[funsec] Microsoft announce most secure OS on the planet
Nick FitzGerald
nick at virus-l.demon.co.uk
Mon Apr 20 17:56:44 CDT 2009
Larry Seltzer to der Mouse:
> > I know someone who until recently (~1yr ago?) was running Windows 3.1
> >
> > For all its lack of inherent security, it was substantially stronger
> > against today's carpet-bombed attacks than lots of more modern stuff,
> > simply because most malware wouldn't run on it at all.
>
> Fascinating. Think of how secure DOS and CP/M are by this standard.

That is "pragmatic security".

It's the main reason I use Firefox rather than IE. It's a good bet that by
objective coding quality standards, etc., FF is much less secure than contemporary
versions of IE, but to date FF has not been subjected to anything like the same
level of scrutiny for exploitable holes by the bad guys (or anyone else) largely
because of its market share (and a misguided belief that because OSS code _can_
be scrutinized by millions of eyeballs, it is almost necessarily better
scrutinized than non-OSS code). Thus, FF's market share means the (mostly)
monetizable value of finding and exploiting vulnerabilities in FF makes doing so
orders of magnitude less attractive to the bad guys (and really bad karma to the
white hats who should be auditing the code better).

In a couple of years, as a greater and greater proportion of Windows users are
forced to "better" versions of IE, these economics will likely change, but the
next low-hanging fruit will then probably be the third-party add-ons that are
common _across browsers_ and typically exploitable across browsers too (and yes,
we have been seeing this for a while now), rather than "the browser with next
largest market share".

Regards,

Nick FitzGerald