Message-ID: <Pine.GSO.4.43.0407020123400.3628-100000@parka.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
On Thu, 1 Jul 2004, Barry Fitzgerald wrote:
> Matthew Murphy wrote:
>
> >Actually, you're both wrong, in my opinion. :-)
> >
> >Overall market share has something to do with the success of worm propagation,
> >but the real problem is market share diversity at all levels. IIS is
> >plagued by worms because one piece of code targeting whatever version of IIS
> >is widely used can typically infect ~ 95% of the vulnerable portion of the
> >IIS market. Multi-platform products like Apache, on the other hand, have
> >the advantage of portability (i.e., variations in the underlying systems
> >within its market). A fantastic example of this is Scalper -- it targeted
> >Apache 1.3 running on BSD/IA32. A very small portion of the market for
> >Apache 1.3.
> >
>
> While you're right (and, in my view, the issue is even more complex and
> the possibility of a functioning worm on ANY widely used Free Software
> technology being long-lived in the wild is diminished because of it) I
> think that the market share argument is more psychological than anything
> else.
>
> For instance, we can safely say that approx. 25% of all webservers are
> GNU/Linux and the vast majority of those run Apache. Of those,
> approximately 50% are the latest version of Red Hat (this is an
> assumption, but I think it's probably a fairly safe one). That's 12.5%
> of all of the web servers on the web running the same version of Apache
> with, presumably, a significant portion of those running on ix86 based
> machines. Assuming that the worm only utilizes Apache memory space and
> is otherwise self-contained (doesn't require a local nc or tftp or
> anything like that) then the entire body of installed systems would be
> vulnerable to said worm; let's say it's a 0-day worm for the sake of
> argument.
>
If the numbers reflect any sense of reality, they are already flawed
though. Not all Red Hat installs, or even Apache installs, are going to be
alike, even on the same OS versions. Some folks actually do cut Red Hat
installs down to a minimum, rather than load each and every trinket on the
CDs, for production purposes. Some who follow that route, or those who go
for the kitchen-sink install, might still not use the Red Hat tarball for
various reasons; they grab the Apache source and whatever side apps they
need, compile them in, and there you have broken from 'the standard'. Not to
mention that not all Linux is Red Hat... And then we have modules: Linux is
modular, Apache is modular, configs again can be pretty diverse... I start
to get the impression that the margin of error needing to be calculated in
makes the issue even more complex... unless of course one targets something
key to the Linux kernel or TCP/IP stack, or the core base of Apache...
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
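The argument running through this thread, as an added example that is not code from any of the original posts: a worm only reaches the hosts where every layer of the stack (OS, distribution, version, architecture, build, enabled module) matches its target, so the reachable population is the product of the per-layer fractions, and a random-scanning worm's time to saturate that population grows as the population shrinks. The total server count and the per-layer fractions below are constructed to mirror the thread's back-of-the-envelope numbers, not measurements, and the spread model is the standard logistic approximation for a random-scanning worm, which ignores bandwidth limits, patching and non-uniform address usage.

```python
"""Toy model of how install-base diversity shrinks a worm's reachable
population and slows its spread.

Added example, not code from the original mailing-list thread. The
fractions and host counts are constructed inputs; the propagation model is
a simplification (logistic growth of a uniform random scanner).
"""
from functools import reduce

ADDRESS_SPACE = 2 ** 32        # IPv4: the space a random scanner draws from
WEB_SERVERS = 5_000_000        # constructed total population of reachable web servers

# Barry's estimate: 25% GNU/Linux, half of those on the current Red Hat.
HOMOGENEOUS_LAYERS = [0.25, 0.5]

# Ron's objection, as constructed fractions: same CPU architecture, stock
# (not self-compiled) Apache, and the targeted module actually enabled.
DIVERSE_LAYERS = HOMOGENEOUS_LAYERS + [0.9, 0.6, 0.5]


def reachable_fraction(layers):
    """Fraction of the population one exploit payload can hit: the product of
    the per-layer fractions, because every layer must match at once."""
    return reduce(lambda acc, f: acc * f, layers, 1.0)


def ticks_to_saturate(vulnerable, scan_rate, seed=1, target=0.9, max_ticks=1_000_000):
    """Discrete-time logistic spread of a random-scanning worm.

    Each infected host probes `scan_rate` random addresses per tick; a probe
    lands on a still-uninfected vulnerable host with probability
    (vulnerable - infected) / ADDRESS_SPACE.  Returns the tick at which
    `target` of the vulnerable hosts are infected, or None if `max_ticks`
    runs out first (the worm never takes off in the modelled window).
    """
    infected = float(seed)
    for tick in range(1, max_ticks + 1):
        new_infections = infected * scan_rate * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new_infections)
        if infected >= target * vulnerable:
            return tick
    return None


def compare_scenarios(scan_rate=10):
    """Run both scenarios; return vulnerable host counts and saturation times."""
    results = {}
    for name, layers in (("homogeneous", HOMOGENEOUS_LAYERS), ("diverse", DIVERSE_LAYERS)):
        # round() rather than int() so binary rounding of the fractions
        # cannot drop a host from the count.
        vulnerable = round(WEB_SERVERS * reachable_fraction(layers))
        results[name] = {
            "vulnerable_hosts": vulnerable,
            "ticks_to_90pct": ticks_to_saturate(vulnerable, scan_rate),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_scenarios().items():
        print(f"{name:12s} vulnerable={r['vulnerable_hosts']:>8d} "
              f"ticks to 90%={r['ticks_to_90pct']}")
```

Run as a script to print both scenarios. With the constructed inputs the homogeneous case (625,000 hosts) saturates in roughly three hours of one-second ticks at ten scans per second, the diversified case (168,750 hosts) in roughly ten. In the logistic model the time to reach a given fraction is about (1/K) ln(9V) with K proportional to V, so it scales close to 1/V: each further layer that only a fraction of installs share lengthens the worm's window to be noticed and blocked by roughly the inverse of that fraction, which is the point Ron makes about minimal installs, self-compiled Apache and module choices.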