
Author Topic: Windows as secure as OSX....  (Read 5100 times)

Offline mikeymike

  • Hero Member
  • *****
  • Join Date: Nov 2002
  • Posts: 3420
  • Country: 00
Re: Windows as secure as OSX....
« on: July 11, 2004, 10:59:50 AM »
:roll: @ article

Quote
The Microsoft Windows application


It's not an application, it's an operating system.

Before I start, I'm not a Mac OS X fan, I've barely used it, but for god's sake some people really ought to get their facts straight (comment not aimed at original poster).

In their statistics they change wording when they get to Mac OS X.  Previously they say "remotely exploitable", then they say "exploitable over the Internet".  "Remotely exploitable" is an official term in security vulnerability circles, and "exploitable over the Internet" is not.  While they both have potentially compatible meanings, it is poor journalism (and if Secunia did the same, poor of them as well) to potentially change the goalposts in such a way.

Admittedly the focus of my work is Windows security so I'm going to take more notice of Windows vulnerabilities than for other operating systems, but a remotely exploitable vuln like the DCOM vulnerabilities would definitely have got my attention, and quite frankly I have not heard of one for Mac OS X.  In recent history (last few months) I have heard of one Mac OS X vuln which required user interaction on not one but two occasions to successfully exploit it.

Windows vulnerabilities tend to be in the shape of "if you use this product, you're screwed".  IE vulns for example 99% of the time are "if you look at this web page, you're screwed, but if you switch off 'Active Scripting'...".  In my limited experience with other operating systems, this is not usually the case.  Usually the vulnerabilities are more obscure.

Windows vulnerabilities also usually stem from "this stupid component should not even be running in the first place on a default install but MS have it running, in their infinite wisdom", such as Windows networking filesharing services, DCOM, all left running.  B'duh.
 

Offline mikeymike

Re: Windows as secure as OSX....
« Reply #1 on: July 11, 2004, 11:56:31 AM »
Quote
Every badly administered 'big' OS will be vulnerable.


True, but that's not the point.  An OS should be reasonably secure by default, not priding functionality over security.

Quote
I would be surprised if OSX has more vulnerabilities than windows. Being BSD

BSD is just a kernel.  Mac OS X is a lot more on top of that.

Quote
Still, it's possible with a badly administered Unix

See response to first quote.
 

Offline mikeymike

Re: Windows as secure as OSX....
« Reply #2 on: July 11, 2004, 12:00:19 PM »
Quote
Windows an operating system? No. It has long been simply an "application" which runs over DOS. Even now, Windows XP has to emulate DOS for it to work.


No, it doesn't.  For the umpteenth time.

Windows NT4, 2k, XP, 2k3 are all based on the NT kernel, which has no compatibility whatsoever with MS-DOS.  Any calls by MS-DOS applications are made through an emulation layer.  Windows NTx also has an emulation layer for OS/2 and POSIX-compliant code.  You can see whether any emulation is going on due to NTVDM.exe running in the process list.  Old installers sometimes need to, and old applications that can't talk Win32 native properly also need it.

 

Offline mikeymike

Re: Windows as secure as OSX....
« Reply #3 on: July 11, 2004, 12:06:50 PM »
Quote
Yeah, thought about that one too (tho with all the stuff that comes with Windows you could argue is an "OS Application").


Hmm, it's creating an unnecessary new term.  The only exception IMO is IE, and that should be given its own category of "bastard" :-)

Quote
I posted this link because I think it's only fair that users of Linux/OSX are aware of problems in their security.. Most think they have none, and that only Windows has problems..


Oh yeah, totally.  In fact, UNIX-variant operating systems such as Linux are targeted by attackers who want to silently compromise a system for their own use, simply because those operating systems are more flexible/powerful for their needs (and no, I'm not saying Linux is more powerful than Windows, it's horses for courses).

Many Linux distros have 'quite bad' (I'd class Windows as 'awful') security by default.  I was about to say 'Linux users should', but I'll say instead "Users of all operating systems should", run through their system with a fine toothcomb, check what services are listening on what ports, any processes running that shouldn't be, any extra users set up that shouldn't be, etc.

Quote
Same goes for IE versus mozilla


Whoop-de-do, you found a Mozilla vuln.  That'll be something that happens approximately twice a year, rather than every week with IE :-)
 

Offline mikeymike

Re: Windows as secure as OSX....
« Reply #4 on: July 11, 2004, 12:18:28 PM »
Quote
Quote
seer wrote:
The only exception IMO is IE, and that should be given its own category of "bastard"

Well, I just figured out the best way to run IE.. Well except for not running it.. is to set the security zone for the default internet zone to highest, and put all the sites I visit in trusted sites ;-)


Suggestions:  Firefox Mozilla Opera

Opera 7.5x is IMO more usable than previous versions, though Firefox/Moz are still far more my cup of tea :-)

Quote
Quote
Whoop-de-do, you found a Mozilla vuln. That'll be something that happens approximately twice a year, rather than every week with IE :-)

Well, it's a start.. I'm sure we'll be able to find more ;-) :lol:


By all means please do.
 

Offline mikeymike

Re: Windows as secure as OSX....
« Reply #5 on: July 11, 2004, 12:30:54 PM »
@ HopperJF

If I made statements that demonstrated ignorance on such a level as you have, I'd expect to get flamed from here to next year.  If you are going to participate in such a discussion, it is best to know your subject first (and/or at least admit points on which you don't have knowledge).

Otherwise you just succeed in making yourself look very, very silly.  As well as having an attitude.
 

Offline mikeymike

Re: Windows as secure as OSX....
« Reply #6 on: July 11, 2004, 12:46:59 PM »
Quote

seer wrote:
@mikeymike

@ HopperJF

If I made statements that demonstrated ignorance on such a level as you have, I'd expect to get flamed from here to next year


Did I miss something? You already responded to him??


I did, but I responded before I had read the second paragraph.  I felt it needed saying.

Wrt finding browser vulns, I meant find the vulns yourself and publish :-)
 

Offline mikeymike

Re: Windows as secure as OSX....
« Reply #7 on: July 11, 2004, 01:32:23 PM »
Quote
He uses Windows, and I made him upset.

Congratulations on missing the point completely.

And you're probably the first person ever to say/imply that I'm a Windows advocate  :lol:

 

Offline mikeymike

Re: Windows as secure as OSX....
« Reply #8 on: July 11, 2004, 09:13:14 PM »
Quote
Sorry for the long post but it seems to be a stupid comparison - like a topic 'is the ST more vulnerable than Amiga' etc etc..


Oh go on, that would be amusing :-)

Quote
Apache has the biggest market share for webservers but does it have as many vulnerabilities as IIS? No.


Erm, actually, yes.  Do the search yourself if you don't believe me, but it's a commonly known fact in the security community.  But I think (pretty sure actually :-)) Apache has been around for a bit longer than IIS.