Amiga.org
The "Not Quite Amiga but still computer related category" => Alternative Operating Systems => Topic started by: seer on July 11, 2004, 10:17:36 AM
-
Found this link (http://www.computerweekly.com/articles/article.asp?liArticleID=131513&li) on <> moobunny.. Seems every "big" OS has the same amount of security problems.
-
:roll: @ article
The Microsoft Windows application
It's not an application, it's an operating system.
Before I start, I'm not a Mac OS X fan, I've barely used it, but for god's sake some people really ought to get their facts straight (comment not aimed at original poster).
In their statistics they change wording when they get to Mac OS X. Previously they say "remotely exploitable", then they say "exploitable over the Internet". "Remotely exploitable" is an official term in security vulnerability circles, and "exploitable over the Internet" is not. While they both have potentially compatible meanings, it is poor journalism (and if Secunia did the same, poor of them as well) to potentially change the goalposts in such a way.
Admittedly the focus of my work is Windows security so I'm going to take more notice of Windows vulnerabilities than for other operating systems, but a remotely exploitable vuln like the DCOM vulnerabilities would definitely have got my attention, and quite frankly I have not heard of one for Mac OS X. In recent history (last few months) I have heard of one Mac OS X vuln which required user interaction on not one but two occasions to successfully exploit it.
Windows vulnerabilities tend to be in the shape of "if you use this product, you're screwed". IE vulns for example 99% of the time are "if you look at this web page, you're screwed, but if you switch off 'Active Scripting'...". In my limited experience with other operating systems, this is not usually the case. Usually the vulnerabilities are more obscure.
Windows vulnerabilities also usually stem from "this stupid component should not even be running in the first place on a default install but MS have it running, in their infinite wisdom", such as Windows networking filesharing services, DCOM, all left running. B'duh.
-
Every badly administered 'big' OS will be vulnerable.
I would be surprised if OSX has more vulnerabilities than windows. Being BSD, it is a lot more mature and the source, like Linux, is reviewed by peers.
With windows, since last years worms, most trouble now is caused by IE and malware web sites that can directly infect a PC AND leave a door open for worms like netsky.
It would be surprising if the Unixes suffered the same fate since the security model makes it much harder for browser s/w to escalate privaleges and do these things.
Still, its possible with a badly administered Unix - look how many hosting companies run mysql as root!
-
Windows as secure as OSX? No.
Windows an operating system? No. It has long been simply an "application" which runs over DOS. Even now, Windows XP has to emulate DOS for it to work.
Windows is not an OS, it never will be.
It's just a poor DOS program plagued with flaws, bugs and security holes which after bad negotiation has a prescence in many homes.
Sad, very sad.
-
It's not an application, it's an operating system.
Yeah, thought about that one to (tho with all the stuff that comes with Windows you could argue is an "OS Application").
There are other little things about the article that's a bit.. weird..
I posted this link because I think it's only fair that users of Linux/OSX are aware of problems in their security.. Most think they have none, and that only Windows has problems..
BTW, secunia has an big list (http://secunia.com/product/?menu=repo) of "tested" products..
/edit
Same goes for IE versus mozilla (http://secunia.com/advisories/12027/)
-
No. It has long been simply an "application" which runs over DOS. Even now, Windows XP has to emulate DOS for it to work.
You're describing Windows 95/98. This isn't the case for Win NT4 / 2000/ XP. There is no DOS in 2000 / XP, it's more like a UAE type of emulation (NTVDM.exe)
And don't mistake "console" programs with MS-DOS programs.
The only time you really see MS-DOS in XP is when you install it from CD as a clean install.
If XP was still running on MS-DOS (Notice MS-DOS, not just DOS, as that could be PC-DOS, Amiga DOS etc) it owuld be very easy to run old MS-DOS games/programs on XP.. While lots of them just don't run and only a few with getting the right settings..
-
Every badly administered 'big' OS will be vulnerable.
True, but that's not the point. An OS should be reasonably secure by default, not priding functionality over security.
