Vulnerability Development mailing list archives
Re: WSCRIPT.EXE , CSCRIPT.EXE replacement for *.vbs
From: dpz () POBOX COM (Daniel P. Zepeda)
Date: Sun, 14 May 2000 21:05:50 -0500
Thus spake Bluefish on Sun, 14 May 2000:
How long would you say Perl has been "widely available" on Windows boxen?
Perl is not "widely available" on Windows.
No matter how you try to fix it the security is not in the basic design, so the system cannot be secure.
This is true. However the rest of the argument is entirely wrong. These worms we've seen lately are heavily dependent upon user interaction. I believe a clear interface etc as I mentioned would efficiently limit (not stop entirely, but limit) the spread of these worms as less users would be fooled.
Yeah, some upgrading will band-aid the situation, but... You are still only seeing half of it. They are dependent on user interaction *and* the ability for a program to own the machine. If you don't have the latter, it doesn't matter what the user does and that is the point. Any security system where you try to rely on the user (less educated as you would have it) to "do the right thing" will fail.
Again, No matter how you try to fix it the security is not in the basic design, so the system cannot be secure.
As stated before, numerous of these problems aren't actually security problems but a problem with the interface.
only MS OS that has the hope of doing that. Please, no comments on how UNIX does not have these limitations, that is given, but UNIX does not have the market share to cause this problem, 9x does.
You mean *nix doesn't have the *desktop* market share. And who cares about 9x anyway? MS wants you to upgrade now.
You're not even replying to my message here, just so you know. I didn't type what you're replying to.
Of course you are right, sorry. I think we have the same ideas here.
Oh, please can you tell me where I can verify your claims on the education level of the respective operating systems? The second point also misses
You must have missed the "or you might call me biased". I have nothing else than my own experience to base that upon. I have not yet found a single unix administrator who is as clueless as the average windows administrator. But seriously, where do you look when you want to find Unix users? You look at companies dealing with high tech products. Or you look at universities teaching undergraduate engineers in computer science. Where do you find the windows user? Everywhere. The average person uses windows, and the average person is less educated than those who use unix. I have no proof, but I believe in real-world experience. Now we're entirely out of the scope of vuln-dev. If anyone really is interested in religious wars, please send them to me off-topic ;-)
the mark. Almost any of the *nix GUI's could be set up to be "one mouseclick to execute possible hostile code."
'Could be' is far from 'is'. Is there any unix mail client which allows you to execute attachments in one mouseclick?
Oh sure. I know for a fact that KDE, a very popular Linux Window Manager, features kmail which handles mime attachments very well. I routinely have Mathematica launched to handle an attachment. I'm fairly certain that popular formats like PDF, postscript etc are handled "right out of the box." Even if this is the only window manager available that does this out of the box (I doubt it) the point is, there will be soon.
> > trait. But as I pointed out earlier, *nix has compartmentalization in the
> > design, so even if these capabilities are built into the GUI, the overall
> > ability for hostile code to damage the system is still much less than with
> > W9x because any program can basically "own" the computer in W9x if written
> > properly.
I'm aware of multiuser issues, and the reasons for people to use unix, NT and other OSes with multiuser awareness. However, I am commenting upon solutions to make email worms less powerful. As long as something is basically relying upon the user and not exploits, the only efficient measure is a client with a clear interface so the user understands what it does.
You will fail. Having experience with 12,000+ user - intranets tells me that you can't "educate" everybody, so that is not the solution. Clear interfaces are the band-aid.
I'll echo that *nix is not perfect.
Perfect (= perfectly secure) operating systems die out. It's the survival of the fittest, a trade-off between usability and security. That's why C2 systems aren't selling very well (besides the point that C2 systems cannot be used upon the internet). No manufacturer who hasn't lost his mind would even think about developing an A1 system.
I like Unix a lot, but it's well overdue that some easier security measure than SUID and GUID was offered. Let's face it, few of the developers of the different unixes (& unix applications) are actually able to handle suid root.
However, it is designed from the ground up as a multi-user system. Any advancing OS that intends to "conquer" the internet will have to have at least this basic idea incorporated into it.
Definitely. I agree totally. I was however thinking about what could be done quickly by MS to make Outlook less worm-friendly. Let's face it, whatever we say about the W9x problems the majority of the users won't upgrade because of it.
That's where you are really wrong. When the general public gets into their head that their data (their homework, their painting etc.) is at the mercy of almost any bored 15 year-old and there is no permanent solution in 9x, they'll move on.
(sigh. some newspapers in Sweden actually recommended the users to keep using W9x... In the same article they asked why people should care about "40 bit" and "128 bit", that was just tech-talk according to them)
Newspapers are not known for their tech savviness in general so I'm not surprised and give them no credence.
..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
-- Daniel P. Zepeda dpz () pobox com Find my public keys at: http://www.cs.utsa.edu/~dzepeda/PublicKeys.html