Remote flaw found in Vista existed since December 2006

[Quinton McLeod]

Originally posted by: Nothinman

I never said I was l33t. However, you have no proof that windows users don't deny their problems. In fact, you had to result to bashing me because you couldn't find enough information to support your original claim.

Oh please, your entire first post (not counting the pasted crap from your "sources") is misinformation and Windows user "bashing".

Ok....

You really need to read the stuff you're using in your defense.
One of the Developer accounts were compromised. The system was not. If the hacker has access to the server by legit means (valid username and password), then the security of the OS goes right out the window since the server assumes the person logging in is legit. That is exactly what happened last year. It had nothing to do with a remote vulnerability that the Windows XP of last year (and Vista now) was plagued with.

No, it's you who needs to read and comprehend. Yes, they found a weak password to get access to a shell account but that doesn't mean the they automatically own the box. From there they used a Linux kernel exploit to take over the box. It's on par with the .ani exploit because in both cases they have to find some way to get onto the system to attack it, in the Debian case it was a weak password and in the .ani case it's getting you to visit a malicious webpage or read a malicious email. Neither is 100% automatic.

No, it's you who needs to read and comprehend. The hacker used a local vulnerability. He wouldn't have been able to do that if he didn't first have access to the server. The ani exploit is a REMOTE VULNERABILITY. This means the hacker doesn't need remote access to the machine to gain local access. Remote vulnerabilities are far far more serious than local vulnerabilities. You should know that more than anybody here.

Looks like Microsoft even admitted that this vulnerability is on the rise as more hackers are deciding to use it.

That means absolutely nothing, there's a ton of "hackers" out there that still run bots using years old IIS and SQL Server exploits.

How many home users are running IIS and SQL Servers? Exactly my point.

This is simply not true and has been proved a thousand times before. Don't make me pull the IIS vs. Apache example out.

But can you come up with another example? And have you looked at IIS lately? IIS 6.x only has 3 exploits listed on Secunia and all are patched but Apache 2.2 has 3 with 1 remotely exploitable one not patched yet. And Apache 2.0 has 33 with 3 not patched vs IIS 5.x only having 14 total with 2 unpatched.

First of all, IIS 6.x hasn't been out for as long as Apache 2.2. It's obvious that you'd find more vulnerabilities as more time passes by. The same goes for the previous versions you have listed. Why would they patch Apache 2.0 when a newer version of Apache already has the fixes? They only support one version at a time. Just encase you didn't know that.

If Ubuntu Linux was as widely used as Windows, I doubt it would be plagued with viruses and vulnerabilities as bad as Windows is.

Be careful what you wish for, especially since it's obvious that you have no real understand about what you're talking.

Same with you, friend.

 

[Nothinman]

No, it's you who needs to read and comprehend. The hacker used a local vulnerability. He wouldn't have been able to do that if he didn't first have access to the server. The ani exploit is a REMOTE VULNERABILITY. This means the hacker doesn't need remote access to the machine to gain local access. Remote vulnerabilities are far far more serious than local vulnerabilities. You should know that more than anybody here.

Nope, the ani vulnerability is local and it requires a second transport to work. You have to do something like get the user to visit a web site or open an email which will cause IE to process the cursor locally. A remote exploit is one that can be done remotely with no local interaction required by the user, like breaking into sshd or an RPC server.

How many home users are running IIS and SQL Servers? Exactly my point.

A lot more than you'd think, otherwise CodeRed wouldn't have been the big deal that it was.

Why would they patch Apache 2.0 when a newer version of Apache already has the fixes?

Because they're still supporting all 3 versions, take a look at the Apache home page and you'll see version announcements for 2.2.4, 2.0.59 and 1.3.37. Just like the Linux kernel 2.4 and 2.6 are both still supported.

They only support one version at a time. Just encase you didn't know that.

Wow, I can see you've done your reseach on this...

Same with you, friend.

The difference being that I actually do understand the topic at hand.

 

[Quinton McLeod]

Originally posted by: Nothinman

No, it's you who needs to read and comprehend. The hacker used a local vulnerability. He wouldn't have been able to do that if he didn't first have access to the server. The ani exploit is a REMOTE VULNERABILITY. This means the hacker doesn't need remote access to the machine to gain local access. Remote vulnerabilities are far far more serious than local vulnerabilities. You should know that more than anybody here.

