Virus Issue 2
ubuntu-users at crispin.cb-ss.net
Sun Mar 27 09:57:14 UTC 2005
Andre Truter wrote:
> But I still think that the design of certain parts of Windows is just
> opening up doors for virus writers, etc.
> You can use VB to write a program that can do anything on a system by
> using ActiveX controls and OCX components.
Two points here: firstly, you can only 'do anything' if the host process
is running as Administrator. That's the big problem. So the golden rule
for running Windows should be to only use Administrator when absolutely
needed; just as per root with Linux. MS *has*, I completely admit,
encouraged default use of Administrator for ordinary users. But it's not
necessary; bad policy rather than bad design.
Secondly, I don't think ActiveX components running with IE as host
(which is really where the problem lies rather than with ActiveX as
such) is part of the 'design' of Windows either. It's a bit of
smoke-and-mirrors designed to embrace and extend web browsing. It's
incredibly stupid, and probably immoral, for sure.
> Linux has been designed to not allow stuff like that. The application
> needs to be run as root to have access to any system resources, except
> if there is an exploit but in Windows you don't even need an exploit
> to do this.
I'm not sure I follow this -- in Windows (as long as permissions and
user privileges are set up correctly, which pre-Windows 2003 they were
not) Administrator is necessary to have access crucial system resources,
similarly to root with linux.
Actually Windows has quite a fine-grained security system for access to
all resources. It is probably a bit too complex for a typical windows
administrator to really handle, and the default set up has in the past
(before 2003) been crap, but it is quite capable of being run securely
in the hands of someone competent.
> I am not out to just bash Windows, I am just trying to explain why I
> think viruses has been running wild on Windows, but on no other
> operating system.
I think the reasons are really: (1) promiscuous use of RPC (most of the
early worms used this as primary transmission mechanism). (2) promotion
of irresponsible OS configuration defaults by MS (god only knows why
they haven't been sued over this) (3) Casual, over-hasty introduction of
client technologies designed to give Windows an *appearance* of fancier
features than other OS's, especially for 'commodity apps' (eg. email -
Outlook Express -- and web browsing -- IE).
Without these three 'features', I believe viruses & worms would not have
been the issue they have been. I know there are also things affecting
services (esp. buffer overruns), but the mass of problems has been on
Note that I'm not defending MS here. All three issues were foreseeable,
and are MS's fault. I am defending the engineers who built the OS
> Hopefully MS will really put an effort into security with Longhorn, as
> all thier previus attempts has proven to be futile.
> Or am I wrong here?
Their efforts have been ridiculously incremental and slow in coming, but
not quite futile. Windows server 2003 is by default much more secure
than 2000 was. MS really missed the boat with XP though. The problems
were well-known by then, but they did hardly anything about them. I
guess they knew that they needed to get a real consumer OS out of the
door because everyone was getting so mightily pissed off with the Win
'95 family. They also knew that if they got the security wrong Joe
Consumer wouldn't have the money to sue them, so they thought they'd
just be able to fix the default security config stuff later.
More information about the ubuntu-users