Re: Windows: insecure by design?


From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Mon Aug 25 2003 - 15:58:57 PDT


Hi Greg and Eric,

At 14:09 -0700 2003-08-25, Greg Small wrote:
>The "biggest target" argument for Windows is still the dominant reason
>for the number of attacks against Windows. You can endlessly argue
>details pro and con but "biggest target" is still the main reason.
>You rob banks because that's where the money is.

   That's likely true -- I agree with both you and Craig on this point
-- and is not in dispute in this discussion.

   As an aside, Ellen Simms has shared an intriguing perspective on
this phenomenon, comparing computer viruses to viruses in the natural
world:

>... there is an important point regarding the relative density of
>each type of operating system. Just as in animal or plant hosts of
>real diseases, computers of the most common "phenotype" are most
>vulnerable to viruses because they are part of the biggest target
>(the most abundant resource available to viruses). There's a huge
>literature on the epidemiology of diseases that is based on this
>density-dependence phenomenon.

   However, Craig's assertion was that, notwithstanding the number of
reported attacks, the number of reported *vulnerabilities* in Windows
is purely a function of market share.

At 14:18:13 -0800 05 Nov 2002, Craig Lant <craig_at_ack.berkeley.edu> wrote:
>Clearly the numbers [of reported vulnerabilities] simply reflect the
>number of deployed systems for each platform. The more systems there
>are of a particular type out there, the more attacks you'll see and
>the more vulnerabilities will be found. Duh!
>
>I certainly don't think it's valid to conclude that SCO Unix and Mac
>OS are less vulnerable than the others. It's not that they don't
>have as many vulnerabilities. It's just that fewer people are
>looking for those vulnerabilities. So, they just aren't found (yet).

   That's where I emphatically disagree.

   First, it should be obvious to any objective observer that the
Classic Mac OS (Mac OS through version 9.2.2) -- for all its myriad
limitations as an operating system, compared with the Windows
NT/2000/XP family, Unix variants (including Mac OS X), Linux, and
others -- is relatively invulnerable to network attacks when compared
to that same set of competing OSes, in large part due to those
limitations. I'd be very willing to discuss this assertion further
offline ...

   In addition, there have been some OSes that have been designed with
security considerations paramount from their inception. For
instance, in an opinion piece
<http://www.theinquirer.net/?article=11108> called to my attention by
Al Stangenberger, the author writes:

>OpenVMS['s ...] bug list is still in the low double digits after
>about 30 major and minor versions in its 25 years, which is a sharp
>contrast to Microsoft's 130 problems in year 2000 alone!

   Microsoft introduced many of the vulnerabilities in Windows through
myriad design choices within the OS over the years, regardless of
whether these choices were induced by customer demand, resulted from
a desire to add functionality to garner additional market share, or
simply occurred due to a lack of awareness of their security
consequences. While Windows' market share visibility has
indisputably led to laser-like scrutiny by crackers and authors of
worms, trojans, and viruses, that's not the exclusive, single,
solitary reason that more vulnerabilities have been -- and continue
to be -- identified in this OS, compared with other modern OSes.
Deliberate design factors have long played a part in this, as well.

   For instance, beyond the Windows OS itself, a relevant example is
Microsoft's application scripting (macro) languages. More viruses
have been written in WordBasic and Visual Basic for Applications than
in any other language. Other non-Microsoft commercial office suites
have included cross-application scripting languages, but most of
these have lacked the key features that have made viruses targeting
Microsoft Word (and to a minor degree, Excel) so effective.

   For instance, Corel's office suite offered a comparable scripting
language. However, CorelScript macros reside in separate files,
rather than being stored directly within word processing and
spreadsheet documents, making it more challenging for prospective
virus writers to surreptitiously deliver macro viruses. Also, while
early versions of Microsoft Word could only run macros in Word
template documents, Microsoft made it possible, beginning with Word
97, for Word to run macros in any Word document with a filename
extension of ".DOC". This made it possible for virus writers to
deliver virus-infected template files which looked like ordinary
document files, just by changing their filename extension from ".DOT"
to ".DOC".

   This is another example of deliberate choices made in the past by
Microsoft which, by giving more power and convenience to programmers
and scripters (both commercial and in-house), also concomitantly gave
this same power and convenience to virus writers.

At 13:39 -0700 2003-08-25, Eric Chamberlain, CISSP wrote:
>I don't think you are making accurate comparisons by comparing a variety
>of Microsoft products to specific non-Microsoft operating systems.

   The point by point comparisons in Rob Pegoraro's article, citing
the number of network ports open to the Internet in default
configurations of Windows XP Home Edition and Mac OS X; the default
privileges granted to admin and non-admin users in XP Home, OS X, and
Linux; and how the integral software firewall comes configured, and
how easy it is to enable, in those three OSes; are as accurate and
specific as they come. They illustrate discrete design decisions
which have a direct impact on the security of an unmanaged system in
its default configuration.

Eric continued:
>Slammer exploited a database, Blaster exploited the OS, and SoBig
>exploited users.

   This illustrates how extensively vulnerabilities are present
throughout the Windows OSes.

   The vulnerabilities that Slammer exploited were present not only in
an easily identified application, Microsoft's SQL Server database,
but also in some low-level Windows database components, created by
Microsoft to make life easier for programmers at the expense of
introducing security vulnerabilities, that were installed by various
Microsoft and third-party applications. As one report on this worm
noted, "Analysts also point out that many home users are running SQL
on their machines and don't even realize it. The software often comes
bundled in third-party software packages, including games."

    SoBig was able to exploit users, in part, due to a default feature
of most Windows OSes which, if not changed, allows the ".pif"
filename extension to be hidden in the names of files attached to
e-mail messages. A user may believe they're opening a Word document
or an audio file sent to them as an attachment, when in fact they're
launching a shortcut that will cause code to be executed. This was
another design decision by Microsoft, which has made "social
engineering" attacks considerably more effective.

Eric pointed out:
>Each of these exploits have had minimal impact on
>systems that are properly managed. In all the mentioned cases,
>administrators have had ample warning to patch their machines.

   The key phrase here is "properly managed." In this, Eric and I are
in accord. As we both know, a sufficient number of Windows systems
didn't fall into this camp, on campus and particularly in the world
at large, so as to cause significant deleterious impacts on many
individuals and institutions and (in the case of Slammer) on the
Internet as a whole.

   However these two messages might be interpreted, my intent is not
to bash Microsoft as an operating system vendor -- it is clear
they've made a major commitment to mend their ways -- or to suggest
that Windows operating systems are unsuitable for campus use,
especially in a managed environment. But it struck me as odd -- as
though no one has been willing to talk about the proverbial "elephant
in the room" -- that these issues don't appear to have been raised
during the flurry of recent messages about the RPC DCOM vulnerability.

   This discussion underscores the points that many people, including
(I believe) Craig, Greg, and Eric, have made over the years -- modern
operating systems have gotten sufficiently complex and powerful as to
greatly benefit by, perhaps even require, expert administration.

   While I've put the spotlight on decisions made by Microsoft, the
Mac OS X workstation on my desk no doubt harbors vulnerabilities
which, if hackers decided to shift their focus to my OS, might well
be exploitable to serious effect. And these are not just limited to
vulnerabilities in various Unix applications bundled with Mac OS X,
which crop up with some frequency. As an example, in Mac OS X 10.2,
Apple introduced a new API which opens access to the system-wide
Address Book to other applications. This may potentially make it
easier for self-mailing worms to mail themselves to addresses in a
user's Address Book, akin to the many worms which have exploited
similar capabilities in Outlook and Exchange mailboxes under Windows.

Aron Roberts
Workstation Software Support Group
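The hidden ".pif" extension trick described in the message above, as an added defender-side illustration that is not part of the original post or of any Microsoft tool: a constructed gateway heuristic that reproduces how Explorer displays an attachment name with known extensions hidden, and flags names whose real extension is executable while the displayed name looks like a document or media file. The extension lists and sample names are assumptions made for the example.

```python
"""Triage of e-mail attachment names for the hidden-extension trick.

With "Hide extensions for known file types" on, Windows drops the final
extension from the displayed name, so "thank_you.doc.pif" is shown as
"thank_you.doc". A gateway can catch this by comparing the real (last)
extension with what the displayed name suggests.
"""
import os

# Extensions Windows executes when opened (constructed list, not exhaustive;
# .pif is the one the message attributes to SoBig).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to be harmless data (constructed list).
DATA_EXTS = {".doc", ".dot", ".xls", ".txt", ".pdf", ".mp3", ".wav", ".mpg", ".jpg"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with known extensions hidden: only the last
    extension disappears, which is what makes the trick work."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify(filename: str) -> dict:
    """Return the real extension, the displayed name and a verdict."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    # rstrip() handles padding such as "document.doc<spaces>.pif", which
    # pushes the real extension out of a narrow name column.
    shown_ext = os.path.splitext(shown.rstrip())[1].lower()
    executable = real_ext in EXECUTABLE_EXTS
    return {"real_ext": real_ext, "shown": shown, "executable": executable,
            "deceptive": executable and shown_ext in DATA_EXTS}


def triage(filenames):
    """Names a gateway should quarantine: anything executable, deceptive or not."""
    return [f for f in filenames if classify(f)["executable"]]


# Constructed sample attachment names for the demonstration.
SAMPLES = ["your_details.pif", "movie.mpg.pif", "application.doc",
           "thank_you.doc.pif", "wicked screensaver.scr",
           "document.doc" + " " * 40 + ".pif"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), "->", classify(name))
```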

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.



This archive was generated by hypermail 2.1.5 : Mon Aug 25 2003 - 16:02:04 PDT