Nope, the ani vulnerability is local and it requires a second transport to work. You have to do something like get the user to visit a web site or open an email which will cause IE to process the cursor locally. A remote exploit is one that can be done remotely with no local interaction required by the user, like breaking into sshd or an RPC server.

Nope. It's a remote vulnerability. Here is the proof (and patch):
http://research.eeye.com/html/alerts/zeroday/20070328.html

How many home users are running IIS and SQL Servers? Exactly my point.

A lot more than you'd think, otherwise CodeRed wouldn't have been the big deal that it was.

There are more people running IE7 than there are running IIS and SQL Servers. This vulnerability affects a much higher number of machines than what you're talking about.

The difference being that I actually do understand the topic at hand.

Actually, you know a lot less than you give yourself credit for.

 

[Matthias99]

Originally posted by: Quinton McLeod

Originally posted by: Nothinman

No, it's you who needs to read and comprehend. The hacker used a local vulnerability. He wouldn't have been able to do that if he didn't first have access to the server. The ani exploit is a REMOTE VULNERABILITY. This means the hacker doesn't need remote access to the machine to gain local access. Remote vulnerabilities are far far more serious than local vulnerabilities. You should know that more than anybody here.

Nope, the ani vulnerability is local and it requires a second transport to work. You have to do something like get the user to visit a web site or open an email which will cause IE to process the cursor locally. A remote exploit is one that can be done remotely with no local interaction required by the user, like breaking into sshd or an RPC server.

Nope. It's a remote vulnerability. Here is the proof (and patch):
http://research.eeye.com/html/alerts/zeroday/20070328.html

From that page:

An unspecified vulnerability exists within Microsoft Windows which may possibly allow for a remote attacker to execute arbitrary code under the context of the logged in user. This vulnerability requires user interaction by viewing a malicious Windows animated cursor (.ANI) file. .ANI files are commonly used by web developers to display custom cursor animations to enhance web-site experiences.

(emphasis added)

It's "remote" in the sense that the attacker doesn't need login access to the system, but you need a local user to actually take some action in order to exploit the vulnerability. That is what you don't seem to be understanding.

Also, as explained multiple times, the default security settings for Vista and IE7 limit the amount of damage that can actually be done, since you are normally not running as an administrative user.

Is it a bug? Yes. Is it a security hole? Yes. Is it moderately serious? Yes.

Does this mean that, somehow, all Microsoft products are incredibly insecure? No. Does it say anything about the state of security in Linux/UNIX/OSX? Not really.

 

[Nothinman]

Nope. It's a remote vulnerability. Here is the proof (and patch):

Meh, it's semantics. The browser has to download the .ani file locally before doing anything so on the strictest level it's a local exploit. You can't take a script or program, point it at a Windows box and say "exploit .ani vulnerability" so it's not remote in the important sense, the security companies just like to make things seem worse than they really are in order to scare people into believing their worth is higher than it really is.

There are more people running IE7 than there are running IIS and SQL Servers. This vulnerability affects a much higher number of machines than what you're talking about.

That's irrelevant and questionable since IE7 only runs on Vista and XP, everyone running a different version of Windows is stuck on IE6 and there's a lot of XP users who still haven't installed it either. And hell there's probably more people running IIS and SQL Servers on the Internet than Ubuntu.

Actually, you know a lot less than you give yourself credit for.

Even if that's true I've managed to get a lot more correct in this thread than you and I like how you totally ignored the fact that the Apache Group is indeed supporting all 3 versions of Apache and still haven't patched every vulnerabilty. At least I'm not afraid to admit when I'm wrong.

 

[Quinton McLeod]

Originally posted by: Matthias99

Originally posted by: Quinton McLeod

Originally posted by: Nothinman

No, it's you who needs to read and comprehend. The hacker used a local vulnerability. He wouldn't have been able to do that if he didn't first have access to the server. The ani exploit is a REMOTE VULNERABILITY. This means the hacker doesn't need remote access to the machine to gain local access. Remote vulnerabilities are far far more serious than local vulnerabilities. You should know that more than anybody here.

