Re: PSA: Windows PCs face 'huge' virus threat: 1990 - Present



On Tue, 3 Jan 2006 08:09:22 -0800, "Mij Adyaw" <mij@xxxxxxxx> wrote:

>Why do these vulnerabilities continue to exist and be exploited in Windoze?
>If I were Bill Gates, I would have a witch-hunt and find who did not plug
>these holes and as a result, some heads would roll. Maybe there would be
>fewer holes in the future.

The problem is with the languages and tools used to develop essentially
all operating systems. There is no practical way to identify these sorts
of problems except by gross inspection (which isn't all that practical
when applied to millions of lines of code). That method has been used in
recent years, and the result is that all modern operating systems are
very secure. But very secure isn't the same as completely secure.
Vulnerabilities like this are becoming increasingly rare, but they won't
go away until we get rid of languages like C/C++, and adopt whole new
approaches to software design. Such approaches exist theoretically, and
are even beginning to be applied in some special cases. But I guess we
are at least a decade away from seeing them applied routinely.

The situation isn't helped by the fact that all modern operating systems
rely on large amounts of code going back decades. Really fixing things
would mean starting over from scratch - a hugely expensive endeavor that
nobody is anxious to take on.

BTW, fear has never been an effective management policy. If heads roll
because bugs slip through, you can expect creativity and innovation to
fail. If you were Bill Gates, you would be better off investing in new
tools and technologies for software development than conducting witch
hunts.

_________________________________________________

Chris L Peterson
Cloudbait Observatory
http://www.cloudbait.com