Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: IE is just as safe as FireFox
From: Danny <nocmonkey () gmail com>
Date: Fri, 12 Nov 2004 16:55:19 -0500

On Fri, 12 Nov 2004 22:15:31 +0100, nicolas vigier
<boklm () mars-attacks org> wrote:
On Thu, 11 Nov 2004, Danny wrote:


Yes, IE security needs work. Yes, Firefox is a great web browser.

However, if Firefox or any other browser had the same market share as
IE, would it really be that much more secure? There sure would be a
lot more people trying to find holes in Firefox if it had the same
user base.

Yes, IIS security needs work. Yes, Apache is a great web server.

A properly setup IIS 6.0 server is no less secure than a properly
setup Apache server (with the latest patches).

Show me how/where a properly setup IIS 6.0 server needs security work?
If you can't hack it, find someone who can or has, and show me
evidence that it was setup properly.

When I say properly, I mean, based on the recommendations stated on
Microsoft's website for securing IIS 6.0. Likewise for setting up
Apache.

However, if Apache or any other web server had the same market share as
IIS, would it really be that much more secure ? There sure would be a
lot more people trying to find holes in Apache if it had the same user
base.

I didn't ask for a comparison for web SERVERS. We are talking about
clients; we are talking about Internet Exploiter and any other web
browser with more than 1000 users, say for example Firefox.

Wooops. Netcraft tells us that 67% webservers are running Apache while 21%
running IIS. Why are there so much worms targeting IIS and not so much
for Apache ?

1) Because Microsoft did not have any useful security in-mind when
they put out IIS 4 & 5. IIS 6 is a much different story;
http://secunia.com/product/1438/

2) I would say over 3/4 of them were not setup properly. You know, if
you want your Microsoft product on the Internet, you do,
unfortunately, have to set it up properly. However, it's actually not
a lot of work. The problem is, most people don't do the work. They
just plug it into the network and say "Alright, we gots our fackin'
websiiite up dare boys. Cletus, upload that fantiastic websiite with
you shaggin' your mom's sisters goat that you made dare in FrontPage.
Riiiight on little buddy! Shes alive!"

3) Most MS admins are lazy and know very little about security. It's
catch 23... why bother securing a product that does not have security
built-in.

The truth is that some programs have a bad design for security while
some others have a better one.

I agree. Microsoft is obviously the worst for this. See my last few posts.

Believe it or not, I prefer Firefox over IE, Apache over IIS, FreeBSD
over Windows, etc. The difference is, I have an open mind and try to
keep all aspects of the debate in mind.

...D

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault