92% of Windows PCs Vulnerable To Zero-Day Attacks On Flash 286
CWmike writes "More than 9 out of every 10 Windows users are vulnerable to the Flash zero-day vulnerability that Adobe won't patch until Thursday, Danish security company Secunia says. According to Secunia, 92% of the 900,000 users who have recently run the company's Personal Software Inspector (PSI) utility have Flash Player 10 on their PCs, while 31% have Flash Player 9. (The total exceeds 100% because some users have installed both.) The most-current versions of Flash Player — 9.0.159.0 and 10.0.22.87) — are vulnerable to hackers conducting drive-by attacks hosted on malicious and legitimate-but-compromised sites. Antivirus vendors have reported hundreds, in some cases thousands, of sites launching drive-bys against Flash."
Flash can DIAFF (flash fire) (Score:2, Insightful)
Well at least the iPhone is safe...
Will Flash just die already! We have the video tag, IE users can suck it up as well. FlashBlock for Firefox, but what to use for Chrome?
Re: (Score:3, Insightful)
People wonder why I don't install flash, all web sites have a perfectly usable non-flash variant of the site, and get extremely PISSED OFF when an enterprise software manufacturer requires the use of flash for important parts of their site.
Re:Flash can DIAFF (flash fire) (Score:4, Funny)
Will Flash just die already!
There's always Silverlight... No, really!
Re: (Score:3, Informative)
That's the biggest load of bullshit in a while.
You talk about Silverlight being worse than Flash because it uses ActiveX -- hey guess what... SO DOES FLASH!
ActiveX is not a platform, it's a specifically formatted way of producing a Dynamic Link Library that the browser can load it as a COM object (usually in the browser's context - so the users). It by definition cannot have security vulnerabilities - the host can, and the plugin can, but "ActiveX" can't.
This is why... (Score:2, Interesting)
So true (Score:2)
Yes, who are they to support all platforms in equal manner allowing same functionality in all sites?
My suggestions are:
1) Drop PowerPC support
2) Drop Linux support
3) Find some sold out once open source heroes to implement half ass functional thing with a cool name.
4) Go mono! err.. profit!
Re: (Score:2)
Benefits to monoculture? You mean the benefits to MS and Apple for not really having to properly compete with platforms that Adobe doesn't support? Or the benefit of being largely left to the mercy of a company whose software regularly crashes, freezes and randomly covers parts of
Re: (Score:2)
FlashBlock (Score:4, Insightful)
FlashBlock may not be fast enough (Score:2)
FlashBlock stops Flash from running after a second or two. Some of the remote code still runs. This may be enough time for an attack to get through.
Re: (Score:3, Informative)
FlashBlock stops Flash from running after a second or two. Some of the remote code still runs. This may be enough time for an attack to get through.
I was under the impression that it replaced the flash objects in the page's DOM before Firefox gets chance to call the plugin. I'll have to see if I can't verify that...
Re: (Score:2, Informative)
Re:FlashBlock may not be fast enough (Score:4, Informative)
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Wrong . http://lists.openwall.net/full-disclosure/2008/07/25/15 [openwall.net]
Fix to all Flash problems (Score:5, Funny)
The fix to all Flash problems lies here on Adobe's own web site: How to uninstall the Adobe Flash Player plug-in and ActiveX control [adobe.com].
Re: (Score:2, Informative)
Squid + Dansguardian can filter it out (Score:2)
If you're not using this, or something like it, then your Admin isn't doing their job.
It looks like none of the users are getting flash until thursday. Sorry guys, no pandora for you. (also looks like I won't be getting a cake on sysadmin day).
Adobe (Score:3, Insightful)
The only difference is that when Real started raping people's computers it was replaced.
I've Always Said... (Score:3, Interesting)
I've always said(for years) that Flash would be the killer infection vector and that its cross platform ubiquity would be the Achilles heel for Linux and Mac.