I would be surprised if OSX has more vulnerabilities than windows. Being BSD
BSD is just a kernel. Mac OS X is a lot more on top of that.
Still, its possible with a badly administered Unix
See response to first quote.
-
Windows an operating system? No. It has long been simply an "application" which runs over DOS. Even now, Windows XP has to emulate DOS for it to work.
No, it, doesn't. For the umpteenth time.
Windows NT4, 2k, XP, 2k3 are all based on the NT kernel, which has no compatibility whatsoever with MS-DOS. Any calls by MS-DOS applications are made through an emulation layer. Windows NTx also has an emulation layer OS/2 and POSIX-compliant code. You can see whether any emulation is going on due to NTVDM.exe running in the process list. Old installers sometimes need to, and old applications that can't talk win32 native properly also need it.
-
True, but that's not the point. An OS should be reasonably secure by default, not priding functionality over security.
Indeed. SP2 for XP does seem to set things right in that respect (a little), but then, the default settings would make acces to a XP/SP2 PC on an home network (workgroup) impossible without adjusting it..
Looking at it from a normal home user, having the least security options set is the easiest to get it up and running.. (NTFS and share permissions isn't everybodies cup of..)
-
Yeah, thought about that one to (tho with all the stuff that comes with Windows you could argue is an "OS Application").
Hmm, it's creating an unnecessary new term. The only exception IMO is IE, and that should be given its own category of "bastard" :-)
I posted this link because I think it's only fair that users of Linux/OSX are aware of problems in their security.. Most think they have none, and that only Windows has problems..
Oh yeah, totally. In fact, UNIX-variant operating systems such as Linux are targetted by attackers who want to silently compromise a system for their own use, simply because those operating systems are more flexible/powerful for their needs (and no, I'm not saying Linux is more powerful than Windows, it's horses for courses).
Many Linux distros have 'quite bad' (I'd class Windows as 'awful') security by default. I was about to say 'Linux users should', but I'll say instead "Users of all operating systems should", run through their system with a fine toothcomb, check what services are listening on what ports, any processes running that shouldn't be, any extra users set up that shouldn't be, etc.
Same goes for IE versus mozilla
Whoop-de-do, you found a Mozilla vuln. That'll be something that happens approximately twice a year, rather than every week with IE :-)
-
The only exception IMO is IE, and that should be given its own category of "bastard"
Well, I just figured out the best way to run IE.. Well except for not running it.. is to set the security zone for the default internet zone to highest, and put all the sites I visit in trusted sites ;-)
Whoop-de-do, you found a Mozilla vuln. That'll be something that happens approximately twice a year, rather than every week with IE :-)
Well, it's an start.. I'm sure we'll be able to find more ;-) :lol:
-
seer wrote:
The only exception IMO is IE, and that should be given its own category of "bastard"
Well, I just figured out the best way to run IE.. Well except for not running it.. is to set the security zone for the default internet zone to highest, and put all the sites I visit in trusted sites ;-)
Suggestions: Firefox (http://www.mozilla.org/products/firefox/) Mozilla (http://www.mozilla.org/products/mozilla1.x/) Opera (http://www.opera.com/)
Opera 7.5x is IMO more usable than previous versions, though Firefox/Moz are still far more my cup of tea :-)
Whoop-de-do, you found a Mozilla vuln. That'll be something that happens approximately twice a year, rather than every week with IE :-)
Well, it's an start.. I'm sure we'll be able to find more ;-) :lol:
By all means please do.
-
@ HopperJF
If I statements that demonstrated ignorance on such a level as you have, I'd expect to get flamed from here to next year. If you are going to participate in such a discussion, it is best to know your subject first (and/or at least admit points on which you don't have knowledge in).
Otherwise you just succeed in making yourself looking very, very silly. As well as having an attitude.
-
@mikeymike
@ HopperJF
If I statements that demonstrated ignorance on such a level as you have, I'd expect to get flamed from here to next year
Did I miss something ? You allready responded to him ??
