Full Disclosure mailing list archives
Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 2 Jul 2004 01:35:32 -0500 (CDT)
On Thu, 1 Jul 2004, Barry Fitzgerald wrote:
> Matthew Murphy wrote:
>
> > Actually, you're both wrong, in my opinion. :-) Overall market share has some to do with the success of worm propagation, but the real problem is market share diversity at all levels. IIS is plagued by worms because one piece of code targeting whatever version of IIS is widely used can typically infect ~95% of the vulnerable portion of the IIS market. Multi-platform products like Apache, on the other hand, have the advantage of portability (i.e., variations in the underlying systems within its market). A fantastic example of this is Scalper -- it targeted Apache 1.3 running on BSD/IA32. A very small portion of the market for Apache 1.3.
>
> While you're right (and, in my view, the issue is even more complex and the possibility of a functioning worm on ANY widely used Free Software technology being long-lived in the wild is diminished because of it) I think that the marketshare argument is more psychological than anything else. For instance, we can safely say that approx. 25% of all webservers are GNU/Linux and the vast majority of those run Apache. Of those, approximately 50% are the latest version of Red Hat (this is an assumption, but I think it's probably a fairly safe one). That's 12.5% of all of the web servers on the web running the same version of apache with, presumably, a significant portion of those running on ix86 based machines. Assuming that the worm only utilizes Apache memory space and is otherwise self-contained (doesn't require a local nc or tftp or anything like that) then the entire body of installed systems would be vulnerable to said worm, let's say it's a 0-day worm for the sake of argument.
If the numbers reflect any sense of reality, they are already flawed though. Not all red-hat installs, or even of apache, are going to be alike, even on the same OS versions. Some folks actually do cut down red-hat installs to minimums, rather than load each and every trinket on the CD's for prod purposes. Some that follow that, or those who toss in the kitchen-sink installs, might still not use the red-hat tarball for various reasons, grab apache source and whatever side apps they need to compile in, and there you have broken from 'the standard'. Not to mention that not all linux is red-hat... And then we have modules: linux is modular, apache is modular, configs again can be pretty diverse... I start to get the impression the margin of error needing to be calculated in makes the issue even more complex... unless of course one targets something key to the linux kernel or tcp-ip stack, or the core base of apache...

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
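Both messages above make a quantitative argument: a single exploit only reaches hosts that match every assumption baked into it (OS, distribution, release, architecture, vendor build vs. source build, loaded modules), and each extra layer of diversity shrinks that fraction. The toy model below is an added example, not code from the thread: it multiplies per-layer shares to get the susceptible fraction and runs an expected-value model of a random-scanning worm to show how the worm's growth rate scales with that fraction. The population size, scan rate and the shares beyond Barry's 25%/50% figures are constructed illustrative values.

```python
from math import prod


def susceptible_fraction(layer_shares):
    """Fraction of hosts matching every assumption an exploit bakes in.

    Each entry is the share of the previous layer's hosts that also match the
    next layer (OS, distro, release, arch, vendor build, config); the product
    is the reach of a single-configuration exploit.
    """
    return prod(layer_shares)


def worm_growth(n_hosts, frac, scans_per_step, steps):
    """Expected number of infected hosts per step for a random-scanning worm.

    Each infected host probes scans_per_step addresses per step, chosen
    uniformly from n_hosts; a probe only succeeds on a still-clean susceptible
    host. This is a discrete logistic curve with growth rate
    scans_per_step * frac, so every extra diversity layer divides that rate.
    """
    susceptible = n_hosts * frac
    infected = 1.0  # one seed host
    history = [infected]
    for _ in range(steps):
        hit_rate = (susceptible - infected) / n_hosts
        infected = min(susceptible, infected + infected * scans_per_step * hit_rate)
        history.append(infected)
    return history


def steps_to_reach(n_hosts, frac, scans_per_step, target=0.9, max_steps=10_000):
    """Steps until the worm holds `target` of the susceptible hosts, or None."""
    susceptible = n_hosts * frac
    curve = worm_growth(n_hosts, frac, scans_per_step, max_steps)
    for step, infected in enumerate(curve):
        if infected >= target * susceptible:
            return step
    return None


if __name__ == "__main__":
    # Barry's figures: 25% GNU/Linux, half of those on the same Red Hat release.
    two_layers = susceptible_fraction([0.25, 0.5])
    # Ron's objection: constructed shares for arch, source-vs-package build, config.
    five_layers = susceptible_fraction([0.25, 0.5, 0.8, 0.6, 0.4])
    for label, frac in (("two layers", two_layers), ("five layers", five_layers)):
        steps = steps_to_reach(100_000, frac, 4)
        print(f"{label}: susceptible fraction {frac:.4f}, steps to 90%: {steps}")
```

Because the growth rate is the product of scan rate and susceptible fraction, halving the matching population roughly doubles the time the worm needs to saturate it, which is the margin a defender gains from each layer of heterogeneity.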