This is but a taste of things to come. Flash is an abomination. It has too much power with too little end user control over that power. Combined with its insanely large install base and you have disaster waiting to happen.
I'm not sorry for being right all the time. So suck it!
Zero-Day attack (Score:2, Insightful)
The coder: whack
One means to stop
The furbrained attack
Burma Shave
Sad, yes. News? No. (Score:2)
Flash is installed on almost every PC. The large majority of Windows users still use Internet Explorer, so the majority right there are vulnerable. Firefox has a respectable percentage of the user base, but very few of those people (outside of the Slashdot crowd) seem to use tools like Flashblock. The other browsers - Chrome, Safari, Opera round out the group; their users are pretty much all vulnerable too.
It's sad, I agree - but we already knew this was the case since we've known about this unpatched flaw
Re: (Score:2)
Well, given that it's possible to avoid Flashblock just by lying to the browser (since FF3 doesn't do much MIME checking), installing it really doesn't help security significantly.
I hate Adobe (Score:4, Insightful)
You know ...
I hate Adobe software.
There, I said it.
Photoshop is buggy. Premiere is often weird and arcane. Flash and Reader have had some NASTY security holes of late. Reader is a painfully source resource pig. Adobe is at least a year late in releasing a 64 bit version of Flash (outside of the Linux beta).
You know you're in trouble when freakin' MicroSoft is putting out better software.
Adobe's releasing one awful update after another. They seem to lack the resources and expertise to maintain a huge portfolio of overly-ambitious software on a wide variety of platforms. They just can't seem to get anything right with their free (as in beer) software from a security, and sometimes even usability, standpoint.
Dear god.
Request to Adobe: if you want to be the gateway for rich content on the 'net, please realize what's at stake if you fsck things up. By botching security, you're putting millions of people at risk for having their lives turned upside down by thieves and fraudsters. You're releasing the digital equivalent of Pintos. Please start fixing your mess.
Re: (Score:2)
I just installed Windows 7 RTM and went to install flash for IE8 (for steam) and Adobe installed a download manager just to install flash. Are they retarded or something? I wish I could ditch Adobe flash for an alternative. I'm already 100% free of Apple software, it would be nice to coup de grace Adobe from my system as well.
Adobe Flash security is extremely disappointing (Score:3, Informative)
There were 23 reported security issues [mitre.org] in the last 2 years, including at least 4 browse-and-get-owned vulnerabilities.
In comparison, Silverlight has had no security bulletins since its 1.0 release (it's now at 3.0).
This may be just yet another reason to migrate to Silverlight, especially for intranet applications.
Re: (Score:2)
Flash's record is pretty bad, but Silverlight hasn't been completed tested out in the wild yet because it's not very popular right now. More exploits might be coming as it gets used more. But MS seems to have developed it with security in mind, so let's see what happens.
Re: (Score:2)
Window's record is pretty bad, but Mac OSX hasn't been completed tested out in the wild yet because it's not very popular right now. More exploits might be coming as it gets used more. But Apple seems to have developed it with security in mind, so let's see what happens.
Re: (Score:2)
The day there is a Silverlight issue (if it doesn't get scraped), I will remember this message.
Even Java, completely designed around sandboxed virtual machine idea and even invented it had security vulnerabilities.
Hope you guys are getting paid to post these bullshit.
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:3, Informative)
Well, it's unsurprising Silverlight doesn't have any vulnerabilities. Flash runs in its own, custom built virtual machine. Silverlight runs in the .NET virtual machine, which is designed with a sandbox at its core, and generally has been much, much more rigorously audited and tested.
I have no idea about Silverlight vulnerability track record, but I can assure you that full .NET sandbox can and was successfully broken. I've personally discovered one way to corrupt the stack and execute arbitrary native code from a sandboxed application (such as a WPF browser app). That particular vulnerability has been fixed, and does not affect Silverlight anyway, but it serves as a reminder that VM sandboxes aren't perfect. Java also had its share of problems in that regard (though IIRC .NET had far l
Re: (Score:2)
So, MS jumps 3 versions in matter of 2 years, dropping PowerPC support and never intending to support Linux except hired open source cloning monkeys method and you claim it is 3rd generation software with no known threats?