-
Suggestions: Firefox Mozilla Opera
I know them all, not sure which one I prefer tho.. I do find myslef starting IE more tho.. It's easier and I'm lazy..
By all means please do.
I doubt that I will find any, I usualy don't go to weird sites.. (Why would anybody anyway, only by accident or searching for cracks I suppose ?)
-
seer wrote:
@mikeymike
@ HopperJF
If I statements that demonstrated ignorance on such a level as you have, I'd expect to get flamed from here to next year
Did I miss something ? You allready responded to him ??
I did, but I responded before I had read the second paragraph. I felt it needed saying.
Wrt to finding browser vulns, I meant find the vulns yourself and publish :-)
-
If this is the same story a shown on OSNews and Slashdot it's just FUD, they count the vulnerabilities in different ways conveniently missing quite a number of them for Windows, they also didn't count those in IE (which I consider to be part of the OS).
In other words they can't count.
-
seer wrote:
@mikeymike
@ HopperJF
If I statements that demonstrated ignorance on such a level as you have, I'd expect to get flamed from here to next year
Did I miss something ? You allready responded to him ??
He uses Windows, and I made him upset.
-
He uses Windows, and I made him upset.
Congratulations on missing the point completely.
And you're probably the first person ever to say/imply that I'm a Windows advocate :lol:
-
I feel special :-)
-
Getting back to the topic, simply this: If you use Windows and IE sooner or later yo will get a virus or trojan and get hacked or your sysem will get screwed up. I have yet to come accross anything in OSX that even comes close to the scary stuff I see in Windows boxes. I cant remember the last time I got a real virus in any MacOS or AmigaOS system I have. The only ones I do see are from email and are Windows versions.
-
Absolutely!
They have addressed some of the issues with default services in XPsp1 but the security model is still weak.
This means that if you are running a browser in NT+ (especially IE) you are gambling with your security.
At home, I'm behind a firewall/router, patched to the hilt, run stinger/adaware every week and only use IE on crappy ASP or M$Java sites.
As for the windows runs on DOS folk - try telling that to the ex digital VMS dudes who developed NT. The last DOS/Windows combi was the dreadful millenium - now who runs that?
-
Acill wrote:
Getting back to the topic, simply this: If you use Windows and IE sooner or later yo will get a virus or trojan and get hacked or your sysem will get screwed up. I have yet to come accross anything in OSX that even comes close to the scary stuff I see in Windows boxes. I cant remember the last time I got a real virus in any MacOS or AmigaOS system I have. The only ones I do see are from email and are Windows versions.
Agreed 100%.
So the simple answer to the subject of this thread, is No.
-
This is all interesting. IMHO, the only reason Windows is exploited more is because it is hated more. Myself, I have a love/hate relationship with my Windows XP boxen and thinking a little more about it, I always have. If Windows did not make me money, it would be easy to dismiss it, but the fact remains that it is necessary because big business does not want (or can not afford) an infrastructure change on the magnitude it would take to drop Microsoft. No company wants to be the first to go against status quo :-)
I am dropping Windows on my home system because I am tired of focusing on vulns and viruses and having to spend money on products that I need to keep my computing environment safe. I have looked into Linux and I have owned and still own a Macintosh system... the one I currently have is an old 7600 running OS 8.6 (circa mid 1990s). I was a FreeBSD user for a long time and MacOS X is a very big advancement for Apple! That doesn't mean it is secure though.
Someone mentioned that BSD is just a kernel... MacOS X (not sure about the current Panther/Tiger) was all FreeBSD with a lot of new utils and a pretty GUI put on top... the utils are indeed what separates "Darwin" from FreeBSD, but you can run most of the same commands at the prompt and it is still FreeBSD under the hood. That having been said, the same exploits that may be in FreeBSD (not secured) will be present in OSX.
It USED to be that Windows was the only system to have viruses and Macintoshes and *NIX systems could be carriers but not infected (ie: send an email from your mac to your buddy with a PC and you could infect him if you carried a virus)... Spyware of course is a big problem, but given time, it will be a problem on other platforms too.
