MICROSOFT tries to correct security breach in Windows
Posted by Au79 on January 7th, 2006


TMCnet - USA

.... "Microsoft's delay is inexcusable," said Alan Paller, director of
research at the SANS ... But it's one more Windows vulnerability -- one of
many, many, many over ...

<http://www.tmcnet.com/usubmit/-microsoft-tries-correct-security-breach-windows-/2006/jan/1260208.htm>
--

--

http://www.vanwensveen.nl/rants/microsoft/IhateMS.html

Posted by Fuzzy Logic on January 9th, 2006


Au79 <au79@null.net> wrote in news:uxEvf.19202$7Y7.10183@newsfe07.phx:

Fortunately the alternatives don't fare any better. Here is an excerpt from
the CERT year end summary:

There were 5198 reported vulnerabilities: 812 Windows operating system
vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058
Multiple operating system vulnerabilities.

More here <http://www.us-cert.gov/cas/bulletins/SB2005.html>

Posted by Seatoller on January 9th, 2006


It was on Mon, 09 Jan 2006 22:51:12 +0000, that Fuzzy Logic wrote:

Well, that's one of the stupidest things I've seen!

It's like saying: In 2005, General Motors had 800 vehicles recalled
for faults, but the others (Ford, Toyota, Nissan, Honda, Mercedes, Saab,
plus; The Volkswagen Group [Volkswagen, Seat, Skoda etc]) had 4,500
faults! You cannot make any direct comparison between faults on GM
vehicles, & the faults listed on the other vehicle makers because they are
all lumped together! All it tells me is, that someone compiled the list
who did NOT know WTF they were doing, & that it was published by another
clueless prat.

Posted by Fuzzy Logic on January 10th, 2006


Seatoller <st@securelinux.me> wrote in
newsan.2006.01.09.23.14.24.583697@securelinux.me :

Yeah CERT doesn't know what they are talking about:

http://www.us-cert.gov/aboutus.html

I made no comparisons between actual faults. I posted the relevant link
so anyone can determine which vulnerabilities are applicable to them. The
fact is there are numerous faults in both Windows and *nix.

..


Posted by Seatoller on January 10th, 2006


It was on Tue, 10 Jan 2006 18:46:33 +0000, that Fuzzy Logic wrote:

Absolutely, that's what I said. Also said by /many/ others who /do/ know
what they're talking about.

That is /assuming/ they know what they're looking at, & can tell /which/
vulnerabilities are attributed to /which/ OS. As US-Cert have lumped AIX
Apple, FreeBSD, Solaris, Linux, SCO OpenServer & UnixWare under the
Unix/Linux Operating System vulnerabilities, it is /impossible/ to compare
directly with MicroSoft windows. For a start, Apple is no more FreeBSD
than windows is. Because the different OSs are lumped together, you cannot
even make a direct comparison between Microsoft & linux, or FreeBSD, or
OpenBSD, or Apple, any other OS that's listed.

Also, the Unix/Linux list duplicates items, counting a vulnerability
more than once in the list. For an example, note that it lists Eric
Raymond Fetchmail POP3 Client Buffer Overflow (Updated). However, the
/same/ vulnerability is listed, under the same title, four times! Worse,
for any comparison purposes, the same vulnerability is also reported as
Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is
listed 5 times, making the total of 2328 meaningless unless you carefully
comb through it to weed out duplications.

Except there are less linux ones, & in general they aren't as serious.

Anyone reading about the list, should take note that /no/ straight
comparisons are actually possible, /unless/ they wish to take the
time & check /very/ carefully through the /entire/ list.
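The duplicate-counting problem raised in the post above, as an added example that is not part of any post in the thread: it collapses "(Updated)" re-listings and vendor-prefixed variants of one title before counting per category. Only the two Fetchmail titles come from the thread; the other rows, the `min_words` threshold and the suffix-matching heuristic are assumptions.

```python
import re
from collections import defaultdict

FETCH = "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)"
# (category, title) rows. Fetchmail titles are quoted in the thread;
# every "Example ..." row is constructed for illustration.
ROWS = [("Unix/Linux", FETCH)] * 4 + [
    ("Unix/Linux", "Fetchmail POP3 Client Buffer Overflow"),
    ("Unix/Linux", "Example Daemon Format String (Updated)"),
    ("Windows", "Example Viewer Heap Overflow"),
    ("Windows", "Example Viewer Heap Overflow (Updated)"),
]

def normalize(title):
    """Lower-case, drop a trailing '(Updated)' marker, split into words."""
    title = re.sub(r"\s*\(updated\)\s*$", "", title.strip(), flags=re.I)
    return tuple(title.lower().split())

def is_suffix(short, long):
    """True when the words of `short` are the trailing words of `long`."""
    return long[len(long) - len(short):] == short

def dedupe(rows, min_words=4):
    """Map category -> unique titles. Two titles merge when they are equal
    after normalizing, or when one is a word-suffix of the other (a vendor
    or author prefix was added) and the shared part has >= min_words."""
    unique = defaultdict(list)
    for category, title in rows:
        words, bucket = normalize(title), unique[category]
        for i, seen in enumerate(bucket):
            short, long = sorted((words, seen), key=len)
            if words == seen or (len(short) >= min_words
                                 and is_suffix(short, long)):
                bucket[i] = short  # keep the shorter form as canonical
                break
        else:
            bucket.append(words)  # no match: a new vulnerability
    return {c: [" ".join(w) for w in t] for c, t in unique.items()}

def counts(rows):
    """Map category -> (rows as listed, unique after de-duplication)."""
    raw = defaultdict(int)
    for category, _ in rows:
        raw[category] += 1
    unique = dedupe(rows)
    return {c: (raw[c], len(unique[c])) for c in raw}

if __name__ == "__main__":
    for category, (listed, uniq) in counts(ROWS).items():
        print(f"{category}: {listed} listed, {uniq} unique")
```

Suffix matching can wrongly merge two different products that share a long generic tail, so the merged groups still need a manual look before the totals are quoted.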

Posted by Fuzzy Logic on January 11th, 2006


Seatoller <st@securelinux.me> wrote in
newsan.2006.01.10.23.35.26.75114@securelinux.me:

I was being facetious. CERT is a central clearing house for security
issues and generally doesn't post anything but well documented exploits.

You apparently missed my point. All OS's have vulnerabilities and their
relative security varies from day to day, patch to patch. What's secure
today can be a sieve tomorrow as new vulnerabilities are found and
addressed. I am not saying one OS is better than another only that
security is a process not a piece of hardware or software and regardless
of the OS/Software you use you must be diligent in applying patches as
well as learning and using the security features of the OS you use.


Posted by Seatoller on January 11th, 2006


It was on Wed, 11 Jan 2006 23:26:34 +0000, that Fuzzy Logic wrote:

<snip>

True.

Yes, very true. However, by their very nature, some OSs are inherently
more secure than another because of the way they are made & used.
"Honeypot Project Finds Unpatched Linux PCs Stay Secure Online For Months"
http://nwc.serverpipeline.com/56200435

Posted by Mara on January 11th, 2006


On Wed, 11 Jan 2006 23:26:34 GMT, Fuzzy Logic <bob@arc.ab.caREMOVETHIS> wrote:

<snip>
That's true enough, but you can't apply the patches if they aren't there.

I just love this bit:

EEYEB-20050801 Windows Embedded Open Type (EOT) Font Heap Overflow
Vulnerability

Release Date:
January 10, 2006

Date Reported:
July 31, 2005

Time to Patch:
163 Days

Severity:
High (Code Execution)

Systems Affected:
Windows ME
Windows 98
Windows NT
Windows 2000
Windows XP SP1 / SP2
Windows Server 2003 SP0 / SP1
--
If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology.
-- Bruce Schneier

Posted by Fuzzy Logic on January 12th, 2006


Seatoller <st@securelinux.me> wrote in newsan.2006.01.11.23.45.51.816500
@securelinux.me:

May well be true but that doesn't help Windows users. Here are a couple of
interesting reads:

<http://searchopensource.techtarget.c...0,289142,sid39_gci1157378,00.html>

<http://linux.oneandoneis2.org/LNW.htm>