Guess what, DejaVu viewer has no known security issues too.
Once upon a time, MS puppets were doing their dirty job with more clever methods.
Re: (Score:2)
Very Very Intersting (Score:2)
So, are you saying Windows is not done until Adobe is broke, so that people will use M$ stuff instead? They have done that before. I don't think Adobe is at fault, since the same problem appears many times for them, but no issues on Silverlight. Interesting, Adobe works on the Mac and Linux flawlessly. So it's got to be the evil empire again. Look out for the fine they are going to get now. WOW.
Re: (Score:3, Insightful)
Silverlight doesn't have any reported issues since not enough people use it for the bad guys to bother investing resources in finding its vulnerabilities. It's related to the same "macs don't get viruses" argument that was floated around right up until the point that macs became popular enough for virus writers to bother with them.
versions of Flash Player - 9.0.159.0 and 10.0.22.8 (Score:5, Funny)
An interesting approach, using IP addresses as version numbers
Admin? (Score:2)
So do you have to be on an administrator account for the attack to work?
How can it still be a zero day exploit... (Score:2)
... if everyone knows about it?
Or am I missing something here?
The remaining 8% of Windows PC (Score:2)
Could this be.... (Score:2)
Re: (Score:2)
Well, it seems MS billions already sunk in Silverlight as nobody, including Windows users doesn't seem to care if it exists or not.
So yes, a BLACK HAT ZERO DAY security exploit may buy some months for Silverlight. All Silverlight and Moonlight developers must be THANKFUL to that mafia guys exploiting a zero day bug in expense of putting billion end users at risk. We must all congratulate them in their hideouts, thanks for stealing end user information, you did a great service for MS born dead technology...
Can we have a break from .NET monkeys? (Score:2)
When there is a zero day issue exploited in the wild and if it is effecting near billion computers, some questions must be asked.
1) Will the FBI and security organizations look to this matter as a threat to global security and this time, actually find the gang to question them?
2) When did we start supporting zero day exploiting black hat mafia?
3) Who is really behind this?
4) Why would it take until Tuesday to fix the issue? Can't they provide a quick hotfix until Tuesday and ship the real thing with more te
Flashblock won't do anything (Score:2, Insightful)
So will this be caught by AV? (Score:3, Informative)
This is something that can be detected and stopped by Antivirus software, right? Since my Avast! updates every day, if it can protect me against this Flash vulnerability, then it shouldn't matter to me when Adobe issues the patch.
Flash and PDF are both disasters (Score:3, Interesting)
These bloated plugins seem to also be responsible for 80%-ish of the crashes I have in Mozilla.
They are the big weakness of the web: what if someone decides to start putting a non-standard format out there that becomes a de facto standard because it's the easiest way to do something?
Flash seems to be the easiest way to put up an animation.
PDF is the best format for distributing documents that you don't necessarily want others to edit.
No one wants to explore alternatives because the content is in these somewhat unwieldy formats.
92% if Windows PCs vulnerable (Score:3, Funny)
I stopped reading there. Obviously a slow news day.
Flash should be replaced (Score:3, Interesting)
Flash is a ongoing security nightmare. Users demand the functionality but don't understand or care about the security cost.
Flash is one abomination that should be put out of its misery ASAP.
Re: (Score:3, Interesting)
Browsing the web without a few browser mods is the only to surf these days anyway.
Yeah. When I read this headline my first impression was "should I try to act surprised?"
This is just history repeating itself. Even if it required an NDA, if Adobe were smart they'd try to hire the OpenBSD folks to audit their code as they're obviously not capable of securing it themselves.
