Microsoft Defends Win 7 Security After Pwn2Own

[back_by_demand]

6 or 7 days to get past it?
Is that 6 or 7 days constantly battering the machine? What if the user switches their machine off in the meantime? Do they have to start again?

 

[randomizer]

A Linux box is not invulnerable. If it has not been properly configured it can be broken in to. One of the primary reasons it is harder than on Windows is because permissions are always the lowest required by default and require a password to elevate (which users may not know, and should not know if they don't need to), making the user think for slightly longer than just clicking "Yes" on a UAC prompt like on Windows 7 (users are the weakest link, don't let them do things without thinking and don't let them do things they don't need to do). On XP and older you didn't even need this, and malware had Administrator permissions on the default account to start with. Very poor design. Luckily MS worked around that with Vista and at least lowered the default user privileges.

A Linux box properly configured with Mandatory Access Control is very secure, because even if a person manages to get access to an Administrative account they still may be limited to what they can do. I don't think (correct me if I'm wrong) that Windows 7 has anything along the lines of MAC, so it relies on simple file system permissions like many default Linux configurations do. I doubt they will implement anything like this any time soon either, as it will create a "hassle" for users who find them selves not privileged enough to perform some tasks, and would prefer insecurity if it meant simpler usability.

 

[daggs]

[citation][nom]warmon6[/nom]These so called experts......http://www.tomshardware.com/news/p [...] osx&xtcr=1In either case, my personal option, if it's made by 1 person, another person can crack that person codes. It may take time but any software can be broken.[/citation]

funny, that exact link talks mainly about windows and mac, almost no linux related issue, only two guys have mentioned linux, the first one is Ross Anderson which states that if you don't want to have malware, get a mac or install linux on your pc.
the second is Dino Dai Zovi which states that one should run iphone or chromeos as there are more secure then linux or mac.
now that dude should get a new job as iphone is based on osx and chromeos is a linux distribution.

this article may say that windows 7 is more secure then osx, but it certainly doesn't say it is more secure then linux.
so I ask again "says Who?"

I tend agree with the notion that a system is as secured as it is configured. but naturally(mainly due to design issues), linux is the most secure of all three.

as no system is invulnerable,just take a look at the percentage of the isp companies and supercomputers in the world that are using linux.

 

[jrrdmchls]

My words for Microsoft. "Keep up the good work! Im enjoying my pirated copy of microsoft office "

 

[rollerdisco]

In my experence users are tards, you could give them a link to install a program like "LogMeIn" with admin rights for the entire world, tell them thats what it is for, and tell them not to click it. Guess what THEY WILL CLICK IT!!!!

 

[SAL-e]

It is so sad that so many commenters here can't see past their own monitors. The Internet is much bigger place then the desktop market. So every time you say that Linux has only 1% of the market and not worthed cracking you are talking about 1% of the desktop market. The reality, the Linux is running on most of the servers on the Internet. And if you have been Sys Admin as long as I have been you will know that hackers first target server and if they fail to succeed they will move to the desktop. Linux Servers was under attack longer then any MS desktop. Only when security of the Linux server was raised above the knowledge of the average hacker the Windows desktops become really valuable target. This happen around 2003/2004.
So the argument that hackers don't target yet MAC OS X because the small market share is quite valid, but when you make this comment about Linux it shows you really have no idea what you talking about.
Good desktop Linux distribution has all the security features and default settings as any Linux server. It has to be configured correctly and most Linux users know how to. This is valid for latest OSes from MS and I am glad to see it. Well configured Windows 7/Vista/2008 are secured, but they have too much legacy code and bad design decisions from the past that still causing problems. The biggest one is the integration the IE into the OS. If the IE to become normal application the security of the Windows OS will be raised significantly.

 

[coldmast]

[citation][nom]thedipper[/nom]It's Microsoft. They can have almost any exploitable security hole repaired and the patch rolled out to users all within the same day.[/citation]

...but only on Tuesdays

 

[dgingeri]

You could build a house entirely underground with only one door, and have that door solid steel 6 feet think, and someone would still be able to find a way in to rob you.

It's not the way Windows is designed that is the problem. Other people are the problem. Windows could never be perfectly secure. If it was, it wouldn't be usable. (Just look at Vista, much more secure than Windows 7, but nobody wants to use it because it is so annoying to get programs to work and actually do things with it.)

 

[isamuelson]

[citation][nom]doc70[/nom]Wasn't that hard? At least 6-7 days to overcome?Doesn't sound too easy to me.A little confusing there, Kevin.[/citation]

My thoughts exactly. I'd say, that's pretty darned good. Now, on another note, he has helped Microsoft by finding this vulnerability and they can hopefully get it fixed.

I take Microsoft's explanation as being pretty good. NO amount of security will stop everything, short of turning off network connection. However, 7 days to exploit this "vulnerability" doesn't seem easy to me at all. Sounds like a LOT of work had to take place to make this happen. Sounds like the security worked until he broke it 7 days later. Better than breaking it in less than a day I'd say. Might hold of most hackers.

 

[eyemaster]

There is no security, for any system of any kind, on this planet, that is impossible to break. To fault IE or any browser on security is hypocrisy. The best castle can be breached, the best safe can be breached, and the best security software can also be breached. It's always a factor of time.

 

[CircusMusic]

[citation][nom]ahnilated[/nom]I hope to god you are kidding about this.[/citation]
Ever read the Full disclosure mailing list?
A good cross section of the posts on it are about vulnerabilities found in linux operating systems..
If your commenting with regards to "it's not worth attacking because of the small footprint" then I agree. What OS runs a lot of the websites/services out there?

 

[Nightsilver]

I love it when I read something online where the writer is braying on about something that "should be fixed immediately" in regards to anything code driven.


It doesn't really work like that. Ever.

 

[JohnnyLucky]

SAL-e - Spot On!

 

[PhoneyVirus]

An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

Existing /noexecute settings in the Boot.ini file are not changed when Windows XP SP2 is installed. These settings are also not changed if a Windows operating system image is moved across computers with or without hardware-enforced DEP support.

During installation of Windows XP SP2 and Windows Server 2003 SP1 or later versions, the OptIn policy level is enabled by default unless a different policy level is specified in an unattended installation. If the /noexecute=policy_level setting is not present in the Boot.ini file for a version of Windows that supports DEP, the behavior is the same as if the /noexecute=OptIn setting was included.

For more information Read http://support.microsoft.com/kb/875352#5

I came across this just now in nLite and I said this can't be what I was just read on Tomshardware and what you know it is, man we live in a small world. Hope the info helps as it did for me.