| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mattmurphy at kc.rr.com (Matthew Murphy) Subject: CyberInsecurity: The cost of Monopoly "Bruce Ediger" <eballen1@...st.net> wrote: > On Fri, 26 Sep 2003, Rick Kingslan wrote: > > > I'll not argue that the Windows operating systems are the target of the > > majority of virus', but that's typically what happens when a system is used > > by a known large group of people that might not be qualified to run a > > computer, much less secure it. > > Doesn't this just constitute special pleading to use Microsoft's products? > For example, this theory is totally unfalsifiable - only Microsoft products > are in such a position. > > Oh, wait. Apache has about 2 times the market share of IIS, and I'm > still getting Code Red and Nimda hits TWO YEARS after they were released. > > By contrast, I only got about 2 days worth of hits from Slapper. [snip] And, of course, this theory has complete relevance in the discussion -- oh wait, Apache runs on dozens of different OSes, and by the time you include individual distributors' binary packages, you're getting into ~100 different Apache flavors (a conservative estimate). IIS runs on OSes which are (under the hood) quite alike -- Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. The reason you only get two hits a day from Slapper is because that worm targeted a very small portion of Apache's install base (certain versions of Apache 1.3 + mod_ssl installed + SSLv2 support + certain OpenSSL versions + certain linux distributions, ...), while the only inhibiting factor to Nimda was a vulnerable version of IIS. Similarly, Code Red didn't require any non-default settings (sadly), all it required was a vulnerable Windows 2000 Gold setup. In some cases, the exploits used in Slapper are language-dependant, whereas Code Red and Nimda were not, ... I could go on all day. When you see the first Apache exploit that works on a third or half of vulnerable Apache installs with a single target (an event I probably will not live to witness), then we can talk about disproportionate numbers of attacks against systems. When you get into discussion about system monoculture, so to speak, you have to assess the system at every level -- right down to the CPU in many cases. This is the problem with the theory of system monoculture -- variations at one level often create a tendency at another level. For instance, the reason IIS has remained limited to 30% of servers is because it runs on fewer (Microsoft) platforms. However, this makes IIS a more attractive target in terms of attack success as the OS framework underneath it (which plays a substantial role in exploitation) is similar. Had the market balance been shifted in favor of Apache even further, presumably in favor of cross-platform portability (thus requiring any number of exploit methods for one version), the attacker would then have a greater chance of guessing the correct exploit method, as a greater number of potential victims is available. Similarly, had IIS been ported to multiple platforms and became the majority server, Code Red would have perhaps seen a *decrease* in infections due to crashing many potential victims.
Powered by blists - more mailing lists