For example, is it a FEATURE of all mentioned Windows OS's that any
non-privileged program can add new .EXE files to the system directory
and modify the registry such that those newly added programs autostart
on boot?
Or is it a BUG which was exploited? And if it's a BUG is it odd that
the same bug exists across all those releases, has it been known
previously, why hasn't it been fixed in, apparently, over 7 years
(Windows95 ... XP.)
As much as you might not like to hear the answer... since this characteristic is
found in all those releases, AND counted upon by large numbers of applications
which would be broken if that characteristic were changed... clearly the item in
question IS a "feature".
Not all "features" are particularly well-considered. This is true for ALL
software. (Sometimes it's more important which easily implemented features you
LEAVE OUT than which ones you PUT IN.)
The FACT remains, however, that restricting certain operations to "root-only" or
"sysadmin-only" is really pretty meaningless on typical user-level Windows
desktops, where (especially on home machines) there IS no root or sysadmin-level
qualified/intelligent/wise authority which is more qualified to approve or deny
such requests.
As for rapidly getting out patches for SENDMAIL, I'll point out that many of the
security weaknesses in Outlook and Outlook Express have been closed by patches
that have been out for more than a year, and maybe TWO... but where many users
haven't bothered to (or don't realize that they should) install those patches.
Certificates attesting to the trustworthiness of incoming executable software
are one approach, but typically not a good one especially given the large
numbers of applications (freeware/shareware/etc) produced by
trustworthy-but-small producers which cannot ante up the bucks for certificates.
I still believe that a good alternative that is effective in the great majority
of typical cases is to simply by default block unexpected attachments that
arrive from unfamiliar, untrusted senders (and most especially if those are of
risky/executable types).
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment! Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
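
The default-block policy proposed in the message above, sketched as an added example (not code from the original post or from any mail client). The extension list, the known-sender set, the three result labels and the helper names are assumptions made for illustration, and the sample messages are constructed.

```python
import os
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed list of risky/executable attachment types (illustrative, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs", ".js"}

def is_risky(filename):
    # Windows ignores trailing dots and spaces, so "setup.exe. " still runs as an .exe.
    # Only the final extension counts: "photo.jpg.scr" is a screensaver executable.
    cleaned = filename.lower().rstrip(". ")
    return os.path.splitext(cleaned)[1] in RISKY_EXTENSIONS

def classify(raw_message, known_senders):
    """Return 'deliver', 'block' or 'block-risky' for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    # The From header is unauthenticated; it is trusted here only for illustration.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    if not names or sender in known_senders:
        return "deliver"
    # Unfamiliar sender plus attachment: blocked by default, flagged if executable.
    return "block-risky" if any(is_risky(n) for n in names) else "block"

def build_sample(sender, filename=None):
    """Construct a sample message (constructed data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@home.example"
    m["Subject"] = "hello"
    m.set_content("see attached")
    if filename:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

KNOWN = {"friend@known.example"}  # assumed list of familiar correspondents

if __name__ == "__main__":
    for sender, fname in [("Stranger <someone@unknown.example>", "photo.jpg.scr"),
                          ("someone@unknown.example", "notes.txt"),
                          ("Friend <friend@known.example>", "setup.exe")]:
        print(sender, fname, "->", classify(build_sample(sender, fname), KNOWN))
```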