Message-ID: <40E47944.8010305@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

Matthew Murphy wrote:

>Actually, you're both wrong, in my opinion. :-)
>
>Overall market share has some to do with the success of worm propagation,
>but the real problem is market share diversity at all levels.  IIS is
>plagued by worms because one piece of code targeting whatever version of IIS
>is widely used can typically infect ~ 95% of the vulnerable portion of the
>IIS market.  Multi-platform products like Apache, on the other hand, have
>the advantage of portability (i.e., variations in the underlying systems
>within its market).  A fantastic example of this is Scalper -- it targeted
>Apache 1.3 running on BSD/IA32.  A very small portion of the market for
>Apache 1.3.
>

While you're right (and, in my view, the issue is even more complex and 
the possibility of a functioning worm on ANY widely used Free Software 
technology being long-lived in the wild is diminished because of it) I 
think that the market share argument is more psychological than anything 
else.

For instance, we can safely say that approx. 25% of all webservers are 
GNU/Linux and the vast majority of those run Apache.  Of those, 
approximately 50% are the latest version of Red Hat (this is an 
assumption, but I think it's probably a fairly safe one).   That's 12.5% 
of all of the web servers on the web running the same version of Apache 
with, presumably, a significant portion of those running on ix86-based 
machines.   Assuming that the worm only utilizes Apache memory space and 
is otherwise self-contained (doesn't require a local nc or tftp or 
anything like that) then the entire body of installed systems would be 
vulnerable to said worm, let's say it's a 0-day worm for the sake of 
argument.

That's certainly a large enough body of systems for a worm to take hold 
on.  The Morris worm did it with far fewer hosts and look at the spread 
of the witty worm for another example.

So, technically, while there's something to what you're saying, Apache 
still has a large enough market share to make it a juicy target for 
worms and exploits.

The market share argument that's being bounced around is actually more of 
a psychological one dealing with the amount of perceived compromisable 
hosts and the glory of the target being attacked.

I personally think that it's futile to try to generalize the motivations 
of the black hat community.  There are as many reasons for them to do 
something as there are reasons to think of.  Market share DOES factor 
into the equation, it just isn't the only factor, and often isn't the 
primary factor.

The existence of exploits for software that is not so heavily used 
proves this point.

Relying on the security of using something because fewer people use it 
is tantamount to security through obscurity, to me.  Having said that, 
right now the most used browser is architecturally flawed, and it just 
so happens that the underdog browsers are better designed.

In the near future, that may not be the case.  If all of this advice is 
heeded and Mozilla is adopted en masse, we may be talking about IE being 
the underdog browser and - my prediction - we'll still see people 
exploiting it because it will still be more exploitable than Mozilla.  
That is, of course, unless Microsoft makes massive changes to its OS 
and rips OS code out of IE, completely redesigning its security model 
-- but I don't see that happening for at least five years.

Microsoft's supporters like to say that they turned the Titanic on a 
dime when they embraced the internet.

The rest of us realize that they never really got what the internet was 
in the first place - and that's where IE's problems come from. 

That's not bashing Microsoft, it's just the fact of how they work as a 
corporation, and a fact of how most large corporations work.  It's 
internally difficult to change the philosophy of a large corporation.  
It's also difficult for them to make major changes like that because 
program designers/users demand a certain amount of backward 
compatibility.  Unlike with Free Software systems, you can't recompile 
Windows with autoconf switches to change its behavior.  Therefore, any 
significant changes to IE are unlikely for the time being.

                -Barry