Re: (Score:3, Insightful)
Re:Noscript (Score:5, Insightful)
Capable? I'm sure they could, I just get the distinct feeling that they don't feel like doing it. Which would be fairly typical, MS for instance likes to get angry when people mention the fact that they've been taking months to patch a serious vulnerability. Admittedly you don't want a patch to cause another vulnerability, but how long does it really take to get a proper fix?
If the FOSS community is any indication, it takes anywhere from a few hours to a couple of days after the vulnerability is disclosed.
I am surprised how Microsoft often gets a pass on these issues, considering the vast resources at their command and the fact that Windows is a monoculture so their mistakes simultaneously affect millions of people. Most FOSS software is written by a "rag-tag band" by comparison, so why isn't Microsoft held to a higher standard of responsibility?
Re: (Score:3, Insightful)
Um, if your operating system is fucking brittle that a Flash update brings it down, then you've got really huge problems.
Re:Noscript (Score:4, Insightful)
Um, if your operating system is fucking brittle that a Flash update brings it down, then you've got really huge problems.
Huh. The post you're replying to is talking about Windows updates, not Flash, because the discussion got sidetracked at some point. I haven't heard of a Flash update bringing down Windows, except maybe if it messes with boot.ini or MBR or system files. I would imagine the same thing would happen in Linux or OS X.
Now if you're talking about Flash vulnerabilities in Windows, remember that OS X/Linux is similarly exploitable through Flash.
From http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/ [theregister.co.uk]
In an advisory that was updated after this article was published, Adobe says the "vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems."
The company expects to release an update fixing Flash in Windows, OS X and Unix on July 30 and fixing Acrobat and Reader on those same three platforms on July 31.
Re: (Score:2)
Which means that currently, a flash exploit could potentially alter, email, or delete any files in ~/.
Cold comfort, to say the least.
Re: (Score:2)
It's all about sandboxing. No user exploit can affect Unix system files unless running as root, which done on a per-program basis.
That's not sandboxing, that's privilege separation and has been implemented in Windows NT i think in the beginning of 90s and for consumer OSes like 2000/2K. I don't see why you point it out as if it was exclusive to UNIX and not present in Windows? We're not in MS-DOS/95/98 era anymore.
For Ubuntu, the October 2009 version will include Firefox sandboxing to reduce damage to user files in the case of an exploit.
It's not available yet, and it was implemented in Vista available since Jan 2007. I don't really see any point to your post except to inform that Ubuntu is late to the party. Also, a reference to what you say would be appre
Re:Noscript (Score:4, Insightful)
People get pissed when Open Source patches break things too.
The difference is that in the Open Source world things tend to be more modular so making a change isn't as likely to cause unintended side affects.
Re: (Score:3, Insightful)
I wonder how true that really is.
Microsoft take so long to produce patches because they have to do a huge amount of testing. The figure they gave was something like 250 versions of Internet Explorer, when you take in to account every OS, every architecture, every language, every service pack level and so on that it runs on. I don't know if they test them all, but the implication was that extensive testing to avoid breaking the Elbonian language version running on Windows XP N SP2 took far longer than develo
Re: (Score:3, Insightful)
Because a "rag-tag band" doesn't have to QA their source change against an entire operating system? Remember how people tend to get pissed when MS releases patches that break functionality?
So if I understand you correctly, you are saying this is an unfair comparison, like comparing an apple and an orange.
I disagree because the concern you have raised applies to every general-purpose operating system on the planet. Certainly the software license (MS EULA or GPL) does not change this situation. If a bug is found in the Linux kernel or an important piece of userspace software, the people who patch it also have the same concerns about whether their fix is going to break anything else. So, I
Security through Diversity (Score:3, Interesting)
I would highly suspect by now the entire eco-system involved in an average patch in FOSS software is very much outstripping the resources of MS. At least on the eyeball side. What does MS put at any given problem a few hundred or a few thousand programmers? Yea, there might be a whole lot more people in the marketing spin department, but they don't really count as helpful.
