
[Asrg] Bug, or Feature?

2003-06-26 12:59:01
For example, is it a FEATURE of all mentioned Windows OSes that any
non-privileged program can add new .EXE files to the system directory
and modify the registry such that those newly added programs autostart
on boot?

Or is it a BUG which was exploited? And if it's a BUG is it odd that
the same bug exists across all those releases, has it been known
previously, why hasn't it been fixed in, apparently, over 7 years
(Windows95 ... XP.)

As much as you might not like to hear the answer... since this characteristic is
found in all those releases, AND counted upon by large numbers of applications
which would be broken if that characteristic were changed... clearly the item in
question IS a "feature".

Not all "features" are particularly well-considered.  This is true for ALL 
software.  (Sometimes it's more important which easily implemented features you 
LEAVE OUT than which ones you PUT IN.)

The FACT remains, however, that restricting certain operations to "root-only" or
"sysadmin-only" is really pretty meaningless on typical user-level Windows
desktops, where (especially on home machines) there IS no root or sysadmin-level
qualified/intelligent/wise authority which is more qualified to approve or deny
such requests.

As for rapidly getting out patches for SENDMAIL, I'll point out that many of the
security weaknesses in Outlook and Outlook Express have been closed by patches
that have been out for more than a year, and maybe TWO... but where many users
haven't bothered to (or don't realize that they should) install those patches.

Certificates attesting to the trustworthiness of incoming executable software 
are one approach, but typically not a good one especially given the large 
numbers of applications (freeware/shareware/etc) produced by 
trustworthy-but-small producers which cannot ante up the bucks for certificates.

I still believe that a good alternative that is effective in the great majority
of typical cases is to simply by default block unexpected attachments that
arrive from unfamiliar, untrusted senders (and most especially if those are of
risky/executable types).

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment!  Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
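The "block unexpected attachments from unfamiliar senders by default" policy proposed in the post above, as an added Python example (not code from the post or from the ASRG list); the trusted-sender list and the set of risky extensions are constructed assumptions, and the sample messages are built inline for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed (constructed, not exhaustive): attachment extensions Windows runs directly.
RISKY_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Assumed: senders the recipient has already corresponded with.
TRUSTED_SENDERS = {"alice@example.com"}


def classify_attachments(raw, trusted=TRUSTED_SENDERS):
    """Return (verdict, reason, attachment_names) for one raw RFC 822 message.

    verdict is "allow" or "block".  Any attachment from a sender not in
    `trusted` is blocked by default; executables are called out explicitly
    so the reason can drive a stricter action (e.g. quarantine vs. hold).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    executables = [n for n in names
                   if any(n.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]
    if not names:
        return "allow", "no attachments", names
    if sender in trusted:
        return "allow", "attachment from a known sender", names
    if executables:
        return "block", "executable attachment from an unfamiliar sender", names
    return "block", "unexpected attachment from an unfamiliar sender", names


def build_sample(sender, filename):
    """Construct a sample message with one binary attachment (test input only)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "you@example.org"
    m["Subject"] = "Check this out"
    m.set_content("Please open the attached file.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for sender, name in [("stranger@example.net", "photos.exe"),
                         ("stranger@example.net", "notes.txt"),
                         ("alice@example.com", "report.exe")]:
        print(sender, name, "->", classify_attachments(build_sample(sender, name))[:2])
```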



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


