Full Disclosure mailing list archives

Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 2 Jul 2004 01:35:32 -0500 (CDT)

On Thu, 1 Jul 2004, Barry Fitzgerald wrote:

> Matthew Murphy wrote:
>
> > Actually, you're both wrong, in my opinion. :-)
> >
> > Overall market share has some to do with the success of worm propagation,
> > but the real problem is market share diversity at all levels.  IIS is
> > plagued by worms because one piece of code targeting whatever version of IIS
> > is widely used can typically infect ~ 95% of the vulnerable portion of the
> > IIS market.  Multi-platform products like Apache, on the other hand, have
> > the advantage of portability (i.e., variations in the underlying systems
> > within its market).  A fantastic example of this is Scalper -- it targeted
> > Apache 1.3 running on BSD/IA32.  A very small portion of the market for
> > Apache 1.3.
>
> While you're right (and, in my view, the issue is even more complex and
> the possibility of a functioning worm on ANY widely used Free Software
> technology being long-lived in the wild is diminished because of it) I
> think that the marketshare argument is more psychological than anything
>
> For instance, we can safely say that approx. 25% of all webservers are
> GNU/Linux and the vast majority of those run Apache.  Of those,
> approximately 50% are the latest version of Red Hat (this is an
> assumption, but I think it's probably a fairly safe one).   That's 12.5%
> of all of the web servers on the web running the same version of apache
> with, presumably, a significant portion of those running on ix86 based
> machines.   Assuming that the worm only utilizes Apache memory space and
> is otherwise self-contained (doesn't require a local nc or tftp or
> anything like that) then the entire body of installed systems would be
> vulnerable to said worm, let's say it's a 0-day worm for the sake of

If the numbers reflect any sense of reality, they are already flawed
though.  Not all red-hat installs, or even apache, are going to be alike,
even on the same OS versions.  Some folks actually do cut down red-hat
installs to minimums, rather than load each and every trinket on the CDs
for prod purposes.  Some who follow that, or those who toss in the
kitchen-sink installs, might still not use the red-hat tarball for various
reasons, grab apache source and whatever side apps they need to compile
in, and there you have broken from 'the standard'.  Not to mention that
not all linux is red-hat...  And then we have modules: linux is modular,
apache is modular, configs again can be pretty diverse... I start to get
the impression the margin of error needing to be calculated in makes the
issue even more complex... unless of course one targets something key to
the linux kernel or tcp-ip stack, or the core base of apache...


Ron DuFresne
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
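The exposure arithmetic the thread argues over, worked through as an added example (not code from any poster): Barry's 25% x 50% figures give the share of the installed base one exploit covers, Ron's extra heterogeneity factors shrink it, and a standard logistic random-scan epidemic model shows how that shrinkage stretches the time a worm needs to saturate. The extra diversity factors, scan rate, web-server density and initial seed are constructed placeholders, not measurements.

```python
from math import exp, log

def vulnerable_fraction(factors):
    """Share of the whole installed base that one exploit covers, assuming
    each market-share split (OS, distro release, arch, stock binary...) is
    independent of the others.  Barry's [0.25, 0.5] yields 0.125."""
    f = 1.0
    for share in factors:
        if not 0.0 <= share <= 1.0:
            raise ValueError(f"share out of range: {share}")
        f *= share
    return f

def infected_fraction(t, density, scan_rate, initial):
    """Logistic random-scan model: da/dt = K * a * (1 - a), K = scan_rate *
    density.  `a` is the infected share of the vulnerable population,
    `density` the share of scanned addresses that are vulnerable and
    `initial` the seed share at t = 0."""
    k = scan_rate * density
    return 1.0 / (1.0 + (1.0 / initial - 1.0) * exp(-k * t))

def time_to_fraction(target, density, scan_rate, initial):
    """Closed-form inverse of infected_fraction: time until the infected
    share of the vulnerable population reaches `target`."""
    k = scan_rate * density
    return log((1.0 / initial - 1.0) * target / (1.0 - target)) / k

def compare(scan_rate=10.0, webservers_per_address=0.01, initial=1e-4):
    """Time to 90% saturation under Barry's monoculture figures versus Ron's
    added heterogeneity (trimmed installs, source builds, non-Red-Hat
    distros).  The three extra factors are constructed placeholders."""
    mono = vulnerable_fraction([0.25, 0.5])
    diverse = vulnerable_fraction([0.25, 0.5, 0.6, 0.5, 0.7])
    result = {}
    for name, share in (("monoculture", mono), ("diverse", diverse)):
        density = share * webservers_per_address
        result[name] = {
            "vulnerable_share": share,
            "t90": time_to_fraction(0.9, density, scan_rate, initial),
        }
    # Saturation time scales inversely with vulnerable density.
    result["slowdown"] = result["diverse"]["t90"] / result["monoculture"]["t90"]
    return result

if __name__ == "__main__":
    for k, v in compare().items():
        print(k, v)
```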