It is not just the guys around one project, a particular writer in FOSS that vets the patch. It is the entire community of hundreds of d
Re:Noscript (Score:5, Informative)
The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.
Sounds like someone doesn't keep current on events, as this problem was worked on some months ago.
Re:Noscript (Score:4, Insightful)
as this problem was worked on some months ago.
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
The character of the author of NoScript is that of the authors of
1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)
2) spyware/malware (changing configuration without the user's consent).
Re: (Score:2)
Re:Noscript (Score:5, Insightful)
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
That's a pretty dismal view of human nature. I, on the other hand, believe people can change.
--Bruce
Re:Noscript (Score:5, Insightful)
As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
If by "decent", you simply mean, "holds your archaic worldview", I suppose...
The notion that people's character is set in stone at birth is laughably absurd.
The character of the author of NoScript is that of the authors of
1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)
2) spyware/malware (changing configuration without the user's consent).
How about:
3) people who make mistakes.
The real "test of character" isn't whether he made a mistake, but what he does about it afterwards. So far, he seems to have responded appropriately, which shows good character, actually.
Re:Noscript (Score:5, Insightful)
No decent psychologist I know of would ascribe personality (of which character is a part of) to inborn traits, disregarding experience and environment. Character as an inborn trait is an asinine idea: neither the behaviorist nor the biopsychologist would take that statement seriously.
Re: (Score:2)
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
That's quite the claim and quite maddeningly false.
Re: (Score:3, Informative)
as this problem was worked on some months ago.
It's not a "problem" that can be "worked on". It's the character of the author. As any decent psychologist will tell you that character is inborn and cannot be changed or "worked on".
The character of the author of NoScript is that of the authors of
1) adware (redirecting to his ad-laden website with each meaningless update and preventing you from blocking these ads)
2) spyware/malware (changing configuration without the user's consent).
trifish: I'm getting quick on the Citation Neededs. I know from firsthand experience that people can and do change. So please, please rattle off some quotations or links providing evidence to support your theory that people can't change their "character."
The MAZZTer: I would just like to inform you that there are are entries in the about:config menu that allow you to turn off the first run "pop-op." I'm not sure that your "NoScript whitelisting NoScript" is a legit complaint, as you are capable of removin
Re: (Score:2)
I for one am glad that Slashdot was on the scene and prepared to offer vital urban advice. In order to protect myself from this malware, I have closed all the curtains and moved my office to the back of the house. No fucking driveby is gonna get me, dawg.
Re:Noscript (Score:5, Informative)
The noscript author is an assclown who silently enables ads (And disables noscript) for his own financial advantage.
He admitted his error and has stopped doing this. See this link [hackademix.net]. The very first line? "I screwed up. Big time."
Any fool can make a mistake. It takes some guts to admit it, correct it, and try to move on especially in public like that. For that reason I do not count myself among the folks who still want to figuratively crucify him.
Horseshit. (Score:3, Insightful)
If it were an actual mistake, then I would agree with you. It wasn't an error.
He purposefully did it and when he got caught he then apologized for it. What I'm saying is, if nobody said anything, he'd still be doing it.
Re:Horseshit. (Score:5, Insightful)
If it were an actual mistake, then I would agree with you. It wasn't an error.
He purposefully did it and when he got caught he then apologized for it. What I'm saying is, if nobody said anything, he'd still be doing it.
This is a hard thing to understand and you raise a very valid question. I hope to answer that without just dismissing it or pretending like it isn't important. I don't know the man personally and have to go by what he and others have written, so please consider this just my opinion as I cannot speak for him.
