Full Disclosure mailing list archives

Re: CyberInsecurity: The cost of Monopoly


From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sat, 27 Sep 2003 02:04:05 -0500

"Bruce Ediger" <eballen1 () qwest net> wrote:
> On Fri, 26 Sep 2003, Rick Kingslan wrote:
>
>> I'll not argue that the Windows operating systems are the target of the
>> majority of viruses, but that's typically what happens when a system is
>> used by a known large group of people that might not be qualified to run a
>> computer, much less secure it.
>
> Doesn't this just constitute special pleading to use Microsoft's products?
> For example, this theory is totally unfalsifiable - only Microsoft products
> are in such a position.
>
> Oh, wait.  Apache has about 2 times the market share of IIS, and I'm
> still getting Code Red and Nimda hits TWO YEARS after they were released.
>
> By contrast, I only got about 2 days worth of hits from Slapper.
> [snip]

And, of course, this theory has complete relevance in the discussion -- oh
wait, Apache runs on dozens of different OSes, and by the time you include
individual distributors' binary packages, you're getting into ~100 different
Apache flavors (a conservative estimate).  IIS runs on OSes which are (under
the hood) quite alike -- Windows NT 4.0, Windows 2000, Windows XP, and
Windows Server 2003.

The reason you only get two hits a day from Slapper is because that worm
targeted a very small portion of Apache's install base (certain versions of
Apache 1.3 + mod_ssl installed + SSLv2 support + certain OpenSSL versions +
certain Linux distributions, ...), while the only inhibiting factor to Nimda
was a vulnerable version of IIS.  Similarly, Code Red didn't require any
non-default settings (sadly), all it required was a vulnerable Windows 2000
Gold setup.  In some cases, the exploits used in Slapper are
language-dependent, whereas Code Red and Nimda were not, ...

I could go on all day.  When you see the first Apache exploit that works on
a third or half of vulnerable Apache installs with a single target (an event
I probably will not live to witness), then we can talk about
disproportionate numbers of attacks against systems.  When you get into
discussion about system monoculture, so to speak, you have to assess the
system at every level -- right down to the CPU in many cases.

This is the problem with the theory of system monoculture -- variations at
one level often create a tendency at another level.  For instance, the
reason IIS has remained limited to 30% of servers is because it runs on
fewer (Microsoft) platforms.  However, this makes IIS a more attractive
target in terms of attack success as the OS framework underneath it (which
plays a substantial role in exploitation) is similar.  Had the market
balance been shifted in favor of Apache even further, presumably in favor of
cross-platform portability (thus requiring any number of exploit methods for
one version), the attacker would then have a greater chance of guessing the
correct exploit method, as a greater number of potential victims is
available.  Similarly, had IIS been ported to multiple platforms and become
the majority server, Code Red would have perhaps seen a *decrease* in
infections due to crashing many potential victims.
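The monoculture argument above, modelled as an added example that is not from the original post or its author: a toy mean-field worm model with invented shares and vulnerable fractions, comparing a single-flavour install base against one split three ways, where a mismatched exploit crashes the host.

```python
# Toy mean-field model of a worm that carries one exploit method and spreads
# over an install base split into several flavours. Constructed example: the
# shares and vulnerable fractions below are invented, not measurements.
import math
from dataclasses import dataclass

@dataclass
class Variant:
    name: str
    share: float       # fraction of the install base running this flavour
    vulnerable: float  # fraction of that flavour actually exposing the bug

def simulate(variants, target, steps=30, scan_rate=2.0, seed=1e-4, crash_on_miss=True):
    """Discrete-time SI model; returns (infected, crashed) as fractions of the base.

    Each step every infected host probes `scan_rate` random hosts. A probe that
    lands on an uninfected vulnerable host of the `target` flavour infects it; a
    probe landing on a vulnerable host of another flavour crashes it when
    crash_on_miss is set, removing it from the pool, and otherwise fails quietly.
    """
    suscept = {v.name: v.share * v.vulnerable for v in variants}
    infected = min(seed, suscept[target])
    suscept[target] -= infected
    crashed = 0.0
    for _ in range(steps):
        # probability that any given host is probed at least once this step
        hit = 1.0 - math.exp(-infected * scan_rate)
        for name in suscept:
            touched = suscept[name] * hit
            if name == target:
                suscept[name] -= touched
                infected += touched
            elif crash_on_miss:
                suscept[name] -= touched
                crashed += touched
    return infected, crashed

def compare(steps=30):
    """Same vulnerable population (half of all hosts), as one flavour vs three."""
    mono = [Variant("single-flavour", 1.0, 0.5)]
    mixed = [Variant(f"flavour-{c}", 1 / 3, 0.5) for c in "abc"]
    return simulate(mono, "single-flavour", steps), simulate(mixed, "flavour-a", steps)

if __name__ == "__main__":
    (mono_inf, _), (mixed_inf, mixed_crash) = compare()
    print(f"one flavour:    infected {mono_inf:.3f}")
    print(f"three flavours: infected {mixed_inf:.3f}, crashed {mixed_crash:.3f}")
```

With the same total vulnerable population, the single-flavour base is essentially fully infected within the run, while the split base caps at one third of that and loses about twice as many hosts to crashes as to infection.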

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html