Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 01 Jul 2004 16:51:16 -0400

Matthew Murphy wrote:

Actually, you're both wrong, in my opinion. :-)

Overall market share has some to do with the success of worm propagation,
but the real problem is market share diversity at all levels.  IIS is
plagued by worms because one piece of code targeting whatever version of IIS
is widely used can typically infect ~ 95% of the vulnerable portion of the
IIS market.  Multi-platform products like Apache, on the other hand, have
the advantage of portability (i.e, variations in the underlying systems
within its market).  A fantastic example of this is Scalper -- it targeted
Apache 1.3 running on BSD/IA32.  A very small portion of the market for
Apache 1.3.

While you're right (and, in my view, the issue is even more complex and the possibility of a functioning worm on ANY widely used Free Software technology being long-lived in the wild is diminished because of it) I think that the marketshare argument is more psychological than anything else.

For instance, we can safely say that approx. 25% of all webservers are GNU/Linux and the vast majority of those run Apache. Of those, approximately 50% are the latest version of Red Hat (this is an assumption, but I think it's probably a fairly safe one). That's 12.5% of all of the web servers on the web running the same version of apache with, presumably, a significant portion of those running on ix86 based machines. Assuming that the worm only utilizes Apache memory space and is otherwise self-contained (doesn't requite a local nc or tftp or anything like that) then the entire body of installed systems would be vulnerable to said worm, let's say it's a 0-day worm for the sake of argument.

That's certainly a large enough body of systems for a worm to take hold on. The Morris worm did it with far fewer hosts and look at the spread of the witty worm for another example.

So, technically, while there's something to what you're saying, Apache still has a large enough market share to make it a juicy target for worms and exploits.

The marketshare argument that's being bounced around is actually more of a psychological one dealing with the amount of percieved compromisable hosts and the glory of the target being attacked.

I personally think that it's futile to try to generalize the motivations of the black hat community. There are as many reasons for them to do something as there are reasons to think of. Marketshare DOES factor into the equation, it just isn't the only factor, and often isn't the primary factory.

The existance of exploits for software that is not so heavily used proves this point.

Relying on the security of using something because fewer people use it is tantemount to security through obscurity, to me. Having said that, right now the most used browser is architecturally flawed, and it just so happens that the underdog browsers are better designed.

In the near future, that may not be the case. If all of this advice is heeded and Mozilla is adopted en masse, we may be talking about IE being the underdog browser and - my prediction - we'll still see people exploiting it because it will still be more exploitable than Mozilla. That is, of course, unless Microsoft makes massive changes to it's OS and rips OS code out of IE, completely redesigning it's security model -- but I don't see that happening for at least five years.

Microsoft's supporters like to say that they turned the Titanic on a dime when they embraced the internet.

The rest of us realize that they never really got what the internet was in the first place - and that's where IE's problems come from. That's not bashing Microsoft, it's just the fact of how they work as a corporation, and a fact of how most large corporations work. It's internally difficult to change the philosophy of a large corporation. It's also difficult for them to make major changes like that because program designers/users demand a certain amount of backward compatibility. Unlike with Free Software systems, you can't recompile windows with autoconf switches to change it's behavior. Therefore, any significant changes to IE are unlikely for the time being.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]