Full Disclosure mailing list archives
Re: Microsoft AntiSpyware: Will it be free and Vulnerable
From: Dan Margolis <fd.lists.dmargoli () af0 net>
Date: Tue, 11 Jan 2005 20:28:26 -0500
On Tue, Jan 11, 2005 at 10:03:30PM +0100, devis wrote:
> It is a proven matter that spyware does exploit IE holes (Iframe bugs, ActiveX etc etc). Do your work on a few and you will see.
Perhaps some do, but generally speaking this is unnecessary for spyware to exist, as I said before; spyware exists regardless of such vulnerabilities.
> Besides, you missed the point entirely: if a user, just by clicking, can install spyware on his machine, then the OS / browser is to blame, not the actual (bad) code (exploiting it) floating around websites.
A user can install spyware with one click for the same reason he can install a *good* application with one click. Having the user run every day with install privileges is relatively irrelevant; if he owns the machine, he will have the ability to install things. Being prompted for an admin password (as in the case of OSX) hardly prevents a stupid user from installing crap.
> Once again, you are missing the point completely: if M$ didn't 'slack code' their OS, spyware would: 1) not install
How do you intend to make spyware not install while still allowing the user to install other things?
> 2) therefore not exist in the form, numbers and variety we know them
See above.
> I'll give you a clue: try to get a 'tool bar' or some 'other added bonus' automagically on bsd/unix/linux/solaris using any browser, on any site, clicking randomly.
I cannot do so from "clicking randomly," but I quite easily can simply from clicking "OK" to the download prompt. Firefox installs plugins and toolbars just as easily as IE does.
> As you said, 'It's very, very difficult to prevent people from voluntarily installing spyware on their own systems.' Yes indeed, because MS made it so that the average Joe is an admin and therefore has supreme powers out of the box.
So we don't give the *owner* admin privileges? Mac does this, as does Linux. I don't know of a single OS where the machine's owner does not, by default, have admin access.
> Usability costs security. Always has, always will.
Of course. But the ability to execute code is pretty much non-negotiable. I will never buy a general purpose PC on which I cannot run programs of my choosing. And if MS sold one as such, you would be here complaining about that instead. The point is, spyware does not require OS vulnerabilities to be spyware, and it likely, for a long time to come, never will. I never argued that Windows is the most secure OS, however, only that spyware does not imply bugs. And that point should, by now, be crystal clear.
--
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html