them not to use their email for the next month (unless they’re on Linux or Mac). This type of vulnerability is the very definition of poorly-written software. This kind of exploit has absolutely no reason for existing. Please, if anyone knows of a vulnerability that is of this degree that is as easy to exploit as this one is that has been found in Linux, please leave me a comment and point me to the bulletin for it or something. This is a perfect example of when I say that Linux is more secure than Windows, that’s because it is.

“And Dunham said this code is spreading among underground virus sites quickly. ‘The exploit code is out there for people to copy, paste and start using. It’s trivial to leverage and reproduce. When it’s popularized and easy to do, it’s trouble,’ he said.”

“The VML exploit is a buffer overflow that allows for remote code execution, and in this case, it’s being used to download multi-stage, multi-chain attacks using a program called WebAttacker toolkit.”>

“Dunham said in one case, WebAttacker installed 73 files, including 15 executables, taking up 12 megabytes in size. It installed everything from proxies to dialers to keyloggers to spyware.”

“Sites also thinks this virus could be as nasty as WMF, if not worse. ‘Just looking at an email means you can be exploited. So things can escalate very quickly,’ he said.”

“The WebAttacker toolkit was created by the same hackers that found the VML exploit, said Sites, and now more than 1,000 use this kit.”

Windows users are SCREWED.

The article points to the Sunbelt blog for a way to fix it. Basically this entails removing the part of the operating system responsible for the security black hole.

Please encourage people to use Linux when possible. This kind of crap just doesn’t happen in Linux.

8 Responses to “Windows Security is a Myth (and here’s proof)”

  1. Scott Morris Says:

    Heh, I will be surprised. That said, you have a good point.

  2. Jason Bunting Says:

    “This kind of crap just doesn’t happen in Linux.”

    Oh, but when it does, I hope you are not surprised. Don’t underestimate the ability of those that wish to do harm to others, they always seem to find a way of getting around things…

  3. St. Louis CofCC Blogmeister Says:

    When someone cracked Microsoft’s DRM, Microsoft had a patch/fix in THREE DAYS. When you said Microsoft is more interested in revenue than anything, the fact that MS got out a DRM patch in 3 days, when it takes months for them to patch IE/OE/Windows, is b/c they don’t want to hurt their financial dealings with record labels/RIAA/media giants.

  4. Viktor Says:

    “That kind of crap just doesn’t happen in Linux”

    Even if it does happen in Linux, the entire system will not be compromised. The only damage that can happen is up to what the current running user has priviliges to do – good luck installing!

    Why on earth would you be running IE and Outlook on Linux? And really, don’t you have better things to do than look at porn sites? 😛

    But I completely agree with Microsoft’s deliberate slow reaction – and I dare say, in the open source community, that would have been fixed within hours. It just reminds me of Microsoft’s “Get the Facts” and how Windows systems had (supposedly) lower TCO with security, timing patch times from Microsoft and . . . . I actually don’t know WHO was meant to be the ‘one-vendor’ for this particular Linux system.

  5. Archeious Says:

    “Even if it does happen in Linux, the entire system will not be compromised. The only damage that can happen is up to what the current running user has priviliges to do – good luck installing!”

    I hate to be the one who defends MSFT but it is the same with this exploit. Granted most people run as a local admistrator. This exploit does not elevate priviledges. This is the reason I don’t allow my users to be local admins. If you beleive all products in a linux distro are totally secure is foolhardy. FYI MSFT has also given a list of workarounds.

  6. Voglia di Linux Says:

    Petto nudo per tre settimane…

    Una nuova chefalla di sicurezza denominata VML exploit colpisce Interner Explorer ma anche Outlook Express. Microsoft per tappare preferisce di aspettare il famoso secondo Martedì del mese. Di Ottobre. Aumenterà la voglia di linux. (Nel primo link un…

  7. Viktor Says:

    The main reason why about, a guess, 90% of all current Windows users that run in Administrator all the time is – hardly anything works if your not.

    Try running Unreal Tournament 2004. Try Battlefield 2. Infact, any modern game simply does not run unless you are an administrator. (I can only think of games for now 😛 )

    But regardless of how this exploit is used, waiting 3 weeks for a fix is not reasonable. Any update on this?

  8. Jeshua Says:

    I completely aggre, I got Vista RC1, it is a piece of junk, and yet next year everyone will buy it!

OpenSUSE Linux Rants
Official OpenSUSE Linux Site

internal links:

categories:

SUSE Resources

search blog:

archives:

August 2022
S M T W T F S
« Feb    
 123456
78910111213
14151617181920
21222324252627
28293031  

60 queries. 0.359 seconds