begin risky.vbs
<7719406.7zi7ER5hcO@xxxxxxxxxxxxxxx>,
Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> writes:
> __/ [ Roy Culley ] on Saturday 14 October 2006 00:09 \__
>
>> begin risky.vbs
>> <1160780646.626981.315300@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
>> "Tom Shelton" <tom_shelton@xxxxxxxxxxx> writes:
>>>
>>> You might want to take a look at "Blue Pill". The prototype was
>>> Vista,x64 but according to the above Black Hat:
>>>
>>> <Quote>
>>> Rutkowska stressed that the Blue Pill technology does not rely on
>>> any bug of the underlying operating system. "I have implemented a
>>> working prototype for Vista x64, but I see no reasons why it should
>>> not be possible to port it to other operating systems, like Linux or
>>> BSD which can be run on x64 platform," she added.
>>> </Quote
>>>
>>> This is one that maybe the Linux people should be worried about as
>>> well.
>>
>> And I'm sure they will. I read about Blue Pill a couple of months or
>> more ago but little has been mentioned of it since. Is it a viable
>> attack vector or not?
>
> I can only see Windows mentioned.
>
> http://en.wikipedia.org/wiki/Blue_pill_%28malware%29
I read that it could affect any OS. Time will tell.
> The last time I heard about a 'flaw' that compromised Apple's OS X
> and GNU/Linux it was "a joke" (Firefox FUD). It seems like trolling
> (hypothetical) which intensifies the magnitude of the issue and
> attracts media attention.
Security vulnerabilities exist in all complex SW systems. What makes
MS SW more vulnerable is that their OS is insecure by design. Anyone
who denies this is living in cloud cuckoo land. What makes matters
worse is that most home Windows users run with admin privileges.
Regardless of the FUD Erik posts, security vulnerabilities are patched
in the OSS world far faster than in the CSS world.
A few years ago, there was a big debate on security mailing lists on
whether vulnerabilities in any SW should be made known when they were
discovered or only after a patch was available. The consensus was
about 50 to 50%. MS won the day and most security companies agreed, in
writing, not to disclose security vulnerabilities until a patch was
available.
Then MS announced their great concern about security. All product
development was stopped for a month to concentrate on finding security
vulnerabilities. It was a great success. At the end of the month a
whole bundle of patches came out of MS. The problem was only a couple
were from MS. The rest were found by people who had no access to the
surce code!
What we are seeing today is people who are fed up with MS hiding security
vulnerabilities in their SW until MS are willing to patch them. Hence the
increasing number of zero day exploits being publiched today.
--
Security is one of those funny things. You can talk about being "more"
secure, but there's no such thing. A vulnerability is a vulnerability, and
even one makes you just as insecure as anyone else. Security is a binary
condition, either you are or you aren't. - Funkenbusch 1 Oct 2006
|
|
