Full Disclosure mailing list archives
Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 01 Jul 2004 16:51:16 -0400
Matthew Murphy wrote:
Actually, you're both wrong, in my opinion. :-) Overall market share has some to do with the success of worm propagation, but the real problem is market share diversity at all levels. IIS is plagued by worms because one piece of code targeting whatever version of IIS is widely used can typically infect ~ 95% of the vulnerable portion of the IIS market. Multi-platform products like Apache, on the other hand, have the advantage of portability (i.e, variations in the underlying systems within its market). A fantastic example of this is Scalper -- it targeted Apache 1.3 running on BSD/IA32. A very small portion of the market for Apache 1.3.
While you're right (and, in my view, the issue is even more complex and the possibility of a functioning worm on ANY widely used Free Software technology being long-lived in the wild is diminished because of it) I think that the marketshare argument is more psychological than anything else.
For instance, we can safely say that approx. 25% of all webservers are GNU/Linux and the vast majority of those run Apache. Of those, approximately 50% are the latest version of Red Hat (this is an assumption, but I think it's probably a fairly safe one). That's 12.5% of all of the web servers on the web running the same version of apache with, presumably, a significant portion of those running on ix86 based machines. Assuming that the worm only utilizes Apache memory space and is otherwise self-contained (doesn't requite a local nc or tftp or anything like that) then the entire body of installed systems would be vulnerable to said worm, let's say it's a 0-day worm for the sake of argument.
That's certainly a large enough body of systems for a worm to take hold on. The Morris worm did it with far fewer hosts and look at the spread of the witty worm for another example.
So, technically, while there's something to what you're saying, Apache still has a large enough market share to make it a juicy target for worms and exploits.
The marketshare argument that's being bounced around is actually more of a psychological one dealing with the amount of percieved compromisable hosts and the glory of the target being attacked.
I personally think that it's futile to try to generalize the motivations of the black hat community. There are as many reasons for them to do something as there are reasons to think of. Marketshare DOES factor into the equation, it just isn't the only factor, and often isn't the primary factory.
The existance of exploits for software that is not so heavily used proves this point.
Relying on the security of using something because fewer people use it is tantemount to security through obscurity, to me. Having said that, right now the most used browser is architecturally flawed, and it just so happens that the underdog browsers are better designed.
In the near future, that may not be the case. If all of this advice is heeded and Mozilla is adopted en masse, we may be talking about IE being the underdog browser and - my prediction - we'll still see people exploiting it because it will still be more exploitable than Mozilla. That is, of course, unless Microsoft makes massive changes to it's OS and rips OS code out of IE, completely redesigning it's security model -- but I don't see that happening for at least five years.
Microsoft's supporters like to say that they turned the Titanic on a dime when they embraced the internet.
The rest of us realize that they never really got what the internet was in the first place - and that's where IE's problems come from. That's not bashing Microsoft, it's just the fact of how they work as a corporation, and a fact of how most large corporations work. It's internally difficult to change the philosophy of a large corporation. It's also difficult for them to make major changes like that because program designers/users demand a certain amount of backward compatibility. Unlike with Free Software systems, you can't recompile windows with autoconf switches to change it's behavior. Therefore, any significant changes to IE are unlikely for the time being.
-Barry _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Drew Copley (Jun 30)
- <Possible follow-ups>
- Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Georgi Guninski (Jul 01)
- Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Matthew Murphy (Jul 01)
- Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Barry Fitzgerald (Jul 01)
- Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Matthew Murphy (Jul 01)
- Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Ron DuFresne (Jul 02)
- Critical update for IE disables the ADODB.Stream object insecure (Jul 02)
- Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Matthew Murphy (Jul 01)