funsec mailing list archives
Re: Microsoft announce most secure OS on the planet
From: der Mouse <mouse () rodents-montreal org>
Date: Mon, 20 Apr 2009 23:27:48 -0400 (EDT)
> [...] to date [Firefox] has not been subjected to anything like the same level of scrutiny for exploitable holes by the bad guys (or anyone else) largely because of its market share (and a misguided belief that because OSS code _can_ be scrutinized by millions of eyeballs, it is almost necessarily better scrutinized than non-OSS code). Thus, FF's market share means the (mostly) monetizable value of finding and exploiting vulnerabilities in FF makes doing so orders of magnitude less attractive to the bad guys
That's actually not the only reason. Another is that Firefox has a greater variety of underlying OSes, some of which go to substantially greater lengths than Windows does to make certain common classes of vulnerability (eg, classic smash-the-stack-frame overflows) harder to exploit. This means that even if you find such a bug, your exploit will work only on some indeterminate (but probably, at most, moderate) fraction of Firefox installs: even if the rest are theoretically vulnerable, you have to guess right about various things to make it work, some of which may change from invocation to invocation.
> In a couple of years, as a greater and greater proportion of Windows users are forced to "better" versions of IE, these economics will likely change,
True - but then one place where open source _does_ have an advantage will show itself: the turnaround time on fixes can be _much_ shorter. I have trouble imagining Microsoft releasing an IE fix in less than a week - heck, it's often hard enough to get them to admit a problem _exists_ that fast. But I've seen fixes to OSS appear within as little as a few hours on some occasions. Not that that makes it any easier to get fixes installed....
> but the next low-hanging fruit will then probably be the third-party add-ons that are common _across browsers_ and typically exploitable across browsers too (and yes, we have been seeing this for a while now), rather than "the browser with next largest market share".
There's that, too. One of the best things you can do for the security of your systems is probably to run a non-x86 CPU architecture - a lower-level version of the "Windows 3.1" security I mentioned upthread. Of course, this works only as long as the CPU you choose is chosen for only a small fraction of the machines out there. (Another reason I find the current trend to CPU monoculture depressing.)
/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse () rodents-montreal org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B