funsec mailing list archives
RE: Microsoft blames Vista insecurity on thirdparty applications
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 21 Dec 2006 12:44:59 +1300
Larry Seltzer to Blue Boar:
No, he's misrepresenting what Jim Allchin, the author of the blog entry says. What Allchin says is that while the malware in the study might technically execute on Vista it wouldn't, as a practical matter, get through to the point of executing because any decent mail client would block executable attachments, even in ZIP files, etc.
I think Larry has this right.

_However_, even if Allchin had actually said as succinctly and possibly less-easily misrepresentably what he meant, he is _still_ (I'd say very deliberately) misrepresenting the issue...

He only looked at one method of entry. Several of those "top ten" malware also spread using other means, most commonly using one or more common "share crawling" techniques (inheriting existing CIFS credentials, trawling local cached credentials, trying guest user, null and other common/weak user/pwd pairs, etc, etc). Small, informal LANs are now common in homes, and _rife_ in SMEs and you can be sure as hell that virtually none of these will be mass-upgraded (ahem) to Vista. To the extent that such LANs will become Vista-hosting LANs, they will do so by adding Vista machines, or at least by replacing some of the older machines with new, Vista-capable ones. The security of such LANs, of course, suffers from the weakest link syndrome...

So even allowing that Allchin was actually saying that "while the malware in the study might technically execute on Vista it wouldn't, as a practical matter, get through to the point of executing because any decent mail client would block executable attachments, even in ZIP files, etc" he grossly misrepresents the _actual_ threat model of those "top ten" malware _AND_ Vista's exposure to that threat.

So, he's deliberately talking-up Vista security and if he doesn't know it he sure as hell shouldn't be doing the job he gets paid to do...

BUT, it's even worse than that.

Most "anti-malware" vendors' "top X" lists actually grossly misrepresent the real threat exposure out there. Note how most of the "top X" lists are relatively heavy with "old" and/or mass-mailing malware? This reflects a bias in the way most such lists are compiled. In fact, those malware are _not_ the things that cause the most trouble any more and have not been for quite some time. Although they are still seen mailing themselves around in quite large numbers that does not reflect the real security threat exposure of most SOHO and many SME users.

For about the last three (or more) years much more problematic has been the smaller-scale, but much larger in total number, bot-related malware. The authors and users of this malware work with entirely different objectives than (most of) the mass-mailing (and other very fast and massively spreading) malware authors of the past. These new miscreants spam links to their malicious executables, or links to their phishing sites, or links to their malicious, IE-vulnerability-exploiting websites that then install their malware, and so on.

Out-of-the-box Vista is no (well, only marginally) more resistant to these, much, much more common _in total_ forms of attack than XP SP2, and as Vista becomes more heavily adopted and IE 7.0 more commonly installed and used by XP SP2 users, you can bet the bad guys will be using ever more IE7 exploits, etc, etc to continue their "work".

Of course, telling the world this will not help Allchin talk-up Vista, and thus sell more copies of it, so why _would_ he tell us the truth?

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.