
MS Traces Duqu Zero-Day To Font Parsing In Win32k

timothy posted more than 2 years ago | from the if-only-smarts-and-ethics-went-together dept.

Security 221

yuhong writes "MS has traced the Duqu zero-day to a vulnerability in font parsing in win32k. Many file formats like HTML, Office, and PDF support embedded fonts, and in NT4 and later fonts are parsed in kernel mode! Other possible attack vectors, for example, include web pages visited using web browsers that support embedded fonts without the OTS font sanitizer (which recent versions of Firefox and Chrome have adopted)." Adds reader Trailrunner7: "This is the first time that the exact location and nature of the flaw has been made public. Microsoft said that the permanent fix for the new vulnerability will not be ready in time for next week's November patch Tuesday release."
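The summary's point about browsers adopting the OTS font sanitizer is that a font file is untrusted input, and the table directory at the front of a TrueType/OpenType (sfnt) file is the first place a malformed file can steer a parser out of bounds. The following is an added example, not code from the Slashdot story or from OTS: a C check of the sfnt offset table and table records (magic, table count, directory fitting in the buffer, each table's offset plus length staying inside the file without 32-bit wraparound, no two tables overlapping) that a sanitizer can run before any table is handed to a real parser. The 64-table policy limit, the tag list and the sample directory built in `main` are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the table-directory check. */
enum sfnt_status {
    SFNT_OK = 0,
    SFNT_TOO_SHORT,            /* shorter than the 12-byte offset table */
    SFNT_BAD_MAGIC,            /* not 0x00010000, 'OTTO' or 'true' */
    SFNT_BAD_TABLE_COUNT,      /* zero tables, or more than our policy limit */
    SFNT_DIRECTORY_TRUNCATED,  /* numTables * 16 bytes of records do not fit */
    SFNT_TABLE_OUT_OF_BOUNDS,  /* offset/length wraps or points past the end */
    SFNT_TABLE_OVERLAP         /* two tables share bytes */
};

#define SFNT_MAX_TABLES 64  /* policy limit chosen for this example; real fonts use far fewer */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Validate the sfnt offset table and table records before any table is parsed. */
enum sfnt_status sfnt_check_directory(const uint8_t *buf, size_t len)
{
    if (len < 12) return SFNT_TOO_SHORT;
    uint32_t magic = rd32(buf);
    if (magic != 0x00010000u && magic != 0x4F54544Fu /* OTTO */ && magic != 0x74727565u /* true */)
        return SFNT_BAD_MAGIC;
    uint16_t n = rd16(buf + 4);
    if (n == 0 || n > SFNT_MAX_TABLES) return SFNT_BAD_TABLE_COUNT;
    size_t dir_end = 12 + 16 * (size_t)n;  /* cannot overflow: n <= 64 */
    if (dir_end > len) return SFNT_DIRECTORY_TRUNCATED;

    uint64_t start[SFNT_MAX_TABLES], end[SFNT_MAX_TABLES];
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + 12 + 16 * (size_t)i;
        uint32_t off = rd32(rec + 8), tlen = rd32(rec + 12);
        /* 64-bit arithmetic so a huge length cannot wrap back inside the buffer */
        start[i] = off;
        end[i] = (uint64_t)off + tlen;
        if (start[i] < dir_end || end[i] > len) return SFNT_TABLE_OUT_OF_BOUNDS;
    }
    /* Pairwise overlap check; n is small, so O(n^2) is fine */
    for (uint16_t i = 0; i < n; i++)
        for (uint16_t j = 0; j < i; j++)
            if (start[i] < end[j] && start[j] < end[i]) return SFNT_TABLE_OVERLAP;
    return SFNT_OK;
}

/* Write a constructed sfnt header and n table records (tags cycle through a fixed
   list) into out; returns the directory size, or 0 if it does not fit. */
size_t sfnt_build_directory(uint8_t *out, size_t cap, const uint32_t *offs,
                            const uint32_t *lens, uint16_t n)
{
    static const char *tags[] = { "head", "hhea", "maxp", "cmap" };
    size_t dir = 12 + 16 * (size_t)n;
    if (n == 0 || dir > cap) return 0;
    wr32(out, 0x00010000u);
    wr16(out + 4, n);
    wr16(out + 6, 0); wr16(out + 8, 0); wr16(out + 10, 0); /* search fields, unused here */
    for (uint16_t i = 0; i < n; i++) {
        uint8_t *rec = out + 12 + 16 * (size_t)i;
        memcpy(rec, tags[i % 4], 4);
        wr32(rec + 4, 0);        /* checksum, not validated in this example */
        wr32(rec + 8, offs[i]);
        wr32(rec + 12, lens[i]);
    }
    return dir;
}

int main(void)
{
    uint8_t font[256] = {0};
    uint32_t offs[2] = { 44, 64 }, lens[2] = { 20, 100 };
    sfnt_build_directory(font, sizeof font, offs, lens, 2);
    printf("well-formed directory: %d\n", sfnt_check_directory(font, sizeof font));
    lens[1] = 0xFFFFFFF0u;  /* length that wraps past 4 GiB in 32-bit arithmetic */
    sfnt_build_directory(font, sizeof font, offs, lens, 2);
    printf("wrapping length:       %d\n", sfnt_check_directory(font, sizeof font));
    return 0;
}
```

The check deliberately stays at the directory level: it rejects a file whose records cannot be trusted before a per-table parser ever dereferences an offset, which is where a kernel-mode parser has the least room for error.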


Kernel mode (1, Insightful)

Tomato42 (2416694) | more than 2 years ago | (#37956680)

And they told me that Linux is monolithic... But I'm damn sure that the kernel doesn't parse fonts.

Re:Kernel mode (2, Informative)

nepka (2501324) | more than 2 years ago | (#37956840)

In fact it does. For example fbcon is part of the kernel and handles, among other things, text rendering. It's not wise to assume things.

Besides, font rendering is quite a common task and needs to be fast. That's why it also needs to be so low level. Yes, you could isolate everything to higher levels, but that only results in bloat and slowness. This was especially true in NT4.0 days, which this exploit dates back to.

Re:Kernel mode (1)

Arlet (29997) | more than 2 years ago | (#37956886)

Does fbcon render TrueType fonts, or only simple bitmaps?

Re:Kernel mode (0)

Anonymous Coward | more than 2 years ago | (#37956996)

fbcon only handles bitmap fonts in a comparatively simple format. Try again.

Re:Kernel mode (1)

Barefoot Monkey (1657313) | more than 2 years ago | (#37957000)

Parsing, not rendering. Does fbcon parse font files? Or is that done in user space?

Re:Kernel mode (0)

Anonymous Coward | more than 2 years ago | (#37957026)

That's why it also needs to be so low level.

Abstraction fail. There is no reason why speed should imply low level, and there is no reason why common should imply kernel. In fact, a process running fully in userspace is most probably faster because it needs less context switching.

On the other hand, if the NT kernel is so badly implemented that userspace is always slower than the kernel, it would explain a lot...

Re:Kernel mode (5, Informative)

marcansoft (727665) | more than 2 years ago | (#37957042)

The kernel doesn't parse fonts. A userspace program parses the font file (which could easily be TrueType if someone feels like supporting that, though it would have to be monospaced). The kernel only gets a raw monochrome bitmap data array for the characters, a width and height, and optionally a character map. No parsing is done in the kernel.

KDFONTOP ioctl arguments:

struct console_font_op {
    unsigned int op;            /* KD_FONT_OP_* */
    unsigned int flags;         /* KD_FONT_FLAG_* */
    unsigned int width, height;
    unsigned int charcount;
    unsigned char *data;        /* font data with height fixed to 32 */
};

fbcon blitting rectangular blobs onto the screen doesn't even remotely qualify as "parsing fonts". Doing TrueType in the kernel, which is what Windows does here, is patently insane.
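To make the split marcansoft describes concrete, here is an added example (not code from the post, and not from the Linux kernel or any console tool): a C loader that parses a PSF1 bitmap font in userspace, validates it, and fills in the `console_font_op` structure quoted above so that the kernel would receive nothing but width, height, glyph count and raw rows. The struct is redeclared locally to mirror the one in the post, `KD_FONT_OP_SET` is given the value it has in `<linux/kd.h>`, the 32-rows-per-glyph layout follows the comment on `data`, and the sample font is constructed inline; the `ioctl(KDFONTOP)` call itself is left as a comment so the example runs anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the KDFONTOP argument struct quoted in the thread; on Linux the real
   one comes from <linux/kd.h>, it is redeclared here so the example compiles anywhere. */
struct console_font_op {
    unsigned int op;        /* KD_FONT_OP_* */
    unsigned int flags;     /* KD_FONT_FLAG_* */
    unsigned int width, height;
    unsigned int charcount;
    unsigned char *data;    /* font data with height fixed to 32 */
};

#define KD_FONT_OP_SET 0           /* value of KD_FONT_OP_SET in <linux/kd.h> */
#define KERNEL_ROWS_PER_GLYPH 32   /* the kernel's fixed per-glyph row count */

enum psf_status {
    PSF_OK = 0,
    PSF_TOO_SHORT = -1,      /* no room for the 4-byte header */
    PSF_BAD_MAGIC = -2,      /* not 0x36 0x04 */
    PSF_BAD_HEIGHT = -3,     /* charsize 0 or above the kernel's 32-row limit */
    PSF_TRUNCATED = -4,      /* fewer glyph bytes than the header promises */
    PSF_OUT_TOO_SMALL = -5   /* caller's kernel buffer cannot hold charcount*32 rows */
};

/* Parse a PSF1 bitmap font (8 pixels wide; header: 0x36 0x04 mode charsize) and
   lay its glyphs out in the 32-rows-per-glyph buffer the kernel expects. */
enum psf_status psf1_to_console_font(const uint8_t *buf, size_t len,
                                     struct console_font_op *op,
                                     uint8_t *out, size_t out_cap)
{
    if (len < 4) return PSF_TOO_SHORT;
    if (buf[0] != 0x36 || buf[1] != 0x04) return PSF_BAD_MAGIC;
    unsigned mode = buf[2], height = buf[3];
    if (height == 0 || height > KERNEL_ROWS_PER_GLYPH) return PSF_BAD_HEIGHT;
    unsigned charcount = (mode & 0x01) ? 512 : 256;
    size_t glyph_bytes = (size_t)charcount * height;   /* at most 512*32 bytes, no overflow */
    if (len - 4 < glyph_bytes) return PSF_TRUNCATED;   /* a unicode table may follow; ignored */
    size_t need = (size_t)charcount * KERNEL_ROWS_PER_GLYPH;
    if (out_cap < need) return PSF_OUT_TOO_SMALL;

    memset(out, 0, need);   /* rows beyond `height` stay zero (padding) */
    for (unsigned g = 0; g < charcount; g++)
        memcpy(out + (size_t)g * KERNEL_ROWS_PER_GLYPH, buf + 4 + (size_t)g * height, height);

    op->op = KD_FONT_OP_SET;
    op->flags = 0;
    op->width = 8;
    op->height = height;
    op->charcount = charcount;
    op->data = out;
    return PSF_OK;
}

/* Constructed sample: a 256-glyph, 8x8 PSF1 font whose only non-blank glyph is 'A'. */
size_t psf1_build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t glyph_A[8] = { 0x18, 0x24, 0x42, 0x7E, 0x42, 0x42, 0x42, 0x00 };
    size_t total = 4 + 256 * 8;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 0x36; out[1] = 0x04; out[2] = 0x00; out[3] = 8;
    memcpy(out + 4 + 0x41 * 8, glyph_A, sizeof glyph_A);
    return total;
}

int main(void)
{
    uint8_t font[4 + 256 * 8];
    static uint8_t kernel_buf[256 * KERNEL_ROWS_PER_GLYPH];
    struct console_font_op op = {0};
    size_t n = psf1_build_sample(font, sizeof font);
    enum psf_status st = psf1_to_console_font(font, n, &op, kernel_buf, sizeof kernel_buf);
    printf("status %d: width=%u height=%u charcount=%u\n", st, op.width, op.height, op.charcount);
    /* A real loader would now call ioctl(fd, KDFONTOP, &op) on the console fd;
       the kernel receives only these numbers and the raw bitmap rows. */
    return st == PSF_OK ? 0 : 1;
}
```

Every decision about the file format (magic, mode bits, glyph height, whether the file is long enough) is made here, in an unprivileged process; the kernel side only has to bound-check three integers and copy `charcount * 32` bytes, which is the part of the design the post contrasts with parsing TrueType in ring 0.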

NT4 was such an abomination... (3, Interesting)

mosel-saar-ruwer (732341) | more than 2 years ago | (#37958098)

in NT4 and later fonts are parsed in kernel mode

Sometimes I feel like I must be the only geezer remaining who actually had the opportunity to use NT 3.51, so let me tell you: It was a GLORIOUS operating system.

EVERYTHING was client/server, and all the client stuff ran in Ring 3/User Mode.

Heck, you could even kill Windows, and run it as a multi-user "DOS" box.

But, of course, that meant that the video/graphics subsystem also ran as a client service, in User Mode, which [I guess] the suits perceived as being "slow", and therefore as being an impediment to the gaming experience which would come with the impending merger of code bases that we now know as Windows XP [2001].

So in 1996, some genius at MSFT decided to throw out all of the beauty and elegance and stability and security that had been NT 3.51, and to serve up, instead, the great big steaming pile of sh!t which was NT 4.0 [with its video/graphics subsystem subsumed into the kernel].

And the world was never again the same...

Re:NT4 was such an abomination... (3, Interesting)

Gr8Apes (679165) | more than 2 years ago | (#37958640)

Actually, IIRC, it was Win NT 3.1 that had the initial full security model you ascribe to Win NT 3.5. Win NT 3.5 had already slid a good portion of the way down the slippery slope of Ring 0 code, including some of the graphics drivers. (Again, IIRC, it's been a while)

NT 4 moved a lot of user space Windows GDI functionality (as defined by Win 95/98/ME) into a kernel mode GDI API, which is single threaded btw, that persisted at least through all versions of Windows XP, if not beyond. (This is one of the reasons why opening a 10MB networked file or attachment in Outlook causes your entire machine to lock up until it's done)

This was in contrast to OS/2, which continued to follow the original design criteria, and hence was perceived to be slower on the same hardware as NT 4 for single tasks, although multi-tasking was much faster on OS/2. I mention this because NT's original basis was the OS/2 criteria, which was then mutated to be able to support the Win 95/98/ME gaming solutions.

Re:Kernel mode (0)

Anonymous Coward | more than 2 years ago | (#37958166)

Text rendering != text parsing. Please go back into your cave. It's not wise to speak of things you do not understand.

NoScript helps (1)

impaledsunset (1337701) | more than 2 years ago | (#37956934)

That's why NoScript disables embedded fonts along with other possible attack vectors.

Even on GNU/Linux, font rendering is not to be assumed safe. In particular, freetype was never designed with the idea of parsing fonts from various untrusted sources, so security in the font parser has always been secondary up until recently, so there might be many security holes lurking in it. It also had a vulnerability lately; of course it got fixed quickly.

http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/ [hackademix.net]

Re:NoScript helps (1)

Tomato42 (2416694) | more than 2 years ago | (#37958622)

Well, yes, X server still is run as root on many distros, but they are moving away from it.

Nearly as insane as executing code in images (1)

dbIII (701233) | more than 2 years ago | (#37956686)

NT4 and later fonts are parsed in kernel mode!

It looks like somebody was half asleep that day as well and the long "focus on security" didn't go deep enough.

Re:Nearly as insane as executing code in images (3, Informative)

The Askylist (2488908) | more than 2 years ago | (#37956710)

Nope - it was definitely a deliberate decision to make most of the GUI run in kernel mode on NT4.

If you remember what 3.5 and 3.51 were like, it's possible to have some sympathy for this, but IIRC it was highlighted at the time as a bit of a silly thing to do.

Re:Nearly as insane as executing code in images (1)

moderators_are_w*nke (571920) | more than 2 years ago | (#37956728)

I am surprised they haven't gone back to the old model now the hardware is up to it. It would make a lot of sense.

Re:Nearly as insane as executing code in images (1)

gmueckl (950314) | more than 2 years ago | (#37956978)

Well, the graphics drivers were moved out of the kernel and into a special user-space-like environment with Vista. This allows Windows to restart crashed graphics drivers on the fly (and this even works most of the time). Looks like other parts of the graphics subsystem are still where they don't belong, though.

Re:Nearly as insane as executing code in images (1)

yuhong (1378501) | more than 2 years ago | (#37958624)

Yeah, partly because of the need to support old XP display drivers. The good news is support for that is eliminated in Windows 8, which may even allow the DWM to be part of the new CSRSS.

Re:Nearly as insane as executing code in images (1)

yuhong (1378501) | more than 2 years ago | (#37958612)

I once suggested to Larry Osterman of MS that this be done, now that there is a *separate CSRSS for each session* and has been since NT4 TSE. If one of them crashes, only the session is lost.

"kernel mode" (-1)

Anonymous Coward | more than 2 years ago | (#37956698)

This is why I don't use windoz

brb banging head against wall (2, Funny)

admiralranga (2007120) | more than 2 years ago | (#37956724)

FFS microsoft, I'm a highschooler and I think that's a really bad idea. How do mistakes like that get through QA?

Re:brb banging head against wall (4, Insightful)

jimicus (737525) | more than 2 years ago | (#37956762)

Very easily.

The world was a different place in the early days of NT 4 - and remember this design dates back to before then, because the design decision would have been made some time before NT 4 was released.

NT 4 was, arguably, the first version of Windows to really enjoy any sort of success in the server room. The Internet was only just starting to attract attention outside of academic circles; it would be some years before it became apparent how bad Windows was security-wise. Microsoft's priority wasn't security, it was making an OS with a sophisticated GUI you could install on a 486 with 16MB of RAM that could act as a server to a whole network. Historically it's always been somewhat quicker to run code in the kernel; NT 4 moved most of the GUI to the kernel for exactly this reason. Security? Why would that even appear on the radar?

Re:brb banging head against wall (4, Informative)

snowgirl (978879) | more than 2 years ago | (#37956794)

This right here. The world was a different place back then. One could leave their house without locking their doors, and all that nonsense.

The WMF vulnerability was borne out of the same situation. When designed, there was no consideration made for remote-code execution, because "remote" didn't really exist. Your worries were boot-sector viruses and executable viruses coming in on that floppy of Doom you "borrowed" from your friend. You didn't get viruses from the internet, heck, you were lucky if your computer connected to the internet at all!

To end all this, this design decision clearly and loudly screams: GET OFF MY LAWN!!!

Re:brb banging head against wall (0)

CODiNE (27417) | more than 2 years ago | (#37956938)

Right, and when Microsoft added ActiveX to the browser, nobody warned them it would be a security issue... why remote execution was still seen as a feature in those days.

When the browser was embedded into the OS, nobody imagined it could one day be a problem... the geeks were thrilled at the wonderful new design innovations occurring at Microsoft, security wasn't even on the radar back then.

Right.

Re:brb banging head against wall (1)

cynyr (703126) | more than 2 years ago | (#37957040)

no we weren't thrilled... lots of sites stopped working anywhere other than in IE, and certainly not in Slackware! NOW GET OFF MY LAWN!!! PULL UP YOUR PANTS!

Re:brb banging head against wall (3, Insightful)

Tom (822) | more than 2 years ago | (#37956926)

The world was a different place in the early days of NT 4

No, it wasn't. NT4 was released in 1996. By that time, many people here on /. had been exploiting bugs like that for 10 or 20 years already. Granted, mostly for fun or to cheat in (single-player) games, but still...

NT4 already had a security architecture. There was a different place available (basically anywhere outside ring0) and it should have been put there, and it definitely should have been obvious to anyone with three grams of brains that stuff like this doesn't belong in ring0.

Re:brb banging head against wall (1)

gmueckl (950314) | more than 2 years ago | (#37957012)

They still supported non-x86 architectures back then. And on those, there is only a kernel mode and a user mode. Rings 1 and 2 don't exist there. So putting the graphics in ring 1 or 2 would have hurt portability. OS/2, on the other hand, actually started to put stuff in all 4 rings because it was designed to run only on 386 and up.

Re:brb banging head against wall (2)

kantos (1314519) | more than 2 years ago | (#37957176)

The world was a different place in the early days of NT 4

Arguably true... but only for the monolithic Win 9x series releases, which aren't relevant to this topic since the NT kernel was developed independently within Microsoft by Dave Cutler from DEC. It was Microsoft's first truly modern operating system. As many commenters above me have mentioned, NT originally did have functions such as font rendering in userspace due to its heavy hardware abstraction. As the pending issues with 9x loomed, however, MS could read the writing on the wall: porting 9x to Unicode (it was ANSI throughout; a separate "Layer for Unicode [wikimedia.org]" had to be used to run Unicode programs on 9x machines) as well as supporting newer hardware (AHCI, USB, true Plug and Play) was going to be nearly impossible (the attempt was called Windows ME). So Microsoft began with NT4 to prep for the mass migration from 9x. Since the average consumer at the time didn't want to drop $3k for a workstation that would be able to run the NT model correctly, Microsoft made some compromises to the OS for the sake of speed.

No, it wasn't. NT4 was released in 1996. By that time, many people here on /. had been exploiting bugs like that for 10 or 20 years already. Granted, mostly for fun or to cheat in (single-player) games, but still...

NT4 already had a security architecture. There was a different place available (basically anywhere outside ring0) and it should have been put there, and it definitely should have been obvious to anyone with three grams of brains that stuff like this doesn't belong in ring0.

You, however, are making the assumption that everybody in Microsoft talks to each other. A most incorrect assumption. The reality is most likely that WinDiv (the division responsible for the OS) made the assumption that fonts would not be loaded from insecure sources, e.g. Word documents. The Office division, however, faced the problem of what you do when some user uses a font that is not on another user's system. So they made the decision to allow the embedding of fonts into the file format, along with a bunch of other really bad decisions in hindsight (remember the Melissa virus [wikimedia.org]?) that would have been caught if they had had the same security reviews as WinDiv did. To compound the problem, Office used unpublished and most likely unhardened APIs (it probably still does in parts) that gave it the capability to do things like on-the-fly font loading, something that wasn't exposed to the rest of us until Windows 2000 (NT 5.0). [microsoft.com] My point being that at the time it WAS a safe decision as far as WinDiv was concerned. Should they have been a little more careful with those unpublished APIs... yes they should have; it would have prevented a lot of anti-trust issues, but they weren't. So here we are with yet another security bug.

Re:brb banging head against wall (1)

buglista (1967502) | more than 2 years ago | (#37957214)

Bollocks. I remember saying it was a stupid idea at the time, and for stability as well as security reasons. Microkernels looked like a good way to go at the time, whereas MS were doing the exact opposite of what good design principles dictate. Have you not read Structured Computer Organisation?

Re:brb banging head against wall (2)

dbIII (701233) | more than 2 years ago | (#37957288)

The world was a different place in the early days of NT 4

It wasn't really. Things like this were well known to be a bad idea and were only done to cut corners. Stuff as mainstream as Scientific American had articles on computer viruses in the early 1970s, for fuck's sake, and a few hacking movies, let alone popular novels, had come out before NT4.

Security? Why would that even appear on the radar?

It was nineteen fucking ninety six and personal computer users had been worried about computer viruses for about a decade.

Re:brb banging head against wall (1)

jimicus (737525) | more than 2 years ago | (#37957506)

It was nineteen fucking ninety six and personal computer users had been worried about computer viruses for about a decade.

They had. But this is Microsoft we're talking about here, and their ability to predict the future has always been notoriously terrible; the great majority of viruses at the time were assembler-written things that did all sorts of clever stuff bypassing the OS entirely - and they were able to do that because memory protection was scant at best on DOS/Win3.x/Win9x. Few viruses even worked in NT, and with a proper security model, how could they?

Re:brb banging head against wall (1)

dbIII (701233) | more than 2 years ago | (#37958576)

It wasn't about predicting the future - it was about learning from the lessons of the past! Unix and others had been cracked in all directions by students before NT was even thought of, which is one reason why security was a consideration there, in VMS and in earlier versions of NT.

Re:brb banging head against wall (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#37958142)

Umm, yeah, so we also have no excuse for getting our asses kicked in an alien invasion, right?

They should have known better (2)

DragonHawk (21256) | more than 2 years ago | (#37957730)

Security? Why would that even appear on the radar?

Computer security has been an issue since at least the 1960s, and it's been well-documented and understood since at least the 1980s (when the NSA Rainbow Books appeared). The Morris worm hit in 1988. None of this stuff should have come as a surprise, and there were many people talking about how Microsoft was repeating all the mistakes over and over again.

As you say, the fact is, Microsoft wasn't concerned with security. I don't give them a free pass for that. The entire world has been paying for their mistakes ever since. Their lackadaisical attitude towards security -- when they certainly could have learned from the literature and from history -- has cost the world billions, if not trillions of dollars.

Not okay.

Re:brb banging head against wall (0)

Anonymous Coward | more than 2 years ago | (#37956796)

FFS microsoft, I'm a highschooler and I think that's a really bad idea. How do mistakes like that get through QA?

NT 3.1 to NT 3.51 had a pretty nice design - very microkernel-like, portable/hardware-agnostic, win32/OS2/Unix subsystems, ...

However it was slow as a dog and with NT4 Microsoft sacrificed much of the virtues of the NT design in favor of speed gains by running as much as possible in kernel mode.

Re:brb banging head against wall (1)

Zamphatta (1760346) | more than 2 years ago | (#37956804)

It's not a mistake, it's a feature -- for Windows users & for hackers! ;-)

Re:brb banging head against wall (1)

Spazntwich (208070) | more than 2 years ago | (#37957502)

I'm a college dropout and have no idea what any of this means... so... uh... kudos to you; you have my envy, younger yet superior nerd.

Seriously. I feel like this post comes across as sarcastic but I mean it.

let me guess... (-1, Redundant)

zephvark (1812804) | more than 2 years ago | (#37956732)

Microsoft decided that fonts ought to be able to play music, video, scripts, and connect to web sites. Then they made the format executable. Oh, go ahead, mod me down, it's not like they did it with text files, help files, sound files, and video files already.

Re:let me guess... (1)

nzac (1822298) | more than 2 years ago | (#37956788)

It says it's just TrueType font parsing.

I don't know why but image and font file parsing and thumb-nailing is a common security problem (about once a month or so my distro has a security update for a potential hole).

I think they generally work by tricking the computer to run arbitrary code from elsewhere rather than contain the code themselves.

Re:let me guess... (0)

Anonymous Coward | more than 2 years ago | (#37957064)

Oh, go ahead, mod me down

You think people would mod you down for making fun of MS, here, of all places?

Actually Apple made TTF fonts executable (0)

Anonymous Coward | more than 2 years ago | (#37957094)

But I am an AC and this is slashdot, and I am not engaging in microsoft bashing so this comment will never see the light of day.

http://en.wikipedia.org/wiki/TrueType

Re:Actually Apple made TTF fonts executable (1)

Fred Or Alive (738779) | more than 2 years ago | (#37957530)

You seem to be attempting to engage in Apple bashing, and that's fine here as well. It's a pity the article you linked to doesn't back up your assertion that TTFs contain executable code, at least not in the normal sense (it mentions code for a virtual machine to run hinting, but not normal executable code). This doesn't seem to be any issue with the TrueType format itself, just an issue with Microsoft's implementation of it.

Re:Actually Apple made TTF fonts executable (0)

Anonymous Coward | more than 2 years ago | (#37957686)

http://developer.apple.com/fonts/TTRefMan/RM02/Chap2.html#environment

suck on it #738779

Re:Actually Apple made TTF fonts executable (1)

flonker (526111) | more than 2 years ago | (#37957934)

Pffft. Apple bashing is a perfectly respectable thing to do on slashdot these days.

Re:let me guess... (4, Insightful)

Raenex (947668) | more than 2 years ago | (#37957300)

Oh, go ahead, mod me down

I wish people would for your karma whoring. The "mod me down" is a standard trick to get modded up on Slashdot.

How to deactivate custom fonts in a browser? (1)

muon-catalyzed (2483394) | more than 2 years ago | (#37956756)

Any idea how to turn off custom fonts in webpages? Can't find that setting in Firefox at the moment. You are only vulnerable if custom fonts are enabled.

Re:How to deactivate custom fonts in a browser? (1)

Anonymous Coward | more than 2 years ago | (#37956774)

install GNU/Linux

Re:How to deactivate custom fonts in a browser? (2)

thejynxed (831517) | more than 2 years ago | (#37956822)

Re:How to deactivate custom fonts in a browser? (0)

Anonymous Coward | more than 2 years ago | (#37956838)

just like javascript and flash objects on html pages, noscript in firefox blocks them all by default

Re:How to deactivate custom fonts in a browser? (0)

Anonymous Coward | more than 2 years ago | (#37957216)

Use Noscript.

WTF (4, Insightful)

arkhan_jg (618674) | more than 2 years ago | (#37956782)

Whiskey Tango Foxtrot Microsoft. What genius thought font parsing belonged in ring 0?

Re:WTF (3, Informative)

impaledsunset (1337701) | more than 2 years ago | (#37956958)

It's a questionable decision, yes. However, the vulnerability wouldn't be any less bad if it was in userspace. And Microsoft weren't exactly the first. There was a time when the X11 server parsed fonts directly, and it was running as root, perhaps with some privileges dropped along the way. It wasn't kernel mode, but you still had a font parser running as root. So, they weren't the only geniuses who thought so.

But yeah, the X11 world has improved a lot since then, font parsing and rendering by the client, in userspace, and with an unprivileged account -- all great ideas that Microsoft might want to follow.

Re:WTF (2)

larien (5608) | more than 2 years ago | (#37957010)

Wrong - if it was in userspace, it would be tied to the permissions granted the logged on user. I'm not 100% sure, but even as admin, UAC should still have blocked the worst of the behaviour. Once you're running code in the kernel, you can pretty much do whatever you want and the user's permissions and UAC become irrelevant.

Re:WTF (1)

TheRaven64 (641858) | more than 2 years ago | (#37958182)

The sane way of doing this would be to have a font service that would run as an unprivileged user, parse TrueType fonts and pass the beziers to the graphics subsystem in the kernel. This was possible with the NT security model from the start. This wouldn't even have cost anything in terms of performance - parsing the font file is not performance-critical, only rendering the resulting glyphs is.

There was a time when the X11 server parsed fonts directly, and it was running as root, perhaps with some privileges dropped along the way

Kind of. It did, but only of fonts installed on the X server. This meant that it was not parsing untrusted font data. This approach was problematic, because it meant that if you installed an office suite on a server then you needed to install all of its fonts on every thin client machine, or it needed to do all of the font rendering and then just send images to the X servers. Modern (i.e. for about the last decade) X systems have done font parsing and rendering on the client but stored the rendered glyphs on the server, where they can be composited quickly. This also has the advantage that the same rendering code can be used for any font format without the display server needing to know how it works.

Sampo Kaasila an Apple employee (0)

Anonymous Coward | more than 2 years ago | (#37957190)

Sampo Kaasila, an Apple employee, was the genius who designed TrueType fonts, and is also responsible for TTFs being executable files rather than some sort of parsed file. I am guessing he did it for performance reasons way back in the late 80's or very early 90's when all we had to work with was 386/486 CPUs.

http://en.wikipedia.org/wiki/TrueType

For speed most likely (chew on this) (-1)

Anonymous Coward | more than 2 years ago | (#37957766)

Doing things @ ring 0 is usually done for speed, less message passing overheads (in fact, both Linux & Windows do their http.sys/http daemon that way, for example, nowadays @ least, but not in the past).

STILL?

Time to BLOW your "forums 'Illogic-Logic'" spinmaster crap FUD, all to hell with MORE facts & actual logic + documented facts, regarding SECURITY!

Ready? Read on & WEEP, penguins:

---

1st - Linux also doesn't have as high quality drivers or as many because board makers KNOW what is "running the show/market " out there, Windows - so, they cater to it immensely!

2nd - Nor does Linux have as many games, by FAR, either (this is mostly the home market in fact!)

3rd - Not only that. but Linux, in its KERNEL ONLY mind you? Has 4x the unpatched security vulnerabilities Windows 7 has (which IS a complete "distro" with all of its parts, not just a kernel only)!

4th - Despite all those "Open 'SORES'" eyes (most of whom couldn't code to SAVE THEIR LIVES mind you) allegedly poring over Linux code, how come it has that many more unpatched bugs than Windows 7 has, hmmm??

Closed source is HARDER for hacker/crackers to attack as well, because you're stuck either disassembling it (especially tough with kernel level debuggers) OR fuzzing it, either is tougher than searching out problems in Linux, which you just load into a compiler & step trace its "Open 'SORES'" code with to find screwups in security... hence it still has more security bugs, AND, they are unpatched (despite all the "Open 'SORES'" eyes poring over it, lol!)

Fact, period!

5th - In fact, Linux's kernel ALONE has 4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!

Proof? Ok:

This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (11/05/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (11/05/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (11/05/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (11/05/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (11/05/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (11/05/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (11/05/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 9 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (11/05/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (11/05/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (11/05/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (11/05/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (11/05/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x: (11/05/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x: (08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 8 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (11/05/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (11/05/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (11/05/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 6% (5 of 86 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (11/05/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 154 Secunia advisories)

* Nicest part here is, that the few unpatched vulns ALL have valid easy work arounds (colorui.dll not needed in "headless/servercore" mode & this IS a server OR you can unregister the DLL + the %PATH% issue is a NON-ISSUE by simply editing the path in SYSTEM ICON/Environment in CONTROL PANEL (or doing a reg edit here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ), or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations or by securing them down rights-wise)... can Linux say the same?

Doubt it!

PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

---

FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux) , THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", bigtime & even more so, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (11/05/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (18 of 281 Secunia advisories)

---

AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux (one http://secunia.com/advisories/19402/ [secunia.com] is fixed in later patch builds) there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

NO FIXES @ ALL ARE PRESENT HERE:

http://secunia.com/advisories/14295/ [secunia.com]

NOT A SINGLE ONE IS FIXED HERE & there's 18 OF THEM THERE IN REALITY, not just 1!

I'll even QUOTE secunia on that now:

"Secunia is currently not aware of an updated kernel version addressing the vulnerabilities."

(And, mind you - that's the LINUX 2.6 KERNEL only - the other parts of Linux of FULL Linux distros in apps & more probably add more).

AND

PARTIAL FIXES ONLY PRESENT HERE:

http://secunia.com/advisories/44754/ [secunia.com]

Still has issues: #'s 8 & 9 are STILL UNRESOLVED!

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools for it as well has & LAMP certainly cannot show less errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

Vulnerability Report: MySQL 5.x (11/05/2011):

http://secunia.com/advisories/product/8355/ [secunia.com]

Unpatched 4% (1 of 26 Secunia advisories)

* "GOSH" - Looks like MORE THAN SQLServer 2008 with ZERO unpatched, eh?

In fact...100% more of a lead (in bugs unpatched, lol) Yea... bigtime - Some "dubious honor" that... lol! "Big WIN" (not!).

---

Vulnerability Report: Apache 2.2.x (11/05/2011) part of LAMP, but their site runs a BSD:

http://secunia.com/advisories/product/9633/ [secunia.com]

Unpatched 8% (2 of 25 Secunia advisories)

Ah, what have we HERE now, vs. IIS 7 (again, with ZERO unpatched security vulnerabilities)?

Ah yes... yet again the "LAMP CAMP" shows its "True Colors", 200% more unpatched bugs, & with MORE UNPATCHED SECURITY BUGS! Yet another "Win" (not), eh??

---

Vulnerability Report: PHP 5.3.x (11/05/2011):

http://secunia.com/advisories/product/27504/ [secunia.com]

Unpatched 8% (1 of 13 Secunia advisories)

WHAT'S THIS? YET ANOTHER "LEAD" (lol, in unpatched security bugs) for the "LAMP CAMP"??

Another "100% lead" (loss is more like it) no less, vs. MS Visual Studio 2010 or Office 2010 (& their attendant XML, browsers in IE9 even, & MORE - per my earlier posts!)

The RESULTS (very recent mind you) of these unpatched vulnerabilities in "Open SORES/*NIX ware?"

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

* Part of LAMP, but their site runs a BSD

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM," non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

AND, AGAIN - Do NOTE that SQLServer, IIS7, Windows Server 2008, & Visual Studio 2010 have less security bugs unpatched, BY FAR, than does the "LAMP" stack... period!

Now, as to LINUX in a stock exchange? Ok:

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

and

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)...

So... You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope! Your marketshare shows that also -> http://tech.slashdot.org/comments.pl?sid=2506468&threshold=-1&commentsort=0&mode=thread&pid=37929368 [slashdot.org] & the ONLY REASON LINUX GETS USED (mostly for servers, it's niche) is because it is "no cost" & businesses are in business to max profits & keep overhead costs down (only problem is, when you get HIT BY A LAWSUIT for security issues, who can you hold responsible from the 'freebie' camp?)

... apk

This is why proprietary software is bad. (0)

Anonymous Coward | more than 2 years ago | (#37956844)

If this was an open-source project (like Linux), a flaw like this would have been spotted YEARS ago.

There are a lot of Microsoft shills here... (5, Insightful)

bmo (77928) | more than 2 years ago | (#37956882)

... And I want at least one of them to give a good reason why parsing fonts in kernel mode is a good idea. Speed is not a good reason. Not even on 10 year old equipment it's not.

--
BMO

Re:There are a lot of Microsoft shills here... (-1)

Anonymous Coward | more than 2 years ago | (#37956936)

And there are a lot of dick sucking Linux faggots like you here too. What's the fucking point? Both Linux and Windows parse fonts in kernel mode, so get off your high fucking horse.

Re:There are a lot of Microsoft shills here... (0)

Anonymous Coward | more than 2 years ago | (#37956982)

No Linux system parses externally-provided font data in kernel mode. Are you referring to framebuffer fonts here? You can't get a web browser to hand those to the kernel. This is by design.

Let's talk SECURITY (the topic & I'll kick ur (-1)

Anonymous Coward | more than 2 years ago | (#37958238)

Disprove these recent documented facts on security (Linux vs. Windows) -

Hell - Yesterday, I even submitted the FACT that MS has issued a fix (temp until Patch Tuesday that WORKS) & it was rejected here 2x -> http://tech.slashdot.org/comments.pl?sid=2510534&cid=37957572 [slashdot.org]

(Merely illustrating that this site, & others like it, is full of FUD spreader "penguins"... Just as Ed Bott said the other day on "penguin bullshit" to put it bluntly, right @ the outset of his article here http://www.zdnet.com/blog/bott/leading-pc-makers-confirm-no-windows-8-plot-to-lock-out-linux/4185?tag=nl.e539 [zdnet.com] )

I'll even requote his words there now:

"The campaign to spread FUD about Windows 8 is picking up momentum. In the past week, high-profile Linux advocates have tried to add fear, uncertainty, and doubt into what should be a smooth process for implementing a new next-generation security feature."

THEN, I'LL LET THE REST OF THESE FACTS ON SECURITY MOSTLY DO YOU IN, easily:

---

1st - Linux also doesn't have as high quality drivers or as many because board makers KNOW what is "running the show/market" out there, Windows - so, they cater to it immensely!

2nd - Nor does Linux have as many games, by FAR, either (this is mostly the home market in fact!)

3rd - Not only that, but Linux, in its KERNEL ONLY mind you? Has 4x the unpatched security vulnerabilities Windows 7 has (which IS a complete "distro" with all of its parts, not just a kernel only)!

4th - Despite all those "Open 'SORES'" eyes (most of whom couldn't code to SAVE THEIR LIVES mind you) allegedly poring over Linux code, how come it has that many more unpatched bugs than Windows 7 has, hmmm??

Closed source is HARDER for hacker/crackers to attack as well, because you're stuck either disassembling it (especially tough with kernel level debuggers) OR fuzzing it, either is tougher than searching out problems in Linux, which you just load into a compiler & step trace its "Open 'SORES'" code with to find screwups in security... hence it still has more security bugs, AND, they are unpatched (despite all the "Open 'SORES'" eyes poring over it, lol!)

Fact, period!

5th - In fact, Linux's kernel ALONE has 4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!

Proof? Ok:

This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (11/05/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (11/05/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (11/05/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (11/05/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (11/05/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (11/05/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (11/05/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 9 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (11/05/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (11/05/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (11/05/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (11/05/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (11/05/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x:
(11/05/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x
(08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 8 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (11/05/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (11/05/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (11/05/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 6% (5 of 86 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (11/05/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 154 Secunia advisories)

* Nicest part here is that the few unpatched vulns ALL have valid easy workarounds (colorui.dll not needed in "headless/servercore" mode & this IS a server OR you can unregister the DLL + the %PATH% issue is a NON-ISSUE by simply editing the path in SYSTEM ICON/Environment in CONTROL PANEL (or doing a reg edit here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ), or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations or by securing them down rights-wise)... can Linux say the same?

Doubt it!

PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

---

FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux) , THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", bigtime & even more so, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (11/05/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (18 of 281 Secunia advisories)

---

AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux (one http://secunia.com/advisories/19402/ [secunia.com] is fixed in later patch builds) there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

NO FIXES @ ALL ARE PRESENT HERE:

http://secunia.com/advisories/14295/ [secunia.com]

NOT A SINGLE ONE IS FIXED HERE & there's 18 OF THEM THERE IN REALITY, not just 1!

I'll even QUOTE secunia on that now:

"Secunia is currently not aware of an updated kernel version addressing the vulnerabilities."

(And, mind you - that's the LINUX 2.6 KERNEL only - the other parts of Linux of FULL Linux distros in apps & more probably add more).

AND

PARTIAL FIXES ONLY PRESENT HERE:

http://secunia.com/advisories/44754/ [secunia.com]

Still has issues: #'s 8 & 9 are STILL UNRESOLVED!

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools for it as well has & LAMP certainly cannot show less errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

Vulnerability Report: MySQL 5.x (11/05/2011):

http://secunia.com/advisories/product/8355/ [secunia.com]

Unpatched 4% (1 of 26 Secunia advisories)

* "GOSH" - Looks like MORE THAN SQLServer 2008 with ZERO unpatched, eh?

In fact...100% more of a lead (in bugs unpatched, lol) Yea... bigtime - Some "dubious honor" that... lol! "Big WIN" (not!).

---

Vulnerability Report: Apache 2.2.x (11/05/2011) part of LAMP, but their site runs a BSD:

http://secunia.com/advisories/product/9633/ [secunia.com]

Unpatched 8% (3 of 26 Secunia advisories)

Ah, what have we HERE now, vs. IIS 7 (again, with ZERO unpatched security vulnerabilities)?

Ah yes... yet again the "LAMP CAMP" shows its "True Colors", 200% more unpatched bugs, & with MORE UNPATCHED SECURITY BUGS! Yet another "Win" (not), eh??

---

Vulnerability Report: PHP 5.3.x (11/05/2011):

http://secunia.com/advisories/product/27504/ [secunia.com]

Unpatched 8% (1 of 13 Secunia advisories)

WHAT'S THIS? YET ANOTHER "LEAD" (lol, in unpatched security bugs) for the "LAMP CAMP"??

Another "100% lead" (loss is more like it) no less, vs. MS Visual Studio 2010 or Office 2010 (& their attendant XML, browsers in IE9 even, & MORE - per my earlier posts!)

The RESULTS (very recent mind you) of these unpatched vulnerabilities in "Open SORES/*NIX ware?"

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

* Part of LAMP, but their site runs a BSD

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM," non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

AND, AGAIN - Do NOTE that SQLServer, IIS7, Windows Server 2008, & Visual Studio 2010 have less security bugs unpatched, BY FAR, than does the "LAMP" stack... period!

Now, as to LINUX in a stock exchange? Ok:

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

and

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)...

So... You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope! Your marketshare shows that also -> http://tech.slashdot.org/comments.pl?sid=2506468&threshold=-1&commentsort=0&mode=thread&pid=37929368 [slashdot.org] & the ONLY REASON LINUX GETS USED (mostly for servers, it's niche) is because it is "no cost" & businesses are in business to max profits & keep overhead costs down (only problem is, when you get HIT BY A LAWSUIT for security issues, who can you hold responsible from the 'freebie' camp?)

... apk

Re:There are a lot of Microsoft shills here... (1)

Old Sparky (675061) | more than 2 years ago | (#37957302)

Ooo! You must have lots of Microsoft Skin in your game, Mr Anonymous. Or should we call you Mr. Ballmer?

Kicking "oldsparky's" ass a 2nd time (-1)

Anonymous Coward | more than 2 years ago | (#37958414)

On security (the topic): This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (11/05/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (11/05/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (11/05/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (11/05/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (11/05/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (11/05/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (11/05/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 9 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (11/05/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (11/05/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (11/05/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (11/05/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (11/05/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x:
(11/05/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x
(08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 8 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (11/05/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (11/05/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (11/05/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 6% (5 of 86 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (11/05/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 154 Secunia advisories)

* Nicest part here is that the few unpatched vulns ALL have valid easy workarounds (colorui.dll not needed in "headless/servercore" mode & this IS a server OR you can unregister the DLL + the %PATH% issue is a NON-ISSUE by simply editing the path in SYSTEM ICON/Environment in CONTROL PANEL (or doing a reg edit here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ), or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations or by securing them down rights-wise)... can Linux say the same?

Doubt it!

PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

---

FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux) , THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", bigtime & even more so, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (11/05/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (18 of 281 Secunia advisories)

---

AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux (one http://secunia.com/advisories/19402/ [secunia.com] is fixed in later patch builds) there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

NO FIXES @ ALL ARE PRESENT HERE:

http://secunia.com/advisories/14295/ [secunia.com]

NOT A SINGLE ONE IS FIXED HERE & there's 18 OF THEM THERE IN REALITY, not just 1!

I'll even QUOTE secunia on that now:

"Secunia is currently not aware of an updated kernel version addressing the vulnerabilities."

(And, mind you - that's the LINUX 2.6 KERNEL only - the other parts of Linux of FULL Linux distros in apps & more probably add more).

AND

PARTIAL FIXES ONLY PRESENT HERE:

http://secunia.com/advisories/44754/ [secunia.com]

Still has issues: #'s 8 & 9 are STILL UNRESOLVED!

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools for it as well has & LAMP certainly cannot show less errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

Vulnerability Report: MySQL 5.x (11/05/2011):

http://secunia.com/advisories/product/8355/ [secunia.com]

Unpatched 4% (1 of 26 Secunia advisories)

* "GOSH" - Looks like MORE THAN SQLServer 2008 with ZERO unpatched, eh?

In fact...100% more of a lead (in bugs unpatched, lol) Yea... bigtime - Some "dubious honor" that... lol! "Big WIN" (not!).

---

Vulnerability Report: Apache 2.2.x (11/05/2011) part of LAMP, but their site runs a BSD:

http://secunia.com/advisories/product/9633/ [secunia.com]

Unpatched 8% (3 of 26 Secunia advisories)

Ah, what have we HERE now, vs. IIS 7 (again, with ZERO unpatched security vulnerabilities)?

Ah yes... yet again the "LAMP CAMP" shows its "True Colors", 200% more unpatched bugs, & with MORE UNPATCHED SECURITY BUGS! Yet another "Win" (not), eh??

---

Vulnerability Report: PHP 5.3.x (11/05/2011):

http://secunia.com/advisories/product/27504/ [secunia.com]

Unpatched 8% (1 of 13 Secunia advisories)

WHAT'S THIS? YET ANOTHER "LEAD" (lol, in unpatched security bugs) for the "LAMP CAMP"??

Another "100% lead" (loss is more like it) no less, vs. MS Visual Studio 2010 or Office 2010 (& their attendant XML, browsers in IE9 even, & MORE - per my earlier posts!)

The RESULTS (very recent mind you) of these unpatched vulnerabilities in "Open SORES/*NIX ware?"

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

* Part of LAMP, but their site runs a BSD

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM," non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

AND, AGAIN - Do NOTE that SQLServer, IIS7, Windows Server 2008, & Visual Studio 2010 have less security bugs unpatched, BY FAR, than does the "LAMP" stack... period!

Now, as to LINUX in a stock exchange? Ok:

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

and

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)...

So... You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope! Your marketshare shows that also -> http://tech.slashdot.org/comments.pl?sid=2506468&threshold=-1&commentsort=0&mode=thread&pid=37929368 [slashdot.org] & the ONLY REASON LINUX GETS USED (mostly for servers, it's niche) is because it is "no cost" & businesses are in business to max profits & keep overhead costs down (only problem is, when you get HIT BY A LAWSUIT for security issues, who can you hold responsible from the 'freebie' camp?)

... apk

Let the Penguins "chew on this" (-1)

Anonymous Coward | more than 2 years ago | (#37957654)

In fact? Time to BLOW your "forums 'Illogic-Logic'" spinmaster crap to hell with MORE facts & actual logic + documented facts! Ready? Read on:

---

1st - Linux also doesn't have as high quality drivers or as many because board makers KNOW what is "running the show/market" out there, Windows - so, they cater to it immensely!

2nd - Nor does Linux have as many games, by FAR, either (this is mostly the home market in fact!)

3rd - Not only that, but Linux, in its KERNEL ONLY mind you? Has 4x the unpatched security vulnerabilities Windows 7 has (which IS a complete "distro" with all of its parts, not just a kernel only)!

4th - Despite all those "Open 'SORES'" eyes (most of whom couldn't code to SAVE THEIR LIVES mind you) allegedly poring over Linux code, how come it has that many more unpatched bugs than Windows 7 has, hmmm??

Closed source is HARDER for hacker/crackers to attack as well, because you're stuck either disassembling it (especially tough with kernel level debuggers) OR fuzzing it, either is tougher than searching out problems in Linux, which you just load into a compiler & step trace its "Open 'SORES'" code with to find screwups in security... hence it still has more security bugs, AND, they are unpatched (despite all the "Open 'SORES'" eyes poring over it, lol!)

Fact, period!

5th - In fact, Linux's kernel ALONE has 4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!

Proof? Ok:

This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (10/30/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (10/30/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (10/30/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (10/30/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (10/30/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (10/30/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (10/30/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 9 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (10/30/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (10/30/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (10/30/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (10/30/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (10/30/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x:
(10/30/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x
(08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 8 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (10/30/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (10/30/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (10/30/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 6% (5 of 85 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (10/30/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 153 Secunia advisories)

* Nicest part here is, that the few unpatched vulns ALL have valid easy work arounds (colorui.dll not needed in "headless/servercore" mode & this IS a server OR you can unregister the DLL + the %PATH% issue is a NON-ISSUE by simply editing the path in SYSTEM ICON/Environment in CONTROL PANEL (or doing a reg edit here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ), or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations or by securing them down rights-wise)... can Linux say the same?

Doubt it!

PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

---

FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux), THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", bigtime & even moreso, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (10/30/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (18 of 281 Secunia advisories)

---

AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux (one http://secunia.com/advisories/19402/ [secunia.com] is fixed in later patch builds) there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

NO FIXES @ ALL ARE PRESENT HERE:

http://secunia.com/advisories/14295/ [secunia.com]

NOT A SINGLE ONE IS FIXED HERE (& there's 18 OF THEM!) & I'll even QUOTE secunia on that now:

"Secunia is currently not aware of an updated kernel version addressing the vulnerabilities."

(And, mind you - that's the LINUX 2.6 KERNEL only - the other parts of Linux of FULL Linux distros in apps & more probably add more).

AND

PARTIAL FIXES ONLY PRESENT HERE:

http://secunia.com/advisories/44754/ [secunia.com]

Still has issues: #8 & #9 are STILL UNRESOLVED - you SCREWED UP LARGE!

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools for it as well has & LAMP certainly cannot show less errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

Vulnerability Report: MySQL 5.x (10/30/2011):

http://secunia.com/advisories/product/8355/ [secunia.com]

Unpatched 4% (1 of 26 Secunia advisories)

* "GOSH" - Looks like MORE THAN SQLServer 2008 with ZERO unpatched, eh?

In fact...100% more of a lead (in bugs unpatched, lol) Yea... bigtime - Some "dubious honor" that... lol! "Big WIN" (not!).

---

Vulnerability Report: Apache 2.2.x (10/30/2011):

http://secunia.com/advisories/product/9633/ [secunia.com]

Unpatched 8% (2 of 25 Secunia advisories)

Ah, what have we HERE now, vs. IIS 7 (again, with ZERO unpatched security vulnerabilities)?

Ah yes... yet again the "LAMP CAMP" shows its "True Colors", 200% more unpatched bugs, & with MORE UNPATCHED SECURITY BUGS! Yet another "Win" (not), eh??

---

Vulnerability Report: PHP 5.3.x (10/30/2011):

http://secunia.com/advisories/product/27504/ [secunia.com]

Unpatched 8% (1 of 13 Secunia advisories)

WHAT'S THIS? YET ANOTHER "LEAD" (lol, in unpatched security bugs) for the "LAMP CAMP"??

Another "100% lead" (loss is more like it) no less, vs. MS Visual Studio 2010 or Office 2010 (& their attendant XML, browsers in IE9 even, & MORE - per my earlier posts!)

The RESULTS (very recent mind you) of these unpatched vulnerabilities in "Open SORES/*NIX ware?"

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM", non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

AND, AGAIN - Do NOTE that SQLServer, IIS7, Windows Server 2008, & Visual Studio 2010 have less security bugs unpatched, BY FAR, than does the "LAMP" stack... period!

Now, as to LINUX in a stock exchange? Ok:

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

and

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)...

So... You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope! Your marketshare shows that also -> http://tech.slashdot.org/comments.pl?sid=2506468&threshold=-1&commentsort=0&mode=thread&pid=37929368 [slashdot.org] & the ONLY REASON LINUX GETS USED (mostly for servers, it's niche) is because it is "no cost" & businesses are in business to max profits & keep overhead costs down (only problem is, when you get HIT BY A LAWSUIT for security issues, who can you hold responsible from the 'freebie' camp?)

... apk

Re:Let the Penguins "chew on this" (1)

Old Sparky (675061) | more than 2 years ago | (#37957918)

Hey Mr Anonymous - you sound more like Ballmer every minute. And hold Microsoft accountable for security issues? Hyuk! That's FUNeee raht thar!!!

Illogical off topic ad hominem attacks? (-1)

Anonymous Coward | more than 2 years ago | (#37957996)

Those need NOT apply vs. facts, where myself, "Mr. Anonymous" has KICKED YOUR ASS with facts (& with mostly VERY RECENT DATA on security & more) right here-> http://tech.slashdot.org/comments.pl?sid=2510534&cid=37957838 [slashdot.org]

Yea... Ed Bott's COMPLETELY RIGHT about Linux Penguin FUD & said it @ the start of his article here the other day (which I will requote it in fact):

"The campaign to spread FUD about Windows 8 is picking up momentum. In the past week, high-profile Linux advocates have tried to add fear, uncertainty, and doubt into what should be a smooth process for implementing a new next-generation security feature." Ed Bott - ZDNet from -> http://www.zdnet.com/blog/bott/leading-pc-makers-confirm-no-windows-8-plot-to-lock-out-linux/4185?tag=nl.e539 [zdnet.com]

* Your EFFETE & WEAK illogical off topic ad hominem attack FAILS HUGELY in light of that, & the documented, concrete, visible & verifiable FACTS about security (mostly) in the 1st URL link above...

APK

P.S.=> So, "read 'em & weep" you FUD spreading little bullshit artist "penguins", especially in the 1st link above

Face it - you made the WRONG choice & you're nearly extinct as is in marketshare and YOU KNOW IT!

(However, every reply to those facts here? I saw NOTHING but resorting first to FUD, & then when you're shot-down as I have yourself & others here? Well, we see how you respond with illogical off topic ad hominem attacks instead... not disproving my facts, that's NOT possible, but instead acting like GOSSIPING HAGS & FUD SPREADERS!)... you all make me LAUGH!

... apk

Re:There are a lot of Microsoft shills here... (2)

Fred Or Alive (738779) | more than 2 years ago | (#37957006)

Seeing as speed (on 15+ year old equipment) was the reason they did it, you're not going to get an answer you like.

People said Windows NT was too slow on their 486s, so one of the things Microsoft did to try and fix that was to move the GDI into the kernel. They didn't think the security and stability side through however, and I doubt if many people are going to call it the greatest decision ever made in the design of an OS.

Re:There are a lot of Microsoft shills here... (3, Insightful)

TheRaven64 (641858) | more than 2 years ago | (#37958200)

Seeing as speed (on 15+ year old equipment) was the reason they did it, you're not going to get an answer you like.

Sorry, but that reason is bullshit. Rendering fonts is performance-critical. Parsing the fonts is not. The vulnerability is in the code responsible for turning a font file into a set of bezier paths that the display subsystem can render. This code is not performance critical, nor does it need to run with any privileges other than the ability to read the font file (or read font data from a pipe or memory buffer) and write the bezier paths somewhere.

Moving the code that takes the output from this bit of code into the kernel makes sense, because that really is performance critical. Rendering text is one of the most CPU-intensive things a modern windowing system does. Parsing font files is not.
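TheRaven64's design point, as an added Python example that is not code from the page or from any project discussed here: the untrusted step (a TrueType/OpenType table-directory parser with explicit bounds checks) runs in a forked child that holds only the font bytes and one pipe, so a malformed file, a parser bug, or a hard crash comes back as a rejected font instead of taking the caller down. The sample fonts and the `crashing_parser` stand-in are constructed in the example; it is POSIX only (os.fork, resource).

```python
import json
import os
import resource
import struct

# sfnt header: scaler type, numTables, searchRange, entrySelector, rangeShift
SFNT_HEADER = struct.Struct(">IHHHH")
# table record: tag, checksum, offset, length
TABLE_RECORD = struct.Struct(">4sIII")
VALID_SCALERS = {0x00010000, 0x74727565, 0x4F54544F}  # 1.0, 'true', 'OTTO'


class FontError(ValueError):
    """Any structural defect in the font; the caller rejects the file."""


def parse_table_directory(data):
    """Parse a TrueType/OpenType table directory with strict bounds checks.

    Returns {"scaler": int, "tables": {tag: [offset, length]}}.  Every record
    is checked against the real buffer length before anything trusts it.
    """
    if len(data) < SFNT_HEADER.size:
        raise FontError("truncated sfnt header")
    scaler, num_tables, _, _, _ = SFNT_HEADER.unpack_from(data, 0)
    if scaler not in VALID_SCALERS:
        raise FontError("unknown scaler type 0x%08x" % scaler)
    directory_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if directory_end > len(data):
        raise FontError("table directory runs past end of file")
    tables = {}
    for i in range(num_tables):
        record_at = SFNT_HEADER.size + i * TABLE_RECORD.size
        tag, _, offset, length = TABLE_RECORD.unpack_from(data, record_at)
        # Python ints do not wrap, so offset + length cannot overflow here;
        # a C parser must guard that addition explicitly before comparing.
        if offset < directory_end or offset + length > len(data):
            raise FontError("table %s lies outside the file" % tag.decode("latin-1"))
        tables[tag.decode("latin-1")] = [offset, length]
    return {"scaler": scaler, "tables": tables}


def parse_in_sandbox(font, parser=parse_table_directory, cpu_seconds=2):
    """Run `parser` on `font` in a forked child that holds only the bytes and one pipe.

    The parent never interprets the font.  A FontError, an unexpected exception,
    a CPU-limit kill or a hard crash in the child all come back as a rejection.
    """
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the untrusted parsing step
        os.close(read_end)
        try:
            _, hard = resource.getrlimit(resource.RLIMIT_CPU)
            soft = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
            resource.setrlimit(resource.RLIMIT_CPU, (soft, hard))
            reply = {"ok": True, **parser(font)}
        except FontError as exc:
            reply = {"ok": False, "error": str(exc)}
        except BaseException:  # a parser bug is a crash, not a result
            os._exit(1)
        with os.fdopen(write_end, "wb") as out:
            out.write(json.dumps(reply).encode())
        os._exit(0)
    # parent: drain the pipe, then judge the child by how it ended
    os.close(write_end)
    with os.fdopen(read_end, "rb") as inp:
        raw = inp.read()
    _, status = os.waitpid(pid, 0)
    if not os.WIFEXITED(status) or os.WEXITSTATUS(status) != 0:
        return {"ok": False, "error": "parser process died (wait status %d)" % status}
    return json.loads(raw)


def build_font(tables, scaler=0x00010000):
    """Assemble a minimal sfnt file from {tag: payload}; constructed test data, not a real font."""
    directory = b""
    body = b""
    first_table = SFNT_HEADER.size + len(tables) * TABLE_RECORD.size
    for tag, payload in tables.items():
        directory += TABLE_RECORD.pack(tag, 0, first_table + len(body), len(payload))
        body += payload
    return SFNT_HEADER.pack(scaler, len(tables), 0, 0, 0) + directory + body


# Constructed samples: a well-formed file, one cut inside its directory, and
# one whose 'glyf' length field is patched so offset + length overruns the file.
GOOD_FONT = build_font({b"head": b"\x00" * 54, b"glyf": b"\x00" * 16})
TRUNCATED_FONT = GOOD_FONT[:20]
BAD_OFFSET_FONT = bytearray(build_font({b"glyf": b"\x00" * 16}))
struct.pack_into(">I", BAD_OFFSET_FONT, SFNT_HEADER.size + 12, 0xFFFFFFF0)
BAD_OFFSET_FONT = bytes(BAD_OFFSET_FONT)


def crashing_parser(data):
    """Stand-in for a parser with a memory-safety bug: dies with SIGABRT."""
    os.abort()
```

The three bounds checks in `parse_table_directory` are the kind a sanitizer enforces before a renderer ever sees the data; the fork is the privilege boundary that keeps a failed check, or a missed one, out of the privileged component.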

Moving code into RPL0/Ring 0/kernelmode... (-1)

Anonymous Coward | more than 2 years ago | (#37958292)

Increases speed, due to less message passing overheads & less CPU contexts to "hop over" (putting it loosely). This is why BOTH Linux &/or Windows have their http daemon/http.sys in that ring of privilege of operations...

APK

P.S.=> Critical or not, YES - that is GENERALLY why it's done, for speed/efficiency

E.G. #1 of 2-> Windows NT 3.x - 3.51 did do GUI in RPL3/Ring 0/kernel mode, & it was moved into RPL0/Ring 0 for speed in NT 4.x onward up thru XP/Server 2003 - which COULD AFFECT STABILITY...

In fact, Mr. Dave Cutler threatened to QUIT MS over it, but didn't!

(That was done, for gaming, which IS a HUGE market segment is the home users is why... & DirectX helped there later on)

HOWEVER?

E.G. #2 of 2 -> It's now BACK in RPL3/Ring3/usermode now in VISTA onwards, because the device driver DDK has stable examples (& vidcard vendors have a stable generic template to work with)

The same thing went on with Linux http daemon/Windows' http.sys - SPEED OF OPERATION, more efficiency, less message passing overheads results from going to kernel mode... apk

Small correction of a typo (-1)

Anonymous Coward | more than 2 years ago | (#37958620)

"E.G. #1 of 2-> Windows NT 3.x - 3.51 did do GUI in RPL3/Ring 0/kernel mode, & it was moved into RPL0/Ring 0 for speed in NT 4.x onward up thru XP/Server 2003 - which COULD AFFECT STABILITY..." - by Anonymous Coward on Saturday November 05, @11:48AM (#37958292)

CORRECTION EDIT BELOW:

E.G. #1 of 2-> Windows NT 3.x - 3.51 did do GUI in RPL3/Ring 3/USER mode, & it was moved into RPL0/Ring 0 for speed in NT 4.x onward up thru XP/Server 2003 - which COULD AFFECT STABILITY...

(Bolded parts indicate my corrections)

That's right: I can't let the "nitpickers" around here gain 1 inch of ground on me here in this thread, even with their off topic illogical ad hominem attacks galore all thru it - it'd be about ALL they'd have on me, because they're sure not disproving my other points here!

http://slashdot.org/submission/1838854/microsoft-releases-fix-it-tool-for-duqu-true-type [slashdot.org]

&

http://slashdot.org/submission/1838882/microsoft-releases-duqu-font-parsing-vulnerability [slashdot.org]

* In fact, yesterday I SUBMITTED IT TWICE, & yet the /. "Pro-*NIX/Pro-Penguin" crew around here rejected it twice...

(Yea, I submitted it for news in the recent section, but no - anything that makes MS look like they're doing their job around here gets REJECTED from being posted here on /. apparently!)

Funniest part is, when I posted about that rejection here TODAY? All I got was off topic illogical ad hominem attacks & mod downs... but NO disproving facts I posted though!

Poor showing FUD spreading penguins... absolutely POOR.

(Man... what a bunch of FUD spreading BULLSHIT ARTISTS this forums' full of, including the editorial staff around here obviously based on those rejections I noted!)

AND?

Yes - That temp fix works, & "patch tuesday" is RIGHT around the bend as well...

(So much for YOUR typical "linux FUD" & that goes DOUBLE for the editorial staff here not posting what I put up that has concrete, visible & verifiable data behind it, from TheRegister AND MS themselves!)

APK

P.S.=> It's been a REAL PLEASURE kicking the snot out of BMO & "old sparky" the most though, lol... & yes, I just GOTTA SAY IT, as-is-per-my-usual-style:

THIS? This was just "too, Too, TOO EASY - just '2EZ'" as usual vs. FUD spreading "penguins" that abound here!

Especially when they rejected valid information I posted 2x regarding MS doing their job on the security front vs. Duqu here shown above in the 2 links

As to the rest?

Heh - Read the replies thru this in response to the bullshit artist "BMO" & weep, penguins... lol!

... apk

Re:There are a lot of Microsoft shills here... (1)

Old Sparky (675061) | more than 2 years ago | (#37957286)

I've been bitching about the Microsoft Shill Takeover of Slashdot for awhile now.
Glad to see someone else "gets it".
And again, we see that Microsoft doesn't.

You're a FUD spreading bullshit artist (-1)

Anonymous Coward | more than 2 years ago | (#37957624)

http://tech.slashdot.org/comments.pl?sid=2510534&cid=37957572 [slashdot.org]

"Eat your words" & don't wonder WHY Linux is in "last place" amongst the "big 3" OS out there and why /.'s losing readers

* Yes... it's largely because folks are WISE TO YOUR FUD SPREADING BULLSHIT!

(Slashdot's known to have been losing readership, & fud spreading dorks like you ARE the cause of it!)

APK

P.S.=> Little dickweeds like you make me ill... & small wonder /.'s losing readers - others are more informed too & are realizing the FUD campaigns you losers are resorting to, like Ed Bott said here -> http://www.zdnet.com/blog/bott/leading-pc-makers-confirm-no-windows-8-plot-to-lock-out-linux/4185?tag=nl.e539 [zdnet.com] & I will quote him on it:

"The campaign to spread FUD about Windows 8 is picking up momentum. In the past week, high-profile Linux advocates have tried to add fear, uncertainty, and doubt into what should be a smooth process for implementing a new next-generation security feature."

You exemplify his point there, right @ the outset of his article, to a tee...

... apk

Time to KICK "OldSparky's" ASS more (-1)

Anonymous Coward | more than 2 years ago | (#37958172)

Disprove these RECENTLY documented facts on security douchebag, ok? They're all (mostly) verifiable & from respected + reliable sources, especially regarding security:

---

1st - Linux also doesn't have as high quality drivers or as many because board makers KNOW what is "running the show/market" out there, Windows - so, they cater to it immensely!

2nd - Nor does Linux have as many games, by FAR, either (this is mostly the home market in fact!)

3rd - Not only that, but Linux, in its KERNEL ONLY mind you? Has 4x the unpatched security vulnerabilities Windows 7 has (which IS a complete "distro" with all of its parts, not just a kernel only)!

4th - Despite all those "Open 'SORES'" eyes (most of whom couldn't code to SAVE THEIR LIVES mind you) allegedly poring over Linux code, how come it has that many more unpatched bugs than Windows 7 has, hmmm??

Closed source is HARDER for hacker/crackers to attack as well, because you're stuck either disassembling it (especially tough with kernel level debuggers) OR fuzzing it, either is tougher than searching out problems in Linux, which you just load into a compiler & step trace its "Open 'SORES'" code with to find screwups in security... hence it still has more security bugs, AND, they are unpatched (despite all the "Open 'SORES'" eyes poring over it, lol!)

Fact, period!

5th - In fact, Linux's kernel ALONE has 4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!

Proof? Ok:

This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (11/05/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (11/05/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (11/05/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (11/05/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (11/05/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (11/05/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (11/05/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 9 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (11/05/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (11/05/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (11/05/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (11/05/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (11/05/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x:
(11/05/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x
(08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 8 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (11/05/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (11/05/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (11/05/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 6% (5 of 86 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (11/05/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 154 Secunia advisories)

* Nicest part here is, that the few unpatched vulns ALL have valid easy work arounds (colorui.dll not needed in "headless/servercore" mode & this IS a server OR you can unregister the DLL + the %PATH% issue is a NON-ISSUE by simply editing the path in SYSTEM ICON/Environment in CONTROL PANEL (or doing a reg edit here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ), or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations or by securing them down rights-wise)... can Linux say the same?

Doubt it!

PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

---

FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux), THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", bigtime & even moreso, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (11/05/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (18 of 281 Secunia advisories)

---

AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux (one http://secunia.com/advisories/19402/ [secunia.com] is fixed in later patch builds) there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

NO FIXES @ ALL ARE PRESENT HERE:

http://secunia.com/advisories/14295/ [secunia.com]

NOT A SINGLE ONE IS FIXED HERE & there's 18 OF THEM THERE IN REALITY, not just 1!

I'll even QUOTE secunia on that now:

"Secunia is currently not aware of an updated kernel version addressing the vulnerabilities."

(And, mind you - that's the LINUX 2.6 KERNEL only - the other parts of Linux of FULL Linux distros in apps & more probably add more).

AND

PARTIAL FIXES ONLY PRESENT HERE:

http://secunia.com/advisories/44754/ [secunia.com]

Still has issues: #8 & #9 are STILL UNRESOLVED!

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools for it as well has & LAMP certainly cannot show less errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

Vulnerability Report: MySQL 5.x (11/05/2011):

http://secunia.com/advisories/product/8355/ [secunia.com]

Unpatched 4% (1 of 26 Secunia advisories)

* "GOSH" - Looks like MORE THAN SQLServer 2008 with ZERO unpatched, eh?

In fact...100% more of a lead (in bugs unpatched, lol) Yea... bigtime - Some "dubious honor" that... lol! "Big WIN" (not!).

---

Vulnerability Report: Apache 2.2.x (11/05/2011) part of LAMP, but their site runs a BSD:

http://secunia.com/advisories/product/9633/ [secunia.com]

Unpatched 8% (3 of 26 Secunia advisories)

Ah, what have we HERE now, vs. IIS 7 (again, with ZERO unpatched security vulnerabilities)?

Ah yes... yet again the "LAMP CAMP" shows its "True Colors", 200% more unpatched bugs, & with MORE UNPATCHED SECURITY BUGS! Yet another "Win" (not), eh??

---

Vulnerability Report: PHP 5.3.x (11/05/2011):

http://secunia.com/advisories/product/27504/ [secunia.com]

Unpatched 8% (1 of 13 Secunia advisories)

WHAT'S THIS? YET ANOTHER "LEAD" (lol, in unpatched security bugs) for the "LAMP CAMP"??

Another "100% lead" (loss is more like it) no less, vs. MS Visual Studio 2010 or Office 2010 (& their attendant XML, browsers in IE9 even, & MORE - per my earlier posts!)

The RESULTS (very recent mind you) of these unpatched vulnerabilities in "Open SORES/*NIX ware?"

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

* Part of LAMP, but their site runs a BSD

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM", non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

AND, AGAIN - Do NOTE that SQLServer, IIS7, Windows Server 2008, & Visual Studio 2010 have fewer security bugs unpatched, BY FAR, than does the "LAMP" stack... period!

Now, as to LINUX in a stock exchange? Ok:

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

and

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)...

So... You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope! Your marketshare shows that also -> http://tech.slashdot.org/comments.pl?sid=2506468&threshold=-1&commentsort=0&mode=thread&pid=37929368 [slashdot.org] & the ONLY REASON LINUX GETS USED (mostly for servers, it's niche) is because it is "no cost" & businesses are in business to max profits & keep overhead costs down (only problem is, when you get HIT BY A LAWSUIT for security issues, who can you hold responsible from the 'freebie' camp?)

... apk

Re:There are a lot of Microsoft shills here... (0)

Anonymous Coward | more than 2 years ago | (#37958402)

I regret to inform you your tinfoil hat has been delayed but should arrive sometime next week.

Microsoft's already issued a FIX (-1)

Anonymous Coward | more than 2 years ago | (#37957572)

http://slashdot.org/submission/1838854/microsoft-releases-fix-it-tool-for-duqu-true-type [slashdot.org]

&

http://slashdot.org/submission/1838882/microsoft-releases-duqu-font-parsing-vulnerability [slashdot.org]

* In fact, yesterday I SUBMITTED IT TWICE, & yet the /. "Pro-*NIX/Pro-Penguin" crew around here rejected it twice...

(Yea, I submitted it for news in the recent section, but no - anything that makes MS look like they're doing their job around here gets REJECTED from being posted... what a bunch of FUD spreading BULLSHIT ARTISTS this forum's full of, including the editorial staff around here obviously based on those rejections I noted!)

AND?

Yes - That temp fix works, & "patch tuesday" is RIGHT around the bend as well...

(So much for YOUR typical "linux FUD" & that goes DOUBLE for the editorial staff here not posting what I put up that has concrete, visible & verifiable data behind it, from TheRegister AND MS themselves!)

APK

P.S.=>

"There are a lot of Microsoft shills here..." - by bmo (77928) on Saturday November 05, @08:02AM (#37956882)

Listen you damn BULLSHIT artist FUD spreader - see the above, & tell us another one, ok?

... apk

Re:Microsoft's already issued a FIX (1)

bmo (77928) | more than 2 years ago | (#37957792)

Come at me, bro.

After you take your fucking meds.

--
BMO

FACTS vs. your "FUD" (that the "best you've got"?) (-1)

Anonymous Coward | more than 2 years ago | (#37957838)

Illogical off-topic ad hominem attacks? Ok: Here's FACTS (on security) in response to THAT type of "Penguin FUD":

In fact? Time to BLOW your "forums 'Illogic-Logic'" spinmaster crap to hell with MORE facts & actual logic + documented facts! Ready? Read on:

---

1st - Linux also doesn't have as high quality drivers or as many because board makers KNOW what is "running the show/market " out there, Windows - so, they cater to it immensely!

2nd - Nor does Linux have as many games, by FAR, either (this is mostly the home market in fact!)

3rd - Not only that, but Linux, in its KERNEL ONLY mind you? Has 4x the unpatched security vulnerabilities Windows 7 has (which IS a complete "distro" with all of its parts, not just a kernel only)!

4th - Despite all those "Open 'SORES'" eyes (most of whom couldn't code to SAVE THEIR LIVES mind you) allegedly poring over Linux code, how come it has that many more unpatched bugs than Windows 7 has, hmmm??

Closed source is HARDER for hacker/crackers to attack as well, because you're stuck either disassembling it (especially tough with kernel level debuggers) OR fuzzing it, either is tougher than searching out problems in Linux, which you just load into a compiler & step trace its "Open 'SORES'" code with to find screwups in security... hence it still has more security bugs, AND, they are unpatched (despite all the "Open 'SORES'" eyes poring over it, lol!)

Fact, period!

5th - In fact, Linux's kernel ALONE has 4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!

Proof? Ok:

This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (11/05/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (11/05/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (11/05/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (11/05/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (11/05/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (11/05/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (11/05/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 9 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (11/05/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (11/05/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (11/05/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (11/05/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (11/05/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x: (11/05/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x: (08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 8 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (11/05/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (11/05/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (11/05/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 6% (5 of 86 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (11/05/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 154 Secunia advisories)

* Nicest part here is, that the few unpatched vulns ALL have valid easy workarounds (colorui.dll not needed in "headless/servercore" mode & this IS a server, OR you can unregister the DLL; + the %PATH% issue is a NON-ISSUE by simply editing the path in SYSTEM ICON/Environment in CONTROL PANEL (or doing a reg edit here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ), or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations, or by securing them down rights-wise)... can Linux say the same?

Doubt it!

PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

---

FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux) , THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", bigtime & even more so, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (11/05/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (18 of 281 Secunia advisories)

---

AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux (one http://secunia.com/advisories/19402/ [secunia.com] is fixed in later patch builds) there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

NO FIXES @ ALL ARE PRESENT HERE:

http://secunia.com/advisories/14295/ [secunia.com]

NOT A SINGLE ONE IS FIXED HERE & there's 18 OF THEM THERE IN REALITY, not just 1!

I'll even QUOTE secunia on that now:

"Secunia is currently not aware of an updated kernel version addressing the vulnerabilities."

(And, mind you - that's the LINUX 2.6 KERNEL only - the other parts of Linux in FULL Linux distros, in apps & more, probably add more).

AND

PARTIAL FIXES ONLY PRESENT HERE:

http://secunia.com/advisories/44754/ [secunia.com]

It still has issues: #'s 8 & 9 are STILL UNRESOLVED!

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools with has, & LAMP certainly cannot show fewer errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

Vulnerability Report: MySQL 5.x (11/05/2011):

http://secunia.com/advisories/product/8355/ [secunia.com]

Unpatched 4% (1 of 26 Secunia advisories)

* "GOSH" - Looks like MORE THAN SQLServer 2008 with ZERO unpatched, eh?

In fact...100% more of a lead (in bugs unpatched, lol) Yea... bigtime - Some "dubious honor" that... lol! "Big WIN" (not!).

---

Vulnerability Report: Apache 2.2.x (11/05/2011) part of LAMP, but their site runs a BSD:

http://secunia.com/advisories/product/9633/ [secunia.com]

Unpatched 8% (2 of 25 Secunia advisories)

Ah, what have we HERE now, vs. IIS 7 (again, with ZERO unpatched security vulnerabilities)?

Ah yes... yet again the "LAMP CAMP" shows its "True Colors", 200% more unpatched bugs, & with MORE UNPATCHED SECURITY BUGS! Yet another "Win" (not), eh??

---

Vulnerability Report: PHP 5.3.x (11/05/2011):

http://secunia.com/advisories/product/27504/ [secunia.com]

Unpatched 8% (1 of 13 Secunia advisories)

WHAT'S THIS? YET ANOTHER "LEAD" (lol, in unpatched security bugs) for the "LAMP CAMP"??

Another "100% lead" (loss is more like it) no less, vs. MS Visual Studio 2010 or Office 2010 (& their attendant XML, browsers in IE9 even, & MORE - per my earlier posts!)

The RESULTS (very recent mind you) of these unpatched vulnerabilities in "Open SORES/*NIX ware?"

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

* Part of LAMP, but their site runs a BSD

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM", non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

AND, AGAIN - Do NOTE that SQLServer, IIS7, Windows Server 2008, & Visual Studio 2010 have fewer security bugs unpatched, BY FAR, than does the "LAMP" stack... period!

Now, as to LINUX in a stock exchange? Ok:

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

and

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)...

So... You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope! Your marketshare shows that also -> http://tech.slashdot.org/comments.pl?sid=2506468&threshold=-1&commentsort=0&mode=thread&pid=37929368 [slashdot.org] & the ONLY REASON LINUX GETS USED (mostly for servers, it's niche) is because it is "no cost" & businesses are in business to max profits & keep overhead costs down (only problem is, when you get HIT BY A LAWSUIT for security issues, who can you hold responsible from the 'freebie' camp?)

... apk

Re:Microsoft's already issued a FIX (0)

Anonymous Coward | more than 2 years ago | (#37957824)

They did not publish a fix; they published a workaround that reduces the functionality of the apps running on the machine. This may be a good tradeoff for people who are especially worried about this particular attack, but even Microsoft doesn't try to spin it as a fix. They also announced that they will NOT have a patch for this out on the November patch Tuesday. That should actually be pretty obvious due to their test cycles and when this particular issue became known. At this point we don't know if they will issue an out of band patch later in November or wait for the December patch cycle.

MS = doing their job, but not LINUX (on security) (-1)

Anonymous Coward | more than 2 years ago | (#37957884)

The temp fix, works, & MS is doing their job... is Linux? Well, let's see about that!

In fact? Time to BLOW your "forums 'Illogic-Logic'" spinmaster crap to hell with MORE facts & actual logic + documented facts! Ready? Read on:

---

1st - Linux also doesn't have as high quality drivers or as many because board makers KNOW what is "running the show/market " out there, Windows - so, they cater to it immensely!

2nd - Nor does Linux have as many games, by FAR, either (this is mostly the home market in fact!)

3rd - Not only that, but Linux, in its KERNEL ONLY mind you? Has 4x the unpatched security vulnerabilities Windows 7 has (which IS a complete "distro" with all of its parts, not just a kernel only)!

4th - Despite all those "Open 'SORES'" eyes (most of whom couldn't code to SAVE THEIR LIVES mind you) allegedly poring over Linux code, how come it has that many more unpatched bugs than Windows 7 has, hmmm??

Closed source is HARDER for hacker/crackers to attack as well, because you're stuck either disassembling it (especially tough with kernel level debuggers) OR fuzzing it, either is tougher than searching out problems in Linux, which you just load into a compiler & step trace its "Open 'SORES'" code with to find screwups in security... hence it still has more security bugs, AND, they are unpatched (despite all the "Open 'SORES'" eyes poring over it, lol!)

Fact, period!

5th - In fact, Linux's kernel ALONE has 4x the # of unpatched bugs the ENTIRE SUITE/ARRAY OF WHAT MICROSOFT GIVES YOU TO DO BUSINESS & DEVELOPMENT WITH!

Proof? Ok:

This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (11/05/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (11/05/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (11/05/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (11/05/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (11/05/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (11/05/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (11/05/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 9 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (11/05/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (11/05/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (11/05/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (11/05/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (11/05/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x: (11/05/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x: (08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 8 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (11/05/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (11/05/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (11/05/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 6% (5 of 86 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (11/05/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 154 Secunia advisories)

* Nicest part here is, that the few unpatched vulns ALL have valid easy workarounds (colorui.dll not needed in "headless/servercore" mode & this IS a server, OR you can unregister the DLL; + the %PATH% issue is a NON-ISSUE by simply editing the path in SYSTEM ICON/Environment in CONTROL PANEL (or doing a reg edit here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ), or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations, or by securing them down rights-wise)... can Linux say the same?

Doubt it!

PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

---

FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux) , THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", bigtime & even more so, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (11/05/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (18 of 281 Secunia advisories)

---

AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux (one http://secunia.com/advisories/19402/ [secunia.com] is fixed in later patch builds) there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

NO FIXES @ ALL ARE PRESENT HERE:

http://secunia.com/advisories/14295/ [secunia.com]

NOT A SINGLE ONE IS FIXED HERE & there's 18 OF THEM THERE IN REALITY, not just 1!

I'll even QUOTE secunia on that now:

"Secunia is currently not aware of an updated kernel version addressing the vulnerabilities."

(And, mind you - that's the LINUX 2.6 KERNEL only - the other parts of Linux in FULL Linux distros, in apps & more, probably add more).

AND

PARTIAL FIXES ONLY PRESENT HERE:

http://secunia.com/advisories/44754/ [secunia.com]

It still has issues: #'s 8 & 9 are STILL UNRESOLVED!

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools with has, & LAMP certainly cannot show fewer errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

Vulnerability Report: MySQL 5.x (11/05/2011):

http://secunia.com/advisories/product/8355/ [secunia.com]

Unpatched 4% (1 of 26 Secunia advisories)

* "GOSH" - Looks like MORE THAN SQLServer 2008 with ZERO unpatched, eh?

In fact...100% more of a lead (in bugs unpatched, lol) Yea... bigtime - Some "dubious honor" that... lol! "Big WIN" (not!).

---

Vulnerability Report: Apache 2.2.x (11/05/2011) part of LAMP, but their site runs a BSD:

http://secunia.com/advisories/product/9633/ [secunia.com]

Unpatched 8% (2 of 25 Secunia advisories)

Ah, what have we HERE now, vs. IIS 7 (again, with ZERO unpatched security vulnerabilities)?

Ah yes... yet again the "LAMP CAMP" shows its "True Colors", 200% more unpatched bugs, & with MORE UNPATCHED SECURITY BUGS! Yet another "Win" (not), eh??

---

Vulnerability Report: PHP 5.3.x (11/05/2011):

http://secunia.com/advisories/product/27504/ [secunia.com]

Unpatched 8% (1 of 13 Secunia advisories)

WHAT'S THIS? YET ANOTHER "LEAD" (lol, in unpatched security bugs) for the "LAMP CAMP"??

Another "100% lead" (loss is more like it) no less, vs. MS Visual Studio 2010 or Office 2010 (& their attendant XML, browsers in IE9 even, & MORE - per my earlier posts!)

The RESULTS (very recent mind you) of these unpatched vulnerabilities in "Open SORES/*NIX ware?"

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

* Part of LAMP, but their site runs a BSD

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM", non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

AND, AGAIN - Do NOTE that SQLServer, IIS7, Windows Server 2008, & Visual Studio 2010 have fewer security bugs unpatched, BY FAR, than does the "LAMP" stack... period!

Now, as to LINUX in a stock exchange? Ok:

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

and

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)...

So... You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, window managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope! Your marketshare shows that also -> http://tech.slashdot.org/comments.pl?sid=2506468&threshold=-1&commentsort=0&mode=thread&pid=37929368 [slashdot.org] & the ONLY REASON LINUX GETS USED (mostly for servers, it's niche) is because it is "no cost" & businesses are in business to max profits & keep overhead costs down (only problem is, when you get HIT BY A LAWSUIT for security issues, who can you hold responsible from the 'freebie' camp?)

... apk

Kick their ass APK (all they have is moddowns) (0)

Anonymous Coward | more than 2 years ago | (#37958118)

They can't fight ur facts on security where "feeble freebie Linux" utterly BLOWS here http://tech.slashdot.org/comments.pl?sid=2510534&cid=37957838 [slashdot.org]

Re:There are a lot of Microsoft shills here... (1)

SCVirus (774240) | more than 2 years ago | (#37957922)

10 year old equipment? No. But NT4 was released 15 years ago, and was expected to work on hardware considerably older than that. In the mid 90s, security was a joke. Every operating system had a plethora of unpatched, often public, remote root vulnerabilities.

The real question is, "Is there any good reason this was never changed?".

VISTA onwards runs GUI in Ring3/usermode (-1)

Anonymous Coward | more than 2 years ago | (#37958364)

VISTA/Windows7/Server 2008 run their GUI in Ring3/RPL3/usermode... guess again!

This is EASILY provable too, by the end user: How? Install your vidcard drivers nowadays on those OSes and you do NOT NEED A REBOOT (the DirectX-driven AeroGlass display doesn't need it is why, pure usermode being why)

Heck - even Windows "classic mode" (which I use over AEROGLASS here) doesn't NEED a reboot... even though it doesn't run the 2-3 services (themes & others) associated with AEROGLASS anymore... which IS more "proof thereof" to what I am saying here.

NOW, on security, Windows vs. Linux currently? OK (ALL penguins need to 'chew on this', & disprove my documented facts on my points below):

This data's ALL from a respected source (secunia.com) for known security vulnerabilities unpatched:

---

Vulnerability Report: Microsoft SQL Server 2008: (11/05/2011)

http://secunia.com/advisories/product/21744/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (11/05/2011)

http://secunia.com/advisories/product/17543/ [secunia.com]

Unpatched 0% (0 of 6 Secunia advisories)

Vulnerability Report: Microsoft Exchange Server 2010: (11/05/2011)

http://secunia.com/advisories/product/28234/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft SharePoint Server 2010: (11/05/2011)

http://secunia.com/advisories/product/29809/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (11/05/2011)

http://secunia.com/advisories/product/34343/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Baseline Security Analyzer 2.x: (11/05/2011):

http://secunia.com/advisories/product/6436/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Office 2010: (11/05/2011)

http://secunia.com/advisories/product/30529/?task=advisories [secunia.com]

Unpatched 0% (0 of 9 Secunia advisories)

Vulnerability Report: Microsoft Project 2010: (11/05/2011)

http://secunia.com/advisories/product/31177/ [secunia.com]

Unpatched 0% (0 of 0 Secunia advisories)

Vulnerability Report: Microsoft Windows Services for UNIX 3.x: (11/05/2011)

http://secunia.com/advisories/product/5244/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft Internet Explorer 9.x: (11/05/2011)

http://secunia.com/advisories/product/34591/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Virtual PC 2007: (11/05/2011)

http://secunia.com/advisories/product/14315/ [secunia.com]

Unpatched 0% (0 of 1 Secunia advisories)

Vulnerability Report: Microsoft Visual Studio 2010: (11/05/2011)

http://secunia.com/advisories/product/30853/?task=advisories [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft DirectX 10.x: (11/05/2011)

http://secunia.com/advisories/product/16896/ [secunia.com]

Unpatched 0% (0 of 3 Secunia advisories)

Vulnerability Report: Microsoft .NET Framework 4.x: (08/02/2011)

http://secunia.com/advisories/product/29592/ [secunia.com]

Unpatched 0% (0 of 8 Secunia advisories)

Vulnerability Report: Microsoft Silverlight 4.x: (11/05/2011)

http://secunia.com/advisories/product/28947/ [secunia.com]

Unpatched 0% (0 of 2 Secunia advisories)

Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (11/05/2011)

http://secunia.com/advisories/product/6473/ [secunia.com]

Unpatched 0% (0 of 4 Secunia advisories)

Vulnerability Report: Microsoft Windows 7: (11/05/2011)

http://secunia.com/advisories/product/27467/?task=advisories [secunia.com]

Unpatched 6% (5 of 86 Secunia advisories)

OR

Vulnerability Report: Microsoft Windows Server 2008: (11/05/2011)

http://secunia.com/advisories/product/18255/?task=advisories [secunia.com]

Unpatched 3% (4 of 154 Secunia advisories)

* Nicest part here is, that the few unpatched vulns ALL have valid easy work arounds (colorui.dll not needed in "headless/servercore" mode & this IS a server OR you can unregister the DLL + the %PATH% issue is a NON-ISSUE by simply editing the path in SYSTEM ICON/Environment in CONTROL PANEL (or doing a reg edit here -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment ), or don't apply to workstations, or can be secured for (by turning off services you don't need, especially on desktops/workstations or by securing them down rights-wise))... can Linux say the same?

Doubt it!

PLUS, what REALLY causes malware outbreaks in Windows?? JAVA, & Adobe Products MOSTLY (99.8% in fact), per this:

http://net-security.org/malware_news.php?id=1863 [net-security.org]

& this:

http://www.net-security.org/secworld.php?id=11759 [net-security.org]

---

FACT - THAT'S 4x++ LESS UNPATCHED SECURITY VULNERABILITIES ON MS NEAR ENTIRE ARRAY OF WHAT THEY GIVE YOU FOR BUSINESS & DEVELOPMENT (& I know that LAMP can't say the same & tosses on even MORE errors into the mix for Linux) , THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE!

NOW- Toss on the rest of what goes into a Linux distro OR the "LAMP" stack, also (Linux, Apache, MySQL, PHP)?

?

That # goes "up, Up, UP & AWAY...", bigtime & even moreso, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least).

So, that "all said & aside"?

Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:

---

Vulnerability Report: Linux Kernel 2.6.x (11/05/2011)

http://secunia.com/advisories/product/2719/?task=advisories [secunia.com]

Unpatched 6% (18 of 281 Secunia advisories)

---

AND YES, there are 3 remotely vulnerable unpatched security problems outstanding in Linux (one http://secunia.com/advisories/19402/ [secunia.com] is fixed in later patch builds) there too, unpatched (despite all the "Open 'SORES' eyes" out there to fix it (yea, "right", not!))

NO FIXES @ ALL ARE PRESENT HERE:

http://secunia.com/advisories/14295/ [secunia.com]

NOT A SINGLE ONE IS FIXED HERE & there's 18 OF THEM THERE IN REALITY, not just 1!

I'll even QUOTE secunia on that now:

"Secunia is currently not aware of an updated kernel version addressing the vulnerabilities."

(And, mind you - that's the LINUX 2.6 KERNEL only - the other parts of Linux of FULL Linux distros in apps & more probably add more).

AND

PARTIAL FIXES ONLY PRESENT HERE:

http://secunia.com/advisories/44754/ [secunia.com]

Still has issues: #'s 8 & 9 are STILL UNRESOLVED!

* Additionally/again - so it "sinks in":

That's also more than the ENTIRE GAMUT of what MS gives folks to do business & build tools for it as well has & LAMP certainly cannot show less errors in unpatched security vulnerabilities than 5 total from MS...

In fact? LAMP is the favored attack for phishers & spammers:

http://www.theregister.co.uk/2011/06/10/domains_lamped/ [theregister.co.uk]

---

PERTINENT QUOTE:

"Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey.

Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers,"

---

Vulnerability Report: MySQL 5.x (11/05/2011):

http://secunia.com/advisories/product/8355/ [secunia.com]

Unpatched 4% (1 of 26 Secunia advisories)

* "GOSH" - Looks like MORE THAN SQLServer 2008 with ZERO unpatched, eh?

In fact...100% more of a lead (in bugs unpatched, lol) Yea... bigtime - Some "dubious honor" that... lol! "Big WIN" (not!).

---

Vulnerability Report: Apache 2.2.x (11/05/2011) part of LAMP, but their site runs a BSD:

http://secunia.com/advisories/product/9633/ [secunia.com]

Unpatched 8% (3 of 26 Secunia advisories)

Ah, what have we HERE now, vs. IIS 7 (again, with ZERO unpatched security vulnerabilities)?

Ah yes... yet again the "LAMP CAMP" shows its "True Colors", 200% more unpatched bugs, & with MORE UNPATCHED SECURITY BUGS! Yet another "Win" (not), eh??

---

Vulnerability Report: PHP 5.3.x (11/05/2011):

http://secunia.com/advisories/product/27504/ [secunia.com]

Unpatched 8% (1 of 13 Secunia advisories)

WHAT'S THIS? YET ANOTHER "LEAD" (lol, in unpatched security bugs) for the "LAMP CAMP"??

Another "100% lead" (loss is more like it) no less, vs. MS Visual Studio 2010 or Office 2010 (& their attendant XML, browsers in IE9 even, & MORE - per my earlier posts!)

The RESULTS (very recent mind you) of these unpatched vulnerabilities in "Open SORES/*NIX ware?"

---

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Breaching Fort Apache.org - What went wrong?

http://www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ [theregister.co.uk]

* Part of LAMP, but their site runs a BSD

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

COMPARE & CONTRAST WINDOWS RUNNING IN A HIGH-TPM ENVIRONS SERVER-WISE NOW:

Windows also has been running 24x7 since 2005 for NASDAQ, acting as its "OFFICIAL TRADE DATA DISSEMINATION SYSTEM", non-stop, via Windows Server 2003 + SQLServer 2005 in fail-over clustering on the server-front too!

NASDAQ Migrates to SQL Server 2005:

http://www.windowsfs.com/enews/nasdaq-migrates-to-sql-server-2005 [windowsfs.com]

and here:

NASDAQ Uses SQL Server 2005 - Reducing Costs through Better Data Management:

http://blog.sqlauthority.com/2007/09/17/sqlauthority-news-nasdaq-uses-sql-server-2005-reducing-costs-through-better-data-management/ [sqlauthority.com]

(For proof thereof... for coming up on a DECADE OF SOLID UPTIME uninterrupted & "bulletproof + bugfree", @ NASDAQ too, a high-tpm environs, not just a mail or webserver!)

AND, AGAIN - Do NOTE that SQLServer, IIS7, Windows Server 2008, & Visual Studio 2010 have less security bugs unpatched, BY FAR, than does the "LAMP" stack... period!

Now, as to LINUX in a stock exchange? Ok:

http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch [slashdot.org]

and

http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

The majority (4/5) of what was breached RAN LINUX (StartCom, GlobalSign, DigiCert, & Comodo)...

So... You like Apples? HOW DO YOU LIKE THOSE APPLES (compared, apples to apples no less), & the stats above for Linux, kernel only? Well, again - it's also NOT the entire 'gamut/array' of what actually comes in a Linux distro as well!

(E.G.-> Such as the attendant GUI, window managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO)

THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE, and worse, for LINUX!!!

So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?

(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX variant too), because it's being shredded on the security-front lately, unfortunately)

BOTTOM-LINE:

What this all comes down to, is all the "Pro-*NIX propaganda straight outta pravda" practically doesn't stand up very well against concrete, verifiable & visible facts now, does it? Nope! Your marketshare shows that also -> http://tech.slashdot.org/comments.pl?sid=2506468&threshold=-1&commentsort=0&mode=thread&pid=37929368 [slashdot.org] & the ONLY REASON LINUX GETS USED (mostly for servers, it's niche) is because it is "no cost" & businesses are in business to max profits & keep overhead costs down (only problem is, when you get HIT BY A LAWSUIT for security issues, who can you hold responsible from the 'freebie' camp?)

... apk

I guess so.. (1)

CFBMoo1 (157453) | more than 2 years ago | (#37956892)

"This is the first time that the exact location and nature of the flaw has been made public."

They want to push Metro out as the replacement. Anything that knocks down older technologies that even they sold at one time helps. Great way to push people off another possible Internet Explorer 6 so to speak for Windows 8.

deserved (2)

Tom (822) | more than 2 years ago | (#37956900)

in NT4 and later fonts are parsed in kernel mode!

Anyone who doesn't immediately realize this is a recipe for trouble? Parsing externally-supplied data in kernel mode. Yeah, like that never got anyone...

For all the really, really smart people that MS employs, why do they keep on making the dumbest mistakes one could come up with if it were a "dumb idea of the month" challenge?
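Tom's point above, that externally supplied font data should not be parsed with kernel privileges, is what user-mode sanitizers such as the OTS project mentioned in the summary act on: they reject a malformed font before any privileged parser sees it. Below is an added example of that idea, written for this page and not code from OTS, Microsoft or anyone in the thread. It checks only the outer sfnt container (the 12-byte offset table and the table directory shared by TrueType and OpenType), which is where a lying table count or an offset+length sum that runs past the buffer would first be caught. The sample fonts and the `good_font`, `oversized_table_font` and `lying_header_font` helpers are constructed here for illustration; they are not files from the page.

```python
import struct

# sfnt container layout (OpenType / TrueType): a 12-byte offset table followed
# by one 16-byte record per table.  Both structs are big-endian.
HEADER_FMT = ">4sHHHH"   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
RECORD_FMT = ">4sIII"    # tag, checkSum, offset, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 16
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}


def table_checksum(blob: bytes) -> int:
    """OpenType table checksum: sum of big-endian uint32 words, table zero-padded to 4 bytes."""
    padded = blob + b"\x00" * (-len(blob) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def sanitize_sfnt(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the table
    directory is internally consistent and every table lies inside the file."""
    problems = []
    if len(data) < HEADER_LEN:
        return ["file shorter than the 12-byte sfnt header"]
    version, num_tables, _, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if version not in SFNT_VERSIONS:
        problems.append("unknown sfntVersion %r" % version)
    dir_end = HEADER_LEN + num_tables * RECORD_LEN
    if dir_end > len(data):
        # A numTables larger than the file can hold would make a naive parser read past its buffer.
        problems.append("numTables=%d puts the table directory past end of file" % num_tables)
        return problems
    seen, ranges = set(), []
    for i in range(num_tables):
        tag, checksum, offset, length = struct.unpack_from(RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        if tag in seen:
            problems.append("duplicate table %r" % tag)
        seen.add(tag)
        if offset % 4:
            problems.append("table %r is not 4-byte aligned" % tag)
        if offset < dir_end:
            problems.append("table %r overlaps the table directory" % tag)
        end = offset + length  # Python ints cannot wrap; a C parser must check this sum for overflow
        if end > len(data):
            problems.append("table %r: offset %d + length %d exceeds file size %d"
                            % (tag, offset, length, len(data)))
            continue
        # 'head' carries checkSumAdjustment, so its record checksum is not verified here.
        if tag != b"head" and table_checksum(data[offset:end]) != checksum:
            problems.append("table %r: checksum mismatch" % tag)
        ranges.append((offset, end, tag))
    ranges.sort()
    for (_, prev_end, prev_tag), (off, _, tag) in zip(ranges, ranges[1:]):
        if off < prev_end:
            problems.append("tables %r and %r overlap" % (prev_tag, tag))
    return problems


def build_sfnt(tables) -> bytes:
    """Assemble a minimal sfnt file from (tag, bytes) pairs (constructed sample data)."""
    offset = HEADER_LEN + len(tables) * RECORD_LEN
    records, blobs = [], []
    for tag, blob in tables:
        padded = blob + b"\x00" * (-len(blob) % 4)
        records.append(struct.pack(RECORD_FMT, tag, table_checksum(blob), offset, len(blob)))
        blobs.append(padded)
        offset += len(padded)
    header = struct.pack(HEADER_FMT, b"\x00\x01\x00\x00", len(tables), 0, 0, 0)
    return header + b"".join(records) + b"".join(blobs)


def good_font() -> bytes:
    """Well-formed two-table container (constructed; table contents are placeholders)."""
    return build_sfnt([(b"cmap", b"\x00\x00\x00\x04abcd"), (b"glyf", b"\x01\x02\x03")])


def oversized_table_font() -> bytes:
    """Same file, but the first record claims a length that runs far past the end."""
    buf = bytearray(good_font())
    struct.pack_into(">I", buf, HEADER_LEN + 12, 0xFFFFFFF0)  # length field of record 0
    return bytes(buf)


def lying_header_font() -> bytes:
    """A bare header announcing 1000 tables that are not there."""
    return struct.pack(HEADER_FMT, b"\x00\x01\x00\x00", 1000, 0, 0, 0)


if __name__ == "__main__":
    for name, font in (("good", good_font()), ("oversized", oversized_table_font()),
                       ("lying header", lying_header_font())):
        print(name, sanitize_sfnt(font) or "OK")
```

The point of the design is that every arithmetic result derived from the file (directory end, table end, overlap) is compared against the real buffer length before any byte at that position is touched, and the pass runs in an unprivileged process so a rejection costs nothing more than a refused font. A real sanitizer goes on to validate each table's internals; the container checks here are the part that applies regardless of font flavour.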

Re:deserved (1)

Rockoon (1252108) | more than 2 years ago | (#37956924)

Hello Mr Low ID number.

I'll bet you anything that this code was in the kernel before you signed up here at slashdot. What does that say about your pretense that this was recently thought up?

I await your snarky reply.

Re:deserved (0)

Anonymous Coward | more than 2 years ago | (#37957020)

yeah, maybe that's the low-digit UID /. auctioned for charity on its tenth birthday?

---- just a wild guess ---- :)

Re:deserved (1)

dbIII (701233) | more than 2 years ago | (#37957360)

What does that say about your pretense that this was recently thought up?

You've lost me. Where outside some dark corner of your own mind with possible chemical assistance is that suggested? Please quote it.

Re:deserved (0)

Anonymous Coward | more than 2 years ago | (#37957384)

Around here:

why do they keep on making the dumbest mistakes

Re:deserved (2)

rocket rancher (447670) | more than 2 years ago | (#37957710)

What does that say about your pretense that this was recently thought up?

You've lost me. Where outside some dark corner of your own mind with possible chemical assistance is that suggested? Please quote it.

Dude, you are the one huffing glue. "keep on making" and "dumb idea of the month" imply a level of immediacy and concurrency that is absolutely unwarranted. The guy is hiding behind a 3 digit ID, thinking it shields him when he makes an asinine remark. It doesn't.

Re:deserved (0)

Anonymous Coward | more than 2 years ago | (#37958004)

What kind of bullshit, inverted Appeal to Authority argument is this?
People with low IDs suddenly have to watch their mouths or else get accused of hiding behind them? Why exactly does having a 3-digit ID suddenly hold you to a higher standard than every other pseudonymous fucknut with an opinion on Slashdot?

Re:deserved (1)

Tom (822) | more than 2 years ago | (#37958588)

"keep on making" and "dumb idea of the month" imply a level of immediacy and concurrency that is absolutely unwarranted.

Ah, I see the misunderstanding.

No concurrency was intended. "keep on making" was intended to cover basically the entire existence of MS, who have been doing stupid mistakes like this for as long as I can remember. And the "dumb idea of the month" is a figure of speech not referring to any specific month, neither present nor past.

The guy is hiding behind a 3 digit ID

No, the ID is too short to hide behind. :-)

Re:deserved (1)

Waffle Iron (339739) | more than 2 years ago | (#37958030)

I'll bet you anything that this code was in the kernel before you signed up here at slashdot..

What was supposed to have happened during Microsoft's security "rebirth", where they put Longhorn development on ice for about a year so they could overhaul XP for Internet-worthy security robustness? What about since that time where they've supposedly been using the most advanced code verification tools on the planet to verify their OS?

Shouldn't they have reimplemented this feature in userspace at some point during that long process?

Re:deserved (1)

Tom (822) | more than 2 years ago | (#37958550)

I'll bet you anything that this code was in the kernel before you signed up here at slashdot. What does that say about your pretense that this was recently thought up?

I didn't say anywhere this was recent. Adding something like that to kernel code was an obviously stupid idea even at that time.

And yes, it is probably about two years older than my /. membership.

win32000? What? (-1)

Anonymous Coward | more than 2 years ago | (#37956942)

Oh, you meant kernel32.dll, or what? For all the techieness here, being precise is apparently Just Too Hard for the windows crowd.

Re:win32000? What? (1)

rossdee (243626) | more than 2 years ago | (#37957318)

I was wondering if it was Windows Version 32768 - and since they are only up to Win 8 now that has to be way in the future.
It will probably need a googolplex of RAM to run, and while it is booting up, you can go have lunch at Milliways.

Re:win32000? What? (0)

Anonymous Coward | more than 2 years ago | (#37957426)

Windows crowd here -- no, we didn't. The referenced file is, in fact, a driver called win32k.sys.

A lot of MS bashing going on in here.. (0)

Anonymous Coward | more than 2 years ago | (#37956980)

If anyone is interested in why MS does a lot of things in kernel mode and how that isn't a bad thing, I suggest he/she read Windows Internals, 4th edition, chapter "Operating system model". Of course you can screw up quite easily in k-mode, and that's apparently what some unfortunate dev at MS did, but it doesn't mean that the whole design is flawed. That's for all those "omg bbq kernel mode is bad mmmkay" blokes.

Xbox (2)

crdotson (224356) | more than 2 years ago | (#37957206)

Isn't this how people hacked the original xbox so many years ago (a font vulnerability)? It's not like they haven't been warned...

Pretty sure I was a victim (0)

msobkow (48369) | more than 2 years ago | (#37958532)

The past week or so, my Windows XP boot partition started behaving strangely. I had problems with Firefox and other applications that had never had problems before, and which had not been upgraded, and noticed a significant impact on download speeds.

Avast didn't detect whatever it was, even with a boot-scan.

Rather than play around trying to get rid of an unidentified virus, I nuked the XP boot partition completely and switched over to Linux full-time for now.

On the bright side, it was over 8 years since the last time I got infected with an XP box, so I don't think it did too badly for its time.
