[CS-FSLUG] NI: Longhorn following Unix on security?

Don Parris evangelinux at thefreelyproject.org
Wed Jul 13 09:53:21 CDT 2005


On Wed, 13 Jul 2005 09:51:46 -0400
Frank Bax <fbax at sympatico.ca> wrote:

> At 06:31 AM 7/13/05, 國產 Wei-Yee Chan (Made in Chinar) wrote:
> 
> >Microsoft's delayed Longhorn operating system appears to be taking a
> >page from the Unix management book by curbing user's administration
> >rights.
> >
> >http://www.theregister.co.uk/2005/07/11/longhorn_security/
> 
>  >> Microsoft-sponsored Security Innovation study published in June
> ...[snip]...
>  >> The study, part of Microsoft's "Get the facts" campaign, claims SQL
>  >> Server had zero vulnerabilities over the course of the year compared to
>  >> seven for MySQL and 30 for Oracle 10g.
> 
> 1) I found this a little hard to believe, so I did some searching.  It 
> didn't take long to find this:
>          http://www.microsoft.com/technet/security/Bulletin/MS03-031.mspx
> How is it possible that a "cumulative" security patch can be released the
> month immediately following the study, and yet the software had no 
> vulnerabilities for the 12 months prior to the study??  Is a vulnerability only 
> counted when the patch to fix it is released?  Were patches leading up to 
> the "cumulative" patch all released after the study as well?
>

This report is old, but contains some info on SQL Server that would scare
the tar out of anyone.  I don't know if Msft has taken the path predicted in
the article (basing the new filesystem on it??), but that would be seriously
scary.

http://www.theregister.co.uk/security/security_report_windows_vs_linux/

 
> 2) The whole issue of Admin rights in Windows appears to be distorted by 
> this article.  WinXP already has the ability to create non-admin 
> users.  The real problem is that many windows software packages require 
> admin rights to run properly.  Until software developers test their 
> products using non-admin accounts, the problem will continue.
> 
> Frank 
> 
> 

Yeah, this is another thing that bothers me.  At work, I have write access
to the system folders.  I just think it's bad policy - even if the PC is
used by a single user.  I've never heard of employees intentionally
sabotaging their PCs, but I wouldn't put it past someone who might be mad
at the boss or has just been told to clean out their desk.  

That may be overly pessimistic, but having been in physical security for many
years, I don't generally concern myself so much with what has never happened
before as I do with what could happen.

Don
-- 
evangelinux    GNU Evangelist
http://matheteuo.org/                   http://chaddb.sourceforge.net/
"Free software is like God's love - you can share it with anyone anytime
anywhere."
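Frank's point about running under non-admin accounts and Don's remark about having write access to the system folders at work both come down to one question a desktop administrator can check directly: does the logged-on user's token carry write rights on the Windows system directories? The script below is an added example and is not code from either poster; it assumes Windows PowerShell 5.1 or later, reads ACLs only and changes nothing on the machine.

```powershell
# Added example, not from the thread: report whether the current Windows user's
# token could write to the system folders Don says he has write access to.
# Assumes Windows PowerShell 5.1+; it only reads ACLs and modifies nothing.

function Get-TokenSids {
    # The user's own SID plus every group SID the logon token carries.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value)
    foreach ($g in $id.Groups) { $sids += $g.Value }
    return $sids
}

function Test-UserCanWrite {
    param([string]$Path, [string[]]$TokenSids)

    # FileSystemRights.Write covers WriteData/CreateFiles, AppendData,
    # WriteExtendedAttributes and WriteAttributes.
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    $acl   = Get-Acl -Path $Path
    $allow = $false
    $deny  = $false

    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # identity cannot be resolved, so it cannot match our token
        }
        if ($TokenSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
    }

    # Simplified evaluation: any matching Deny entry wins over an Allow entry.
    return ($allow -and -not $deny)
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
$tokenSids = Get-TokenSids

"User: $($identity.Name)   Administrators role: $isAdmin"
foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32", $env:ProgramFiles)) {
    $canWrite = Test-UserCanWrite -Path $dir -TokenSids $tokenSids
    "{0,-40} writable by current token: {1}" -f $dir, $canWrite
}
```

Two limitations worth knowing before trusting the output: the check compares explicit ACE rights bit-by-bit, so entries expressed as generic rights (for example the large inherit-only values icacls shows on some folders) are not mapped to their file-specific equivalents, and on a system with UAC the filtered token of a non-elevated administrator still lists the Administrators SID even though Windows uses it for deny-only, so a "True" for an administrator account describes the elevated case. A "True" for a plain user account is the situation Don describes and is the one to fix.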
