mailing list archives
Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 01 Jul 2004 16:51:16 -0400
Matthew Murphy wrote:
Actually, you're both wrong, in my opinion. :-)
Overall market share has some to do with the success of worm propagation,
but the real problem is market share diversity at all levels. IIS is
plagued by worms because one piece of code targeting whatever version of IIS
is widely used can typically infect ~ 95% of the vulnerable portion of the
IIS market. Multi-platform products like Apache, on the other hand, have
the advantage of portability (i.e, variations in the underlying systems
within its market). A fantastic example of this is Scalper -- it targeted
Apache 1.3 running on BSD/IA32. A very small portion of the market for
While you're right (and, in my view, the issue is even more complex and
the possibility of a functioning worm on ANY widely used Free Software
technology being long-lived in the wild is diminished because of it) I
think that the marketshare argument is more psychological than anything
For instance, we can safely say that approx. 25% of all webservers are
GNU/Linux and the vast majority of those run Apache. Of those,
approximately 50% are the latest version of Red Hat (this is an
assumption, but I think it's probably a fairly safe one). That's 12.5%
of all of the web servers on the web running the same version of apache
with, presumably, a significant portion of those running on ix86 based
machines. Assuming that the worm only utilizes Apache memory space and
is otherwise self-contained (doesn't requite a local nc or tftp or
anything like that) then the entire body of installed systems would be
vulnerable to said worm, let's say it's a 0-day worm for the sake of
That's certainly a large enough body of systems for a worm to take hold
on. The Morris worm did it with far fewer hosts and look at the spread
of the witty worm for another example.
So, technically, while there's something to what you're saying, Apache
still has a large enough market share to make it a juicy target for
worms and exploits.
The marketshare argument that's being bounced around is actually more of
a psychological one dealing with the amount of percieved compromisable
hosts and the glory of the target being attacked.
I personally think that it's futile to try to generalize the motivations
of the black hat community. There are as many reasons for them to do
something as there are reasons to think of. Marketshare DOES factor
into the equation, it just isn't the only factor, and often isn't the
The existance of exploits for software that is not so heavily used
proves this point.
Relying on the security of using something because fewer people use it
is tantemount to security through obscurity, to me. Having said that,
right now the most used browser is architecturally flawed, and it just
so happens that the underdog browsers are better designed.
In the near future, that may not be the case. If all of this advice is
heeded and Mozilla is adopted en masse, we may be talking about IE being
the underdog browser and - my prediction - we'll still see people
exploiting it because it will still be more exploitable than Mozilla.
That is, of course, unless Microsoft makes massive changes to it's OS
and rips OS code out of IE, completely redesigning it's security model
-- but I don't see that happening for at least five years.
Microsoft's supporters like to say that they turned the Titanic on a
dime when they embraced the internet.
The rest of us realize that they never really got what the internet was
in the first place - and that's where IE's problems come from.
That's not bashing Microsoft, it's just the fact of how they work as a
corporation, and a fact of how most large corporations work. It's
internally difficult to change the philosophy of a large corporation.
It's also difficult for them to make major changes like that because
program designers/users demand a certain amount of backward
compatibility. Unlike with Free Software systems, you can't recompile
windows with autoconf switches to change it's behavior. Therefore, any
significant changes to IE are unlikely for the time being.
Full-Disclosure - We believe in it.
RE: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Drew Copley (Jul 01)
Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs st3ng4h (Jul 02)
Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Thomas C. Greene (Jul 02)
Re: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs Georgi Guninski (Jul 04)