Nope, the ani vulnerability is local and it requires a second transport to work. You have to do something like get the user to visit a web site or open an email which will cause IE to process the cursor locally. A remote exploit is one that can be done remotely with no local interaction required by the user, like breaking into sshd or an RPC server.

Nope. It's a remote vulnerability. Here is the proof (and patch):
http://research.eeye.com/html/alerts/zeroday/20070328.html

From that page:

An unspecified vulnerability exists within Microsoft Windows which may possibly allow for a remote attacker to execute arbitrary code under the context of the logged in user. This vulnerability requires user interaction by viewing a malicious Windows animated cursor (.ANI) file. .ANI files are commonly used by web developers to display custom cursor animations to enhance web-site experiences.

(emphasis added)

It's "remote" in the sense that the attacker doesn't need login access to the system, but you need a local user to actually take some action in order to exploit the vulnerability. That is what you don't seem to be understanding.

Also, as explained multiple times, the default security settings for Vista and IE7 limit the amount of damage that can actually be done, since you are normally not running as an administrative user.

Is it a bug? Yes. Is it a security hole? Yes. Is it moderately serious? Yes.

Does this mean that, somehow, all Microsoft products are incredibly insecure? No. Does it say anything about the state of security in Linux/UNIX/OSX? Not really.

I never argued that user interaction was or wasn't involved. The fact is the vulnerability is still remote. You even admitted that it was a security hole and it was moderately serious. So, what's the issue?

 

[Matthias99]

Originally posted by: Quinton McLeod
I never argued that user interaction was or wasn't involved. The fact is the vulnerability is still remote. You even admitted that it was a security hole and it was moderately serious. So, what's the issue?

The "issue" is that you are:

1) blowing this way out of proportion IMO. This is not a vulnerability that allows someone to 'break into' a system remotely with no user intervention, which is much more serious. Is it bad that visiting a maliciously designed website may give someone the ability to access your machine? Yes. Is this going to affect most people? Probably not, unless they like to visit sketchy websites all the time.

2) trying to use this as conclusive proof that Windows is less secure than other operating systems, and/or that Microsoft doesn't care about security.

3) posting FUD such as:

...Windows users deny vulnerabilities when they are staring you right in the face...

...When such a threat is posed in Linux (or even on Firefox), despite its threat level, it is fixed immediately...

These are both blanket statements that are not true.

 

[Quinton McLeod]

Originally posted by: Matthias99

Originally posted by: Quinton McLeod
I never argued that user interaction was or wasn't involved. The fact is the vulnerability is still remote. You even admitted that it was a security hole and it was moderately serious. So, what's the issue?

The "issue" is that you are:

1) blowing this way out of proportion IMO. This is not a vulnerability that allows someone to 'break into' a system remotely with no user intervention, which is much more serious. Is it bad that visiting a maliciously designed website may give someone the ability to access your machine? Yes. Is this going to affect most people? Probably not, unless they like to visit sketchy websites all the time.

How am I blowing this out of proportion? Microsoft even considers this vulnerability critical. The webpage I linked to also listed the vulnerability as critical. I never mentioned anything about user intervention. The point is that it takes very little user intervention to infect the said computer. However, I never really argued whether or not this vulnerability needed user intervention. You did. The fact still remains that the vulnerability is still there. The same could go for other operating systems. If they have a vulnerability, no matter what, they still have a vulnerability. I've never argued this.

I think you forgot the point I was arguing. Microsoft touted that Vista was more secure than Linux and then this happened. This was a vulnerability that has not been patched since December of 2006. It shows that Microsoft is still slow at responding to threats to their OS. If they are slow to respond to something like this, then they cannot claim that Vista is more secure than Linux. Point blank.

2) trying to use this as conclusive proof that Windows is less secure than other operating systems, and/or that Microsoft doesn't care about security.

I don't understand this sentence. Seems like you were trying to say more, but you stopped half way through.

3) posting FUD such as:

...Windows users deny vulnerabilities when they are staring you right in the face...

...When such a threat is posed in Linux (or even on Firefox), despite its threat level, it is fixed immediately...

These are both blanket statements that are not true.