As MacOS X gains market, vulns will be found and exploited because everyone wants to unseat the king of the hill, again this is my opinion only :-)
My personal choice... Go with Amiga and specifically get to A1... that will be the platform to watch... and at least for now, I will be free of headaches outside of work.
an aside, The benefit of working for a company is they provide another win box for me to use anyhow, so it is safe to change my home platform.
Anyhow, all platforms have potential to be exploited.
-
I cant remember the last time I got a real virus in any MacOS or AmigaOS system I have. The only ones I do see are from email and are Windows versions.
So the simple answer to the subject of this thread, is No.
That's not what's this is about, it's about no OS is as secure as we need/want it to be.
If you think you are safe from virus or other attacks just because you don't use windows, well, it's your loss..
-
This is all interesting. IMHO, the only reason Windows is exploited more is because it is hated more.
I'd put it the other way around, I'd say those do the exploiting *love* the fact it's so insecure.
As MacOS X gains market, vulns will be found and exploited because everyone wants to unseat the king of the hill, again this is my opinion only
I'd agree more attempts will be made on the more popular systems but that in itself does not mean it is less secure.
I think it is something of a myth that Windows is considered insecure because it has the biggest market share.
Apache has the biggest market share for webservers but does it have as many vulnerabilities as IIS? No.
Someone mentioned that BSD is just a kernel...
Linux is technically a kernel though most people use the term to refer to the entire OS, BSD is an Operating System (actually a family of them).
MacOS X (not sure about the current Panther/Tiger) was all FreeBSD with a lot of new utils and a pretty GUI put on top... the utils are indeed what separates "Darwin" from FreeBSD, but you can run most of the same commands at the prompt and it is still FreeBSD under the hood. That having been said, the same exploits that may be in FreeBSD (not secured) will be present in OSX.
Not quite...
OS X includes a chunk of FreeBSD in the kernel along with MACH along with a load of stuff from FreeBSD, OpenBSD, GNU etc. on top.
That having been said, the same exploits that may be in FreeBSD (not secured) will be present in OSX.
Assuming the part in question is present and hasn't been changed.
Anyhow, all platforms have potential to be exploited.
That I agree with 100%
-
This topic again...
Every operating system has it's weaknesses. At least with Windows XP and other variants of Windows you have the ability to patch it - you can even run a scheduled update - so you can just forget about everything...
The reason why Mac OS / Amiga OS isn't exploited as much is because it's not used as much... I'm also pretty sure I can remember lots of virus's for the Amiga as well...
Now take linux - Red Hat actually makes you pay for the patches - great..
The operating system is only as good as the user - if you take care and patch it / use a firewall then you won't have many problems... however if you don't take care of it, like everything else, it will be crap...
Normally most problems with operating systems are down to user errors - Bill Gates for making lots of money has become hated... yet when there's a problem with anything it is quickly patched...
And for all of you who say 'well it should have been patched in the first place' even with the best testing it's still possible to miss something - and if you do it's much better to release a patch than try and cover it up...
Sorry for the long post but it seems to be a stupid comparison - like a topic 'is the ST more vunerable than Amiga' etc etc..
Macca.
-
Colin_Camper wrote:
As for the windows runs on DOS folk - try telling that to the ex digital VMS dudes who developed NT. The last DOS/Windows combi was the dreadful millenium - now who runs that?
I can remember clearly that I ran Sopwith (a very old 8086 game) under Windows NT4
-
Sorry for the long post but it seems to be a stupid comparison - like a topic 'is the ST more vunerable than Amiga' etc etc..
Oh go on, that would be amusing :-)
Apache has the biggest market share for webservers but does it have as many vulnerabilities as IIS? No.
Erm, actually, yes. Do the search yourself if you don't believe me, but it's a commonly known fact in the security community. But I think (pretty sure actually :-)) Apache has been around for a bit longer than IIS.