You are right that he deliberately coded the functionality that made unauthorized and underhanded modifications of another, unrelated add-on (ABP). The mistake or error was in believing that the ends justify the means, that there is ever a good reason to do such a thing. All improper actions he took were rooted in that one error. But not for that belief, he would have probably regarded the temptation as "what the hell, I can't do that." Sometimes people get lucky and they see what's wrong with such an error on their own, before anything has to blow up in their face. Other times they have to see for themselves why it's harmful, often by being harmed by it or harming others by it, before their regret at having spectacularly failed reveals the error of their ways. It's sort of like the religious idea of "forgive them because they know not what they do," though if you asked them what they were doing they could describe their behavior accurately -- this is not really a contradiction.
I'm not an impeccably perfect person either. I have had to learn some lessons the hard way and I suspect every other human being could say the same. So no, I don't share the willingness to condemn someone who has fully come clean and has turned away from what he was doing. I think doing that would say more about me than about him. If anything, I celebrate his courage and wish it were more common.
Re: (Score:2)
Re: (Score:3, Interesting)
How is that Offtopic? It's exactly spot on. Mod parent up, if you're not Noscript shill.
Agreed. Mods, please promote the GP post. This really should be discussed and resolved.
I also disagree with the GP but censoring him is not the Way. I do think it is akin to censorship because nothing he said is detrimental to the discussion. Also, a lot of people feel the way that he does and they should have their say. At least, this is what I believe. I have written a post describing why I disagree and why I think there is a better way to handle the situation. I think that in an open discussion
Re: (Score:3, Insightful)
He admitted his error
You're kidding us right? Look up the definition of the word "error" and compare it with the definitions of the words "willful", "deliberate" and "intent".
Re: (Score:3, Insightful)
Re: (Score:2)
He admitted his error
You're kidding us right? Look up the definition of the word "error" and compare it with the definitions of the words "willful", "deliberate" and "intent".
If you could be so kind as to do so yourself before asking others to, you could save us all a lot of trouble. *None* of those words are the antonym of error, nor do they exclude something from being an error.
You're confusing error with accidental or inadvertent. He didn't inadvertently start whitelisting ads, but it was an error for him to have done so, and he has since admitted his error.
For example, your post was deliberate, willful, and written with intent, but it's also erroneous.
Re: (Score:2)
I do not want to figuratively crucify him either.
The real thing would do just fine! ;)
Re: (Score:2)
Look through your adblock whitelist and remove or disable anything for that site. The whitelist was probably added in the earlier version and never removed.
Re: (Score:3, Funny)
Not just Windows (Score:5, Insightful)
"A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems" (emphasis added.)
TFA only mentions Windows because they don't bother scanning Macs or Linux boxes.
Oh please (Score:4, Informative)
Let's not let the facts get in the way of rabid fanboyism! After all, Linux is 100%, completely secure! There are magical GPL fairies in the kernel that protect it from any and all attacks, even when the app in question is from a 3rd party.
Re:Oh please (Score:4, Funny)
That's good to know!
Re:Millions of complacent idiots devastated (Score:5, Informative)
A computer worm that spreads through Flash and PDFs on PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough [today.com] to still think Windows is not ridiculously and unfixably insecure by design.
1) This vulnerability exists on OSX, Windows, and Linux.
2) The annual pwn2own competition, among others, shows that Linux and Windows are similarly secure and OSX is much less secure. OSX goes down first every year, while Windows and Linux both last until later days of the competition when more direct access to the systems is granted to the contestants.
A Windows machine is more likely to be compromised, but that's because of market share. "Insecure by design" implies that you're talking about the security of the OS against someone who wants to compromise it. It's proven every year that only OSX lags in this area, and it lags quite badly (this year's winner rated the difficulty of compromising Vista and Linux as a 9-10, and the difficulty of breaking into OSX as a 3, IIRC).