They are true. Because right now you're denying that this vulnerability is a threat.
And last I checked, Mozilla has been very fast at patching vulnerabilities. Same thing with Linux. Microsoft, on the other hand, has yet to patch this vulnerability 4 months after they've known about it.

 

[Kappo]

Originally posted by: Quinton McLeod

Originally posted by: Matthias99

Originally posted by: Quinton McLeod
I never argued that user interaction was or wasn't involved. The fact is the vulnerability is still remote. You even admitted that it was a security hole and it was moderately serious. So, what's the issue?

The "issue" is that you are:

1) blowing this way out of proportion IMO. This is not a vulnerability that allows someone to 'break into' a system remotely with no user intervention, which is much more serious. Is it bad that visiting a maliciously designed website may give someone the ability to access your machine? Yes. Is this going to affect most people? Probably not, unless they like to visit sketchy websites all the time.

How am I blowing this out of proportion? Microsoft even considers this vulnerability critical. The webpage I linked to also listed the vulnerability as critical. I never mentioned anything about user intervention. The point is that it takes very little user intervention to infect the said computer. However, I never really argued whether or not this vulnerability needed user intervention. You did. The fact still remains that the vulnerability is still there. The same could go for other operating systems. If they have a vulnerability, no matter what, they still have a vulnerability. I've never argued this.

I think you forgot the point I was arguing. Microsoft touted that Vista was more secure than Linux and then this happened. This was a vulnerability that has not been patched since December of 2006. It shows that Microsoft is still slow at responding to threats to their OS. If they are slow to respond to something like this, then they cannot claim that Vista is more secure than Linux. Point blank.

2) trying to use this as conclusive proof that Windows is less secure than other operating systems, and/or that Microsoft doesn't care about security.

I don't understand this sentence. Seems like you were trying to say more, but you stopped half way through.

3) posting FUD such as:

...Windows users deny vulnerabilities when they are staring you right in the face...

...When such a threat is posed in Linux (or even on Firefox), despite its threat level, it is fixed immediately...

These are both blanket statements that are not true.

They are true. Because right now you're denying that this vulnerability is a threat.
And last I checked, Mozilla has been very fast at patching vulnerabilities. Same thing with Linux. Microsoft, on the other hand, has yet to patch this vulnerability 4 months after they've known about it.

So, by your own logic we can state:

"Solaris, Linux and AIX users deny vulnerabilities affect patched machines"? I use all of them. And this isn't a huge deal for me.

Contrary to what you may believe, most of us aren't fanboi enough to only use one OS.

 

[Nothinman]

I think you forgot the point I was arguing. Microsoft touted that Vista was more secure than Linux and then this happened. This was a vulnerability that has not been patched since December of 2006. It shows that Microsoft is still slow at responding to threats to their OS. If they are slow to respond to something like this, then they cannot claim that Vista is more secure than Linux. Point blank.

There are still 18 exploits unpatched on the Linux 2.6 kernel going back as far as 2004, how does that actually make them better than MS?

They are true. Because right now you're denying that this vulnerability is a threat.

No, we're denying the misinformation you're spreading around and the conclusions that you're generating from the vulnerability.

And last I checked, Mozilla has been very fast at patching vulnerabilities. Same thing with Linux. Microsoft, on the other hand, has yet to patch this vulnerability 4 months after they've known about it.

I guess you should check again or do you not consider the 3 unpatched vulnerabilities in FF 2.0.x important? And I guess the same thing goes for the 4 unpatched vulnerabilities in FF 1.x and the previously mentioned Linux kernel and Apache vulnerabilities?

 

[Quinton McLeod]

Originally posted by: Nothinman

Nope. It's a remote vulnerability. Here is the proof (and patch):

Meh, it's semantics. The browser has to download the .ani file locally before doing anything so on the strictest level it's a local exploit. You can't take a script or program, point it at a Windows box and say "exploit .ani vulnerability" so it's not remote in the important sense, the security companies just like to make things seem worse than they really are in order to scare people into believing their worth is higher than it really is.

lol ok...

There are more people running IE7 than there are running IIS and SQL Servers. This vulnerability affects a much higher number of machines than what you're talking about.

