funsec mailing list archives

Re: Microsoft announce most secure OS on the planet


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 21 Apr 2009 10:56:44 +1200

Larry Seltzer to der Mouse:

I know someone who until recently (~1yr ago?) was running Windows 3.1

For all its lack of inherent security, it was substantially stronger
against today's carpet-bombed attacks than lots of more modern stuff,
simply because most malware wouldn't run on it at all.

Fascinating. Think of how secure DOS and CP/M are by this standard.

That is "pragmatic security".

It's the main reason I use Firefox rather than IE.  It's a good bet that by 
objective coding quality standards, etc., FF is much less secure than contemporary 
versions of IE, but to date FF has not been subjected to anything like the same 
level of scrutiny for exploitable holes by the bad guys (or anyone else) largely 
because of its market share (and a misguided belief that because OSS code _can_ 
be scrutinized by millions of eyeballs, it is almost necessarily better 
scrutinized than non-OSS code).  Thus, FF's market share means the (mostly) 
monetizable value of finding and exploiting vulnerabilities in FF makes doing so 
orders of magnitude less attractive to the bad guys (and really bad karma to the 
white hats who should be auditing the code better).

In a couple of years, as a greater and greater proportion of Windows users are 
forced to "better" versions of IE, these economics will likely change, but the 
next low-hanging fruit will then probably be the third-party add-ons that are 
common _across browsers_ and typically exploitable across browsers too (and yes, 
we have been seeing this for a while now), rather than "the browser with next 
largest market share".


Regards,

Nick FitzGerald


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