3) Goto 1)
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
First, I don't understand why this myth keeps appearing. Ubuntu is the only one that came out without being cracked. [zdnet.com]
Second, pwn2own shows what can happen if someone specifically targets your machine. No
Re: (Score:2)
In all seriousness, couldn't this happen with any OS as JAVA is cross platform. And,....we'll for Windows users just leave that stuff disabled. They re-enable it, and then they have computer problems. I fix, wash, rinse, repeat, for the consumer until his money or patience wears out or if it becomes a problem at the corporate level, I just "Block, Lock and Monitor". Whadda they need to be doing going to "Flash Sites" in the first place. What could they possibly learn from that will help the company? PDF's w
Re: (Score:2)
The vulnerability exists, yes. But I can pretty much guarantee that any payload is only going to target Windows systems.
Sure, they'll be able to get "deltree c:\WINDOWS" or steal_all_your_passwords.exe onto your Linux box, but it will bork when it tries to run.
Re: (Score:2)
Re: (Score:2)
Well, not a whole lot, on a poorly set up system.
But there is the fact that a single user cannot bork a system for other users. That certainly counts for something.
And the simple fact of marketshare means that Linux will not be targetted in this way for the forseeable future.
And as to deleting data, I haven't run across malware for years that does this. Usually it tries to embed itself into the system somewhere, and steal information. The "deltree C:\WINDOWS" comment was to simplify the payload for expla
Re: (Score:2)
which protects the uninteresting, easy to reinstall OS and apps, and leaves your important data swinging naked in the wind.
Unless you run your browser in a jail, of course.
Re: (Score:2)
Err , actually so long as you keep backups of your private data a trojan coming along and screwing it up is a minor annoyance. Finding your computer OS has an infection and won't run properly or even boot is a lot more of a PITA when you have to spend half a day reinstalling it and all the apps and setting everything up the way you want.
Re: (Score:2)
Ok, if you're worried about easily detectable changes.
What if the malware makes hard to detect changes, or, even worse, no changes at all and just copies your nice data to some naughty person?
Re:Millions of complacent idiots devastated (Score:5, Informative)
WRONG on many levels. If you're not running as admin, only your user files will get affected in all the current OSes including XP. But IE8 on Windows 7/Vista does sandboxing and hence is more secure than Firefox on Ubuntu out of the box. Don't believe me? Read is straight from the horse's mouth. http://blogs.zdnet.com/security/?p=2941 [zdnet.com]
Why Safari? Why didnâ(TM)t you go after IE or Safari?
Itâ(TM)s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs donâ(TM)t do. Hacking into Macs is so much easier. You donâ(TM)t have to jump through hoops and deal with all the anti-exploit mitigations youâ(TM)d find in Windows.
Itâ(TM)s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesnâ(TM)t have anti-exploit stuff built into it.
[ SEE: 10 questions for MacBook hacker Dino Dai Zovi ]
With my Safari exploit, I put the code into a process and I know exactly where itâ(TM)s going to be. Thereâ(TM)s no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I donâ(TM)t know where it is. Even if I get to the code, itâ(TM)s not executable. Those are two hurdles that Macs donâ(TM)t have.
Itâ(TM)s clear that all three browsers (Safari, IE and Firefox) have bugs. Code execution holes everywhere. But thatâ(TM)s only half the equation. The other half is exploiting it. Thereâ(TM)s almost no hurdle to jump through on Mac OS X.
Re: (Score:2, Funny)
Don't believe me? Read is straight from the horse's mouth
Wish I could, but it appears to be highly trademarked.
Re: (Score:3, Interesting)
If Apple has about 8-10% of the usa
Once you're penetrated... (Score:2)
Privilege separation is a useful tool, but minimizing the surface area for the initial attack is critical. Security is like sex, once you're penetrated, you're ****ed.
The biggest problems Windows has are related to the surface area exposed to attack:
1. The lack of the ability to bind most survices to a specific IP address means that even services intended for internal use have to be blocked by a firewall rather than being bound to 127.0.0.1.
2. The lack of ability to pass parameters to a program without pass
Re: (Score:2)
Re: (Score:2)
I have these things called "backups". You might want to try them sometime.
Re: (Score:2)