dang... this is bad

Story: Windows broken … I’m surprised it took this long
Total Replies: 6
tuxchick

Aug 11, 2008
7:05 PM EDT
Quoting: ...many of the vulnerabilities come down to running insecure applications. Not only does Microsoft need to up its game, it needs to get developers who are pumping out applications to do the same....

You can’t trust software to protect itself, and we need to combine hardware and software. One example - under Vista DEP (Data Execution Prevention) isn’t enforced well enough.


Please. Please. PLEASE. Don't have opinions on subjects you don't know anything about. I'm begging here, on my knees. Just shush.

Insecure applications are trouble for any OS, but not in the way the article suggests- when the operating system is a Byzantine spaghetti nightmare, and a towering ponderous edifice overwhelming its poor little ancient, feeble foundation; when the OS is friendlier to any random remote executable than it is to its actual human users, then application security is a scapegoat, not the problem. It's like trying to sail a sieve, and blaming the sailmaker when it sinks.

You most certainly can trust software to protect itself. What kind of fortified blindness does it take to miss that Unix/Linux have done exactly that for decades? Without needing some gawdawful hardware hack that ropes poor innocent CPUs into trying to cover up the defects in the operating system? The problem is not some esoteric operating system theory- the problem is Windows is punk to the core and not fixable.
tracyanne

Aug 11, 2008
7:10 PM EDT
Quoting: It's like trying to sail a sieve, and blaming the sailmaker when it sinks.


So apt.
tuxchick

Aug 11, 2008
7:57 PM EDT
Articles like this make me cry. One more nit: nobody set browser security back ten years- they uncovered these problems, they didn't create them. I read the paper, and I'm afraid a lot of it was over my head. However, the excellent Bruce Schneier is skilled at translating into plain English:

Quoting: In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers. By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.


Soooo... IE and ActiveX open giant security holes. I'm getting forgetful in my old age- doesn't that sound awfully familiar?
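The Schneier summary quoted above says the bypass works by getting the browser to load Java, ActiveX and .NET content that is not covered by ASLR and DEP. On Windows those two protections are opt-in per module, signalled by two flags in the PE optional header's DllCharacteristics field (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP), so the first thing a defender auditing a browser's loaded modules wants to know is which of them never opted in. The script below is an added example, not code from this thread or from the Dowd/Sotirov paper: it parses that header field from raw image bytes and lists modules missing either mitigation. The images it runs on are constructed header-only stubs and the module names are made up. One caveat: the flag only records the module's own opt-in; whether DEP is actually applied also depends on the system-wide DEP policy, which this check does not read.

```python
import struct

# Flags in IMAGE_OPTIONAL_HEADER.DllCharacteristics (values from the PE specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is NX compatible: DEP opt-in


def pe_mitigations(data: bytes) -> dict:
    """Report whether a PE image opts into ASLR and DEP.

    Walks DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional
    header and reads DllCharacteristics, which sits at offset 70 of the
    optional header for both PE32 and PE32+ images.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20                                           # IMAGE_FILE_HEADER is 20 bytes
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt = "PE32"
    elif magic == 0x20B:
        fmt = "PE32+"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "format": fmt,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def audit_modules(modules: dict) -> list:
    """Given {module name: image bytes}, return (name, missing mitigations)
    for every module that lacks ASLR and/or DEP opt-in."""
    findings = []
    for name, image in modules.items():
        m = pe_mitigations(image)
        missing = [k for k in ("aslr", "dep") if not m[k]]
        if missing:
            findings.append((name, missing))
    return findings


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample input: a header-only PE stub (not loadable), just
    enough structure for pe_mitigations() to parse."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after DOS header
    opt_len = 112 if pe32plus else 96                  # standard optional header sizes
    coff = bytearray(20)
    struct.pack_into("<H", coff, 2, 1)                 # NumberOfSections
    struct.pack_into("<H", coff, 16, opt_len)          # SizeOfOptionalHeader
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)          # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    # Hypothetical module names; the images are constructed stubs, not real DLLs.
    sample = {
        "hardened_plugin.dll": build_minimal_pe(0x0140),
        "legacy_activex.ocx": build_minimal_pe(0x0000),
        "nx_only.dll": build_minimal_pe(0x0100, pe32plus=True),
    }
    for name, missing in audit_modules(sample):
        print("%s lacks: %s" % (name, ", ".join(missing)))
```

To run it against real files, read each module's bytes from disk and pass them in the dictionary; the parser only needs the headers, so reading the first few kilobytes of each file is sufficient.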
tracyanne

Aug 11, 2008
9:04 PM EDT
Quoting: Soooo... IE and ActiveX open giant security holes.


Our old friends, nothing has actually changed, except perhaps the paintwork.
wjl

Aug 12, 2008
6:07 AM EDT
Hm. I also read the paper only briefly, but I agree with Schneier's opinion that this one could be big. And yes, it runs down to (mostly and once more) ActiveX and the way things are designed. Too many applications, even web sites demand that this is turned on, so that's almost impossible to fix.

I wonder if these guys over in Redmond will ever learn. Maybe it really needs a major lawsuit after a big damage before they do.

The message of all this, especially to companies and enterprises should be pretty clear: use open source wherever you can. No, we're also not perfect, and yes, we're only humans as well. But at least we're open to peer review...
wjl

Aug 12, 2008
12:21 PM EDT
Funny btw:

DD Russell Coker just blogged about paxtest, memory management, and SE Linux - almost the same topic...
number6x

Aug 12, 2008
1:40 PM EDT
I know that it is not Vista, but does everyone remember the system call maps for serving a static web page:

IIS on Windows vs. Apache on Linux: http://www.basicallytech.com/blog/index.php?/archives/47-Apa...

Somehow I don't think Vista made the maps simpler.
