Microsoft Found Another (Serious) Hole in Windows!

Will it ever end?

Interesting that the flaw was identified by "eEye Securities" in July last year although Microsoft has only yesterday got round to admitt the problem and issue a fix.

Probably not. Windows is a very complicated operating system, so it is inevitable that some glitches will occur. Also, hackers are becoming more and more sophisticated.

I read about the XP Service Pack 2 which is now it beta, and will be coming out in a few months. From what I have read, people in the know are pretty excited about it. Most of the changes have to do with security, rather than adding new bells and whistles. The firewall is supposed to be much improved, too!

Walter- I dunno. Since I have my new XP, I already have downloaded a number of critical downloads. This may be an entirely new threat that is being addressed.

scrap it all and move to linux

Husker- And just when I figured out Windows!

On a serious note - I was thinking about moving from win2000 to xpPro - but I'm going to hold off for awhile yet.

I have XP Pro. Love it. (while crossing my fingers )

Thanks Phoenix!

Phoenix,

Don't let Microsoft off the hook so easily. These security holes happen because they let them happen. The fact that the software is "complex" shouldn't matter. There are many things they could do to make their OS's a lot more secure.

Security simply hasn't been a priority for Microsoft. Their priorities seem to be maintaining a monopoly and elbowing out competition.

This is why Linux is clearly superior on this front.

ebrown_p- Some time ago, on my old computer, I was considering downloading Linux. I became a little intimidated, and decided to stick with good old, intuitive Windows. It was my decision, after I considered the pros and cons.

So as they say, "I pay my money and I take my choice".

Understood.

Many of us who do computers professionally are very upset at the many things that Microsoft does that hurt the industry. This is just one of them.

I must admit that Windows does provide a greater range of software. It also is universal which makes it easier for the casual user to get help.

But I am bitter that Microsoft keeps its position of dominance, in spite of its blunders and its purposeful attempts to hurt the (rest of the ) industry. It does this, not by becoming a better citizen in the IT world, but by maintaining it's monopoly and elbowing out its competition.

Linux is getting quite a bit of traction because of the security issue. And, we need it to counter the marketing monstrosity that is Microsoft.

Bull! Linux is not superior in security and has fewer high-profile exploits only because hackers very rarely code exploits for anything other than the most popular operating system.

Even if an exploit took down 90% of the computers using linux it would not be as big a deal as if 5% of the machines on Windows were exploited. This is why the many holes in Linux don't get much attention.

No software company in history comes close to Microsoft's proficiency in patching vulnerabilities.

The tired old mantra that moving to linux would help is absurd. When everyone uses a different operating system that will simply be the OS that is targeted.

I respectfully disagree.

Linux is a superior *technology* when it comes to security. It is not just a matter of there being less Linux hackers. Microsoft has made decisions that make it especially vulnerable to the types of worms we have seen.

Here are some specific examples.

1. The "registry" in Microsoft is invisible to most users (who are not very computer savvy), but open to programs (including malicious ones). In Linux changes done by malicious programs to the system are much easier to prevent, detect and fix.

2. Microsoft Word documents can contain "macros" which allow a document to run a program when you view it. This is a feature that is wanted by very few people. However it is turned on by default.

3. Microsoft Outlook allows embedded programs to view the address book !?!? This is just stupid, and the cause of many of the worms that spread so fast.

4. Linux is at the forefront of security (even though it does not face the level of attacks that Windows is facing.) When I download a program, it usually comes digitally signed from a trusted source. Linux user expect this.

... and there are many more.

In addition Linux offers a more robust file protections scheme. (I am not sure how recent Windows releases do on this front ). But this means that one user can not change files important to the system - even by accident.

(I wont mention Thread security)

But the biggest advantage the Linux has is that it is Open.
The Linux community works together to find the security holes, and when we do, we fix them. There are no proprietary software features deep in the OS to be exploited.

The mantra - "Moving to Linux would help" is neither tired nor absurd. Sure, there are hole sin Linux, and perhaps they will be exploited in the future.

But Linux does not have anywhere near the amount of vulnerabilities that Microsoft does. This is because Linux avoids the mad rush for marketing-driven features that causes Microsoft to do stupid things. And, Linux has a community that can be vigilent with source that is visible to all.

Eric,

When trying to note the vulnerabilities of a program it is important not to use examples from other unrelated programs. You are comparing one thing to a void.

(Edit to add "unrelated")

Why are you touting examples of Word and Outlook? That is not an operating system.

That is only fair if you then fault linux for all security flaws of all programs that run on the platform.

So when you point out a flaw in Word what Linux program are you comparing it to? The answer is none.

When you point out a flaw in Outlook Express what Linux program are you comparing it to?

The answer is none.

And forgive me if I think a comparison with an existing product to a non-existent one is a fair way of illustrating which has more security flaws.

It's like saying a castle is weak because in comparsion to one that doesn't exist it has a flaw.

One thing that irks me, we run a heterogenous environment and when the Windows machines get infected, if they happen to map a Samba/CIFS share from a Unix based system, they'll write their stupid filles there (such as .eml's). Then management and the security "experts" all start yelling that Unix box A, B and C are all infected with the new Windows virus. What a joke.

OK Craven,

I guess I was saying that the builder of the castle is weak but I accept your point.

I am making the case that there are inherent weaknesses in Windows (the operating sysem proper), such as the registry and file protections. These areas are handled in a much more secure way by Linux.

Linux culture is a huge advantage for security. I don't think that there are programs in Linux (even the ones that are copying Windows programs), that have such egregious holes. The community wouldn't accept this, and there are many people watching.

Microsoft marketing has the remarkable ability to convince people to accept things the way they are.

Oh by their own definition they are weak. But the prevalence of their software is really their greatest weakness.

It's easy to fault them for Word and Outlook. There are lots of flaws.

But those are also the programs with the greatest potential for vulnerability. And in comparison to a void I'm not sure a strong case can be made that it is inordinately flawed.

I agree that file permissions are a boon that Windows doesn't have. But then again it makes it less user-friendly. Just about every single thing done to be friendly to users is friendly to exploits.

You say that Linux programs don't have such holes and I can't understand why. Every single day I patch a Linux box.

The open source culture is a boon and a bane.

In any case I see huge differences that make it not apples to apples.

Popularity and prevalence means Microsoft is in the news for exploits more often.

It means exploits are more compatible with them.

User-friendliness is exploit-friendliness. Linux will be less exploit-friendly at the cost of user-friendliness. If Linux were the notm it would have to include more user-friendliness and the associated downside.

Linix users tend to be nerds to put it simply. And nerds themselves are a great barrier to exploits.

Lots of the things you are faulting Microsoft for are things a nerd would address quickly. Patching up Windows holes and securing a windows box is very easy.

One of the advantages to the closed source is that you can get the patches before the widespread exploit comes.

That is, once a theoretical exploit is reported and proof of concept is acheived MS usually has a patch. And it usually comes before the automated exploit (worm, vurus) is released.

With linux the patch doesn't come as quickly. And because of the open source nature of the community the quality of patching and updates varies greatly, based on the distributor.

Insofar as update distribution goes Windows is unrivalled.

Thanks Phoenix.