BugTraq
new linux malware Feb 18 2006 10:40PM
Gadi Evron (ge linuxbox org) (2 replies)
Re: new linux malware Feb 20 2006 04:57PM
Christine Kronberg (Christine_Kronberg genua de) (1 replies)
PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 20 2006 08:22PM
Gadi Evron (ge linuxbox org) (2 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Dec 30 2006 10:00PM
Kevin Waterson (kevin oceania net) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 05:53PM
Bill Nash (billn billn net) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:00PM
Tino Wildenhain (tino wildenhain de) (1 replies)
RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:31PM
Jim Harrison (Jim isatools org) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 10:37PM
Dana Hudes (dhudes hudes org) (1 replies)
RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 12:02AM
Jim Harrison (Jim isatools org) (2 replies)
Re: PHP as a secure language? PHP worms? Jan 02 2007 12:01PM
Duncan Simpson (dps simpson demon co uk) (1 replies)
RE: PHP as a secure language? PHP worms? Jan 02 2007 02:17PM
Jim Harrison (Jim isatools org)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 10:58AM
Darren Reed (avalon caligula anu edu au) (2 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 03:16PM
Dana Hudes (dhudes hudes org) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:48PM
Lawrence Paul MacIntyre (macintyrelp ornl gov)
RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 02:15PM
Jim Harrison (Jim isatools org) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:37PM
Darren Reed (avalon caligula anu edu au) (3 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 03 2007 05:16AM
Ronald Chmara (ron Opus1 COM) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 04 2007 08:59PM
Jim Manico (jim manico net)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 09:07PM
Bill Nash (billn billn net)
RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 07:18PM
Jim Harrison (Jim isatools org)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 22 2006 10:48AM
Kevin Waterson (kevin oceania net) (2 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:13PM
Matthew Schiros (schiros gmail com) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:26PM
L. Adrian Griffis (agriffis dstsystems com) (1 replies)
On Fri, 24 Feb 2006, Matthew Schiros wrote:
> PHP, like any and all projects, does indeed have security flaws. So
> does MySQL. So does Linux. So does sshd. So does Windows. To claim
> that we should abandon any individual service simply because it has
> security bugs is absurd. Yes, there are non-trivial problems with
> PHP's memory management, but the same could easily be said for Java as
> well.

You may be missing an important point, here. Not all security flaws are
alike. We can divide security flaws into two catagories. Those
catagories are Design Flaws and Implementation Flaw. Implementation
flaws can lead to serious problems, but from a security perspective,
they are easier to deal with because correcting them is likely to make
the behavior of the afflicted programs more like what the users expect.
That is, assuming the documentation accurately reflects the programmer's
intentions, correcting implementation flaws should usually make the
program's behavior more consistent with the documentation.

Design flaw, on the other hand, are more serious, because correcting
those flaws can mean breaking program behaviors that the user was
told he could count on. Vendors live with their bad designs for years,
simply to avoid upsetting user expectations.

While you are correct that sshd and Java have occasional flaws with
security implications, not all security flaws are alike. sshd and
Java were more carefully designed than many other tools in this
business, and the Linux community is much quicker to abandon badly
flawed designs than some other communities. You can't make meaningful
comparisons on security by simply counting flaws.

Adrian

-----------------------------------------
This e-mail and any attachments are intended only for the
individual or company to which it is addressed and may contain
information which is privileged, confidential and prohibited from
disclosure or unauthorized use under applicable law. If you are
not the intended recipient of this e-mail, you are hereby notified
that any use, dissemination, or copying of this e-mail or the
information contained in this e-mail is strictly prohibited by the
sender. If you have received this transmission in error, please
return the material received to the sender and delete all copies
from your system.

[ reply ]
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:50PM
Matthew Schiros (schiros gmail com) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 04:21PM
L. Adrian Griffis (agriffis dstsystems com) (1 replies)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 05:55PM
Matthew Schiros (schiros gmail com)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:07PM
Jamie Riden (jamie riden gmail com)
Re: new linux malware Feb 20 2006 04:24PM
Marco Monicelli (marco monicelli marcegaglia com) (1 replies)
Re: new linux malware Feb 20 2006 07:58PM
Gadi Evron (ge linuxbox org) (1 replies)
Re: new linux malware Feb 22 2006 08:00PM
Jamie Riden (jamie riden gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus