But if you think Microsoft's Closed Source "Windows" operating system to be bug free, then i have but only to laugh at you in the face. Windows 98 may well contain millions of bugs (for its stability), and perhaps thousands of security exploits. In all probability, that's TRUE. After all, Microsoft is the only company to review the source code, EVER, and they produce a new version of the beast about every 365 days. How can you really test all that? Windows 2000 shipped with some 60,000 known (forgive me for forgetting the number, perhaps was as "low" as 35,000) bugs! That's a lot of bugs! Do you think you're ever going to see fixes for all of them? I'll grant that I happen to be one of those users who insist on compiling my own applications, for reasons of knowing where the binaries are going, and getting the added benefit of not waiting around for a precompiled binary, or better yet, installing an inferior version of this program. But i'm not stupid, and I don't just download and compile every program i come across. The ones I do compile, I'm not even using all the time. For example, I compiled Xmms (X MultiMedia System, from http://www.xmms.org) but it's not playing music right now. I realize that an efficient virus or trojan only needs to be inserted ONCE before it can do bad things. But since I don't substitute the root user for another one, and my binaries are owned by me, they have to run with root priveledges to do any real damage.

Besides, people have been exploiting Windows security holes for almost as long as Windows has been around. Oftentimes, you don't hear about it until it's been patched (usually at least a few days). In the case of the Frontpage backdoor, I checked microsoft.com, and what they said was that the back door does not exist. However, in examining the source code (on that same day!) they found and patched another "unrelated" security hole. At the bottom was a disclaimer saying that there was no guarantee to the report's accuracy. That is something i found amusing indeed- can they really scan through all that source code in a single day, find not only that the first report was not true, but also find and offer a patch for a hole that they found in this same day that was missed in earlier reviews and tests!? You can't tell me that FrontPage Server is that simple!

If you think that security through obscurity is good, then rather than build a better vault, let's just have banks hide your money behind the shrubbery at selected locations. You can't see it, therefore you can't find or exploit it, correct?

Anyone nuts enough to try to exploit Apache knows that at best his efforts will be patched again within a few days. And a detailed report of the problem will be made, usually by Apache. Does Microsoft provide such detailed reports about their security holes? Before you answer this, recall that long capitalized disclaimer of warranties at the bottom of their page for FPS security hole...

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/19/1448#1448