That's irrelevant and questionable since IE7 only runs on Vista and XP, everyone running a different version of Windows is stuck on IE6 and there's a lot of XP users who still haven't installed it either. And hell there's probably more people running IIS and SQL Servers on the Internet than Ubuntu.
[/quote]

You forget that the vulnerability affects IE6 as well. So, it affects that much more and then some. You used the IIS and SQL server analogy when you know those programs are not as wide spread as Internet Explorer.

Actually, you know a lot less than you give yourself credit for.

Even if that's true I've managed to get a lot more correct in this thread than you and I like how you totally ignored the fact that the Apache Group is indeed supporting all 3 versions of Apache and still haven't patched every vulnerabilty. At least I'm not afraid to admit when I'm wrong.

I never said they patch all of their vulnerabilities. However, you're insinuating that IIS is more secure than Apache and that is just not the case. You even admitted in your sentence structuring. That was the point I was trying to make.

 

[Nothinman]

lol ok...

Laugh all you want but that is the differentiation between remote and local exploits. I mean hell if all it takes is the ability to download a file and have an app work on the downloaded file to be considered a remote exploit then just about all vulnerabilties are remotely exploitable.

You forget that the vulnerability affects IE6 as well. So, it affects that much more and then some. You used the IIS and SQL server analogy when you know those programs are not as wide spread as Internet Explorer.

Originally I said nothing about the pervasiveness of IIS or SQL, I just said that lots of "hackers" were exploiting them. It was in response to your "Even MS said this is OMGBAD because more hackers are beginning to exploit it", I was just trying to point out that the "hackers" running those botnets will use every exploit available no matter how many machines the target software is on. Then you made your comment about IE7 having a larger install base than IIS and SQL Server. And anyway, this exploit is less useful for them because it can't be easily automated, the target user still has to visit a webpage or open an email to get attacked.

I never said they patch all of their vulnerabilities. However, you're insinuating that IIS is more secure than Apache and that is just not the case. You even admitted in your sentence structuring. That was the point I was trying to make.

IIS 6.x may well be more secure than Apache, it's impossible to do a real comparison without the source code to audit. And you most certainly did say that Mozilla and the Linux kernel developers are "very fast at patching vulnerabilities" when there are clear examples to the contrary. No one handles every vulnerability perfectly, claiming that Vista is less secure than Linux just because this one exploit took a while to fix is just an idiotic cry for attention.

And the fact that you're stooping to attacking the semantics and structure of my posts instead of the real content just proves that you have no real facts and are just looking to argue and get some attention. So, this is my last post here today since it's Sat night, there's a hockey game on and a bar calling my name.

 

[Quinton McLeod]

Originally posted by: Nothinman

I think you forgot the point I was arguing. Microsoft touted that Vista was more secure than Linux and then this happened. This was a vulnerability that has not been patched since December of 2006. It shows that Microsoft is still slow at responding to threats to their OS. If they are slow to respond to something like this, then they cannot claim that Vista is more secure than Linux. Point blank.

There are still 18 exploits unpatched on the Linux 2.6 kernel going back as far as 2004, how does that actually make them better than MS?

They are true. Because right now you're denying that this vulnerability is a threat.

No, we're denying the misinformation you're spreading around and the conclusions that you're generating from the vulnerability.

And last I checked, Mozilla has been very fast at patching vulnerabilities. Same thing with Linux. Microsoft, on the other hand, has yet to patch this vulnerability 4 months after they've known about it.

I guess you should check again or do you not consider the 3 unpatched vulnerabilities in FF 2.0.x important? And I guess the same thing goes for the 4 unpatched vulnerabilities in FF 1.x and the previously mentioned Linux kernel and Apache vulnerabilities?

I at least provided proof. Where is your proof. Needless to say, I don't believe you.
I wanna see a link that displays 18 "exploits" that have been unpatched in the current Linux kernel. Please show this to me

 

[MedicBob]

Everyone, why do we feed them???

I mean, Nothinman and n0cmonkey, you two are new to this and must be MS fanbois like most of us Lemmings to not see the wisdom of QM pointing out that Vista has security flaws but no one else does. I mean come on, do you see his wisdom?

QM, yes this is a troll post. Evidence has been posted and from your previous posts you do not like, want, or need Vista. So don't use it, MS probably doesn't care. We kinda cared at the start of this, but you blatently ignore your own posts. Several bugs have been shown to you on OS 10.X.X and on *Nix flavors, but you seem to backtrack and say supported OSes, current bugs, faster patching, longer software deployment, etc.

