Posted by PC Guy on May 27, 2007, 9:55 pm
PC Guy wrote on 26. May 2007:
>
>>> The Windows code is broken.
>
>> So we've been told. Unfortunately we've never seen any proof to
>> support this claim.
> That's why it's Closed Source one can only assume.
Since you have nothing more than an assumption, I will conclude that you,
like those before you, are unable to provide proof. Therefore you're
engaging in spreading FUD.
>>> It was patched and patched again since 1995, as all recent Windows are
>>> based on Windows NT from 1995. Since no one at MS has access to the
>>> complete source code they cannot just "fix" a bug, as they cannot know
>>> of side effects on code they have no access to. They more or less built
>>> workarounds to a bug. A similar exploit might still be successful after
>>> "fixing".
>
>> And this is unique to Microsoft how?
> A fixed bug in other OSes was not triggered by similar exploits, to my
> knowledge.
I have no idea what it is you're trying to say here.
> Another thing is the "broken by design" issue. At least 2000/XP still
> came with default listening services and so responding ports (namely
> 137-139, 445). Which caused action by most of the ISPs to filter those
> ports by default for their (residential) customers.
This argument ended when SP2 was released in the summer of 2004. Almost
three years ago. Time to get something new.
> Or Internet Explorer with countless bugs and strange behavior. Like how
> it did (or still does?) check the file's header. If a file with the
> extension *.mid was to be launched it thought "Oh, MIDI isn't dangerous
> so I can start it", but then checked the file's header, let's say it is an
> executable, and since it determined *.mid isn't dangerous it would start
> it (the executable).
>
> A more harmless thing was TXT vs. HTML. If you have a file.txt, and even
> if the server sends the MIME type "text/plain" but the file starts with
>
> <HTML>
>
> IE will (or did until 6.0?) render it as HTML.
>
> This and other things are called "broken by design". No real bugs since
> intended, but still dangerous.
I don't consider IE to be relevant to Windows' security model. It may have
some odd, or even dangerous, behavior but such behavior is not a reflection
on Windows' security.
>>> While on Unix anybody has full access to all code and can determine if a
>>> bugfix has side effects on other routines. Unix code is really fixed and
>>> a similar exploit shall have no success.
>>
>> You're confusing open source with UNIX.
> UNIX is, depending on its flavor (BSD, Linux...) Open Source.
UNIX is generic. Therefore unless your statement applies to all variants it
is inaccurate.
>>> It's a matter of open source.
>>
>> Makes no difference. Open source has not been shown to be any more
>> secure than closed source.
> Bug fixes work. And are done in a very short time because anyone could do
> it, while MS has the Patch Day [TM] where you usually have to wait. And
> still not all bugs will be fixed.
>
> not fixed bugs. Guess which one. ;-)
I am not interested in bugs. What I am interested in are facts to support
the statement:
"The fact is that Mac OS X is BUILT to be FUNDAMENTALLY safer than Windows
from the kernel on up."
If you have facts to support this statement let's see them. Otherwise you're
engaging in spin.
>>> MS should throw away all code and design the coming Windows from
>>> scratch. Which they won't. We will see much more successful exploits in
>>> Windows than in Unix. Not only because Unix isn't that far spread.
>>
>> Primarily because UNIX is not that far spread.
>
> One true thing. Still it would be interesting to see how MS and UNIX would
> compete at equal market share. But we'll never know since this won't ever
> happen.
I think we already got a taste of what would happen with the CanSecWest
challenge.
>>> For example Apache, the Unix/Linux-based web server, has a bigger
>>> market share than the MS web server, but wasn't as vulnerable as IIS
>>> was.
>>
>> From what I can tell Apache has had more vulnerabilities than
>> IIS. Especially IIS 6.0.
>
> Source of this statement?
Various articles on the Internet.
> I cannot recall a greater impact than back in 2001 when "Code Red"
> was infecting every PC with an IIS installed.
Three things:
1. The majority of infected systems were internal systems. Many of which
were not intended to be web servers but since IIS was installed and running
on a default Windows 2000 Server install they became infected. Therefore
these systems do not count in the Netcraft statistics so often quoted to
disprove the marketshare theory.
2. Even ignoring point one above, Apache represents a generic term referring
to many versions. For example there are three major code lines (1.x, 2.0.x,
2.2.x), each running on a different OS (OS X, Windows, Solaris, IRIX, AIX,
HP/UX, etc), and many different hardware platforms (x86, MIPS, SPARC,
Itanium, etc). Contrast this to IIS that runs primarily on a single platform
(Windows, x86, IIS 5.0/Windows x86, IIS 6.0). So when you say "Apache has a
greater marketshare than IIS" which version of Apache are you referring to?
3. I have yet to see anyone actually prove the statement that IIS is
compromised more than Apache. It's been repeated so often people take it as
true. But until such time as proof is actually provided it's an old wives'
tale.
> But it seems the IIS works better after 6.0.
Which has been out since the summer of 2003. Almost four years ago. If the
best you can do is an example of Code Red from back in 2001 (six years ago)
then I think it's safe to say that your assertions are invalid.
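The two Internet Explorer behaviours quoted in this thread (rendering a "text/plain" body as HTML because it starts with <HTML>, and launching a file whose extension looks harmless even though its bytes are an executable) both come down to the same design choice: which of the label and the content wins. The following is an added example written for this page, not code from the thread and not IE's actual implementation. It models the permissive "legacy" decision beside a hardened one that honours the declared Content-Type and the X-Content-Type-Options: nosniff header and that treats an "MZ" header as executable regardless of extension. The 256-byte sniff window, the safe-extension list, the function names and the sample bodies are all assumptions made for the example.

```javascript
// Simplified model of "label vs. content" decisions, written for this page.
// Not IE's real algorithm; window size and extension list are assumptions.

const SNIFF_WINDOW = 256; // assumption: only the first 256 bytes are inspected
const SAFE_EXTENSIONS = new Set(['mid', 'txt', 'jpg']); // assumption: "harmless" types

// Return the first SNIFF_WINDOW bytes as a Latin-1 string for pattern checks.
function prefixOf(bodyBytes) {
  return Buffer.from(bodyBytes.subarray(0, SNIFF_WINDOW)).toString('latin1');
}

// Does the prefix look like an HTML document? Leading whitespace and any case allowed.
function looksLikeHtml(prefix) {
  return /^\s*<(!doctype\s+html|html|head|body|script)[\s>]/i.test(prefix);
}

// Does the body start with the DOS/PE executable magic "MZ"?
function looksLikeExecutable(bodyBytes) {
  return bodyBytes.length >= 2 && bodyBytes[0] === 0x4d && bodyBytes[1] === 0x5a;
}

// Legacy behaviour: the body overrides the declared type, so a text/plain
// response that begins with <HTML> is rendered (and scripted) as HTML.
function legacyRenderType(contentType, bodyBytes) {
  if (looksLikeHtml(prefixOf(bodyBytes))) return 'text/html';
  return contentType;
}

// Hardened behaviour: a declared type is honoured and never upgraded to HTML;
// sniffing only happens when the server declared nothing and did not forbid it.
function hardenedRenderType(headers, bodyBytes) {
  const ct = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const nosniff =
    (headers['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  if (ct !== '') return ct;
  if (nosniff) return 'application/octet-stream';
  return looksLikeHtml(prefixOf(bodyBytes)) ? 'text/html' : 'application/octet-stream';
}

// Legacy launch decision: trust the extension alone.
function legacyAllowsLaunch(filename) {
  const ext = filename.toLowerCase().split('.').pop();
  return SAFE_EXTENSIONS.has(ext);
}

// Hardened launch decision: an executable header wins over any extension.
function hardenedAllowsLaunch(filename, bodyBytes) {
  if (looksLikeExecutable(bodyBytes)) return false;
  return legacyAllowsLaunch(filename);
}

// Constructed sample bodies (not captured from any real server).
const htmlInTxt = Buffer.from('<HTML><body><script>alert(1)</script></body></HTML>');
const exeAsMidi = Buffer.concat([Buffer.from('MZ'), Buffer.alloc(62, 0)]);

// Run the scenarios from the thread and return the decisions for inspection.
function demo() {
  return {
    legacyTxt: legacyRenderType('text/plain', htmlInTxt),
    hardenedTxt: hardenedRenderType({ 'content-type': 'text/plain' }, htmlInTxt),
    hardenedTxtNosniff: hardenedRenderType(
      { 'content-type': 'text/plain', 'x-content-type-options': 'nosniff' }, htmlInTxt),
    hardenedUnlabelled: hardenedRenderType({}, htmlInTxt),
    legacyMidi: legacyAllowsLaunch('song.mid'),
    hardenedMidi: hardenedAllowsLaunch('song.mid', exeAsMidi),
  };
}

console.log(demo());
```

The point the model makes is not that sniffing is always wrong; with no Content-Type at all a client has nothing else to go on. It is that a declared label must not be silently overridden toward a more dangerous interpretation, and that a file's magic bytes must be allowed to veto a "harmless" extension. Servers that emit X-Content-Type-Options: nosniff close the first gap for any client that honours it.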