IMPORTANT: WMF Vulnerability Exploited

This is a good insight on this topic as well....

How is it that OpenBSD is able to be so secure by design with so few resources and yet all of Microsoft's resources cannot stem the tide of security problems that impact everyone, including those of us who do not use Microsoft programs?

Nash: First, I should say that OpenBSD includes a relatively small subset of the functionality that is included in Windows. You could argue that Microsoft should follow the same model for Windows that the OpenBSD Org follows for their OS. The problem is that users really want an OS that includes support for rich media content and for hardware devices, etc. So while OpenBSD has done a good job of hardening their kernel, they don't seem to also audit important software that is commonly used by customers, such as PHP, Perl, etc., for security vulnerabilities. At Microsoft we're focusing on the entire software stack, from the Hardware Abstraction Layer in Windows, all the way through the memory manager, network stack, file systems, UI and shell, Internet Explorer, Internet Information Services, compilers (C/C++, .NET), Microsoft Exchange, Microsoft Office, Microsoft SQL Server and much, much more. If a software company's goal is to secure customers, you have to secure the entire stack. Simply hardening one component, regardless of how important it is, does not solve real customer problems.

Second, it is not completely accurate to say that OpenBSD is more secure. If you compare vulnerability counts just from the last 3 months, OpenBSD had 79 for November, December and January compared to 11 for Microsoft (and that includes one each for Office and Exchange - so really 9 for all versions of Windows). I encourage you to look at the numbers reported at the OpenBSD site to verify that this is true.

http://interviews.slashdot.org/article.pl?sid=06/01/26/131246&from=rss
 
He forgot to mention that computers with OpenBSD installed number in the thousands, maybe hundreds.

Windows is on millions.

Interesting article. Biased, but interesting.
 
I never said it wasn't biased, but to an extent, so am I :p

The main reason why I wanted to post that blurb was not to start another argument or anything, but just to point out a few differences. MS was being bashed because of its slow "response time", and this is just more of a point to why they are more prone to attacks than other OSes.

It's all about functionality.
 
Oracle got bashed today for the same reason.

Oracle sux, so it's OK. :) I should rephrase that.... most Oracle programmers suck.
 
Mastershakes said:
He forgot to mention that computers with OpenBSD installed number in the thousands, maybe hundreds.

Windows is on millions.

Interesting article. Biased, but interesting.

Uh, not really. Windows has the desktop share, no argument to be made there, but if you look at the server market, you'd find Apache running at around 70% of web servers and IIS at around 20%.

Besides the point is not vulnerabilities found, but vulnerabilities fixed. But I guess I can scream this out as many times as I want and you can't understand that fact. Who cares how many vulnerabilities are found [relatively speaking] as long as they are fixed, and promptly.

Look at Secunia's page for OpenBSD: http://secunia.com/product/100/ 2 vulnerabilities in 2006 so far, one in Perl [not OpenBSD explicitly, and fixed mind you] and one LOCAL exploit. You can't secure a PC against someone with physical access throwing it out the window.

Now look at the page for 2003 Web Server Edition, http://secunia.com/product/1176/ There are 8 unpatched. Why are there any unpatched vulnerabilities in this grand product that I paid thousands of dollars for? Why can these "free" OS keep their systems patched without that huge revenue stream, or is it because they aren't driven by profits and by security?
 
wwwdjrcs said:
You may think they suck, but they make mad $$$$$$$$$$$$

Since when does this matter? For instance, do you watch American Idol? It makes mad $$$$$$$$$$$$$$$$ but in my opinion it's killing "good" TV with help from others.
 
j79zlr said:
Uh, not really. Windows has the desktop share, no argument to be made there, but if you look at the server market, you'd find Apache running at around 70% of web servers and IIS at around 20%.

Besides the point is not vulnerabilities found, but vulnerabilities fixed. But I guess I can scream this out as many times as I want and you can't understand that fact. Who cares how many vulnerabilities are found [relatively speaking] as long as they are fixed, and promptly.

Look at Secunia's page for OpenBSD: http://secunia.com/product/100/ 2 vulnerabilities in 2006 so far, one in Perl [not OpenBSD explicitly, and fixed mind you] and one LOCAL exploit. You can't secure a PC against someone with physical access throwing it out the window.

Now look at the page for 2003 Web Server Edition, http://secunia.com/product/1176/ There are 8 unpatched. Why are there any unpatched vulnerabilities in this grand product that I paid thousands of dollars for? Why can these "free" OS keep their systems patched without that huge revenue stream, or is it because they aren't driven by profits and by security?
Did you even read the article posted?

To further illustrate my earlier point on market share, reasons for long periods of testing and stability, I wanted to add this tidbit because it also points out that no other OS comes close to ANY version of Windows in regards to functionality. If there is an OS that can turn a light switch on and off, it's easy to fix, and quick. They still go through the testing of compatibility, but there isn't as much to check against.

Seriously dude, if you haven't, read that article. It's an insanely good read. No one is attacking anything, just friendly conversation. I'll admit Windows takes time to fix things, but we have been over that before. There are reasons, and they have deviated from the patching schedule when the need arises, such as with the WMF exploit.
 
You're banging your head against the wall with people like him, trust me, it's not worth your time.
 