If you do not like Vista so be it. You are not going to convince me or most here not to use it.

 

[Quinton McLeod]

Originally posted by: MedicBob
Everyone, why do we feed them???

I mean, Nothinman and n0cmonkey, you two are new to this and must be MS fanbois like most of us Lemmings to not see the wisdom of QM pointing out that Vista has security flaws but no one else does. I mean come on, do you see his wisdom?

QM, yes this is a troll post. Evidence has been posted and from your previous posts you do not like, want, or need Vista. So don't use it, MS probably doesn't care. We kinda cared at the start of this, but you blatently ignore your own posts. Several bugs have been shown to you on OS 10.X.X and on *Nix flavors, but you seem to backtrack and say supported OSes, current bugs, faster patching, longer software deployment, etc.

If you do not like Vista so be it. You are not going to convince me or most here not to use it.

My job is not to convert you. I want people like you to fess up to all of those times when you said Vista was invincible. I haven't heard a single one of you admit to the same things you've all said a few months back.

 

[loup garou]

Originally posted by: Quinton McLeod

Originally posted by: MedicBob
Everyone, why do we feed them???

I mean, Nothinman and n0cmonkey, you two are new to this and must be MS fanbois like most of us Lemmings to not see the wisdom of QM pointing out that Vista has security flaws but no one else does. I mean come on, do you see his wisdom?

QM, yes this is a troll post. Evidence has been posted and from your previous posts you do not like, want, or need Vista. So don't use it, MS probably doesn't care. We kinda cared at the start of this, but you blatently ignore your own posts. Several bugs have been shown to you on OS 10.X.X and on *Nix flavors, but you seem to backtrack and say supported OSes, current bugs, faster patching, longer software deployment, etc.

If you do not like Vista so be it. You are not going to convince me or most here not to use it.

My job is not to convert you. I want people like you to fess up to all of those times when you said Vista was invincible. I haven't heard a single one of you admit to the same things you've all said a few months back.

Please post quotes of anyone you've argued with in this thread saying Vista is invincible.

C'mon, troll, do it.

 

[Tegeril]

Originally posted by: Quinton McLeod

Originally posted by: MedicBob
Everyone, why do we feed them???

I mean, Nothinman and n0cmonkey, you two are new to this and must be MS fanbois like most of us Lemmings to not see the wisdom of QM pointing out that Vista has security flaws but no one else does. I mean come on, do you see his wisdom?

QM, yes this is a troll post. Evidence has been posted and from your previous posts you do not like, want, or need Vista. So don't use it, MS probably doesn't care. We kinda cared at the start of this, but you blatently ignore your own posts. Several bugs have been shown to you on OS 10.X.X and on *Nix flavors, but you seem to backtrack and say supported OSes, current bugs, faster patching, longer software deployment, etc.

If you do not like Vista so be it. You are not going to convince me or most here not to use it.

My job is not to convert you. I want people like you to fess up to all of those times when you said Vista was invincible. I haven't heard a single one of you admit to the same things you've all said a few months back.

http://www.dotstrosity.net/humor/trolling.jpg

 

[n0cmonkey]

http://secunia.com/product/2719/

<- Mac head, linux zealot, bsd bigot, solaris admin, windows user

 

[Quinton McLeod]

Originally posted by: Tegeril

Originally posted by: Quinton McLeod

Originally posted by: MedicBob
Everyone, why do we feed them???

I mean, Nothinman and n0cmonkey, you two are new to this and must be MS fanbois like most of us Lemmings to not see the wisdom of QM pointing out that Vista has security flaws but no one else does. I mean come on, do you see his wisdom?

QM, yes this is a troll post. Evidence has been posted and from your previous posts you do not like, want, or need Vista. So don't use it, MS probably doesn't care. We kinda cared at the start of this, but you blatently ignore your own posts. Several bugs have been shown to you on OS 10.X.X and on *Nix flavors, but you seem to backtrack and say supported OSes, current bugs, faster patching, longer software deployment, etc.

If you do not like Vista so be it. You are not going to convince me or most here not to use it.

My job is not to convert you. I want people like you to fess up to all of those times when you said Vista was invincible. I haven't heard a single one of you admit to the same things you've all said a few months back.

http://www.dotstrosity.net/humor/trolling.jpg

rofl!

 

[loup garou]

Originally posted by: loup garou
Please post quotes of anyone you've argued with in this thread saying Vista is invincible.

C'mon, troll, do it.

 

[Quinton McLeod]

Originally posted by: n0cmonkey
http://secunia.com/product/2719/

<- Mac head, linux zealot, bsd bigot, solaris admin, windows user

Thank you for that link.

To explain to Nothinman... None of the unpatched vulnerabilities carried over from version to version or even from month to month. From what I can tell, they appear to be vulnerabilties found within the month. Only 13% of them are considered unpatched at this moment in time. However, that is only a small percentage.

If I'm wrong, please correct me.

Vista has had this vulnerability for 4 months now.

 

[loup garou]

Originally posted by: Quinton McLeod
Vista has had this vulnerability for 4 months now.

For every time you post that, I am going to post this:

Originally posted by: loup garou
Vista is protected from this as long as IE7 protected mode isn't turned off (it's turned on by default).

Oh and this too:

Originally posted by: loup garou
Please post quotes of anyone you've argued with in this thread saying Vista is invincible.

C'mon, troll, do it.

Have a nice day.

 

[fyleow]

..

 

[mechBgon]

Vista has had this vulnerability for 4 months now.

And it appears that a default installation of Vista is not actually vulnerable to the "vulnerability." To quote teh Microsoft:

Customers who are using Internet Explorer 7 on Windows Vista are protected from currently known web based attacks due to Internet Explorer 7.0 protected mode.

from here (expand Mitigating Factors). If you're enough of an idiot to go out, hunt down a malicious .ANI file, and manually drag & drop it to your Vista desktop like in the YouTube video, then that's your problem.

Not to mention that IE7, along with other user software on Vista, would also be operating at non-Admin level even from an Admin account, unless the user right-clicks it and deliberately chooses Run As Administrator every time they start it. So whatever the exploit's payload was, even if the exploit worked on Vista, would be hogtied between lack of admin rights and also Windows Integrity Control placing it at the lowest integrity level, barring it from doing much serious damage. And if that's not enough, UAC would jump in to ask me for approval if the payload tried to touch anything that called for Admin powers, such as modifying the HOSTS file, changing my DNS servers, installing spyware, etc.

And in my particular case, the payload would never get to execute in the first place, because (1) duh, my antivirus software would nuke it on sight, and if that didn't happen, (2) my SRP would slap it down arbitrarily anyway. Checkmate.

So on Vista, the situation is looking pretty bleak for the bad guys. I'm sure there'll be actual working exploits for Vista over its 10-year lifecycle, but this doesn't look like a very good one to support your posturing with. If anything, it's actually a showcase for why Vista's better than XP, IMO. Wait for something else, guy

 

[Nothinman]

I at least provided proof. Where is your proof. Needless to say, I don't believe you.
I wanna see a link that displays 18 "exploits" that have been unpatched in the current Linux kernel. Please show this to me

Take a look at Secunia.com, it took me like 2 minutes to find them, is it really that difficult for you?

My job is not to convert you. I want people like you to fess up to all of those times when you said Vista was invincible. I haven't heard a single one of you admit to the same things you've all said a few months back.

Your job is totally irrelevant and you're not even doing a public service here. Where did anyone say that Vista was invincible? If you're going to argue semantics with me why can't you even link us to the poster that said Vista is invicible?

To explain to Nothinman... None of the unpatched vulnerabilities carried over from version to version or even from month to month. From what I can tell, they appear to be vulnerabilties found within the month. Only 13% of them are considered unpatched at this moment in time. However, that is only a small percentage.

All of those unpatched vulnerabilities have carried over since they apply to the entire 2.6.x line, unless you can tell us where to find the patches that Secunia missed. And 13% is much higher than the 0% that you've implied over and over with your continuous comments about how "Mozilla has been very fast at patching vulnerabilities. Same thing with Linux" which obviously isn't 100% true.

If I'm wrong, please correct me.

We've tried, but you're not listening.

Edit: fix quotes