On May 8, 4:51 am, Tony Gravagno <address.is.in.po...@[EMAIL PROTECTED]> wrote:
> art wrote:
> >You can say Microsoft and security in the same sentence, and keep a
> >straight face??
>
> Hey, I'm laughin... I've provided a list below of just security
> advisories for Linux - note these are not fixes for functionality
> issues. And Art, yes, your Ubuntu is in there with the rest of
> them.
>
> Since we're here, for anyone who believes Firefox security is so much
> better than IE, I've provided another list below, of issues in each
> patch release of Firefox 2. The list is just as long for FFv1. There
> is another list for Thunderbird v2 if you're interested.
>
> So can you say Open Source and security in the same sentence, and keep
> a straight face??
>
> My goal here isn't to play up or down on one side or the other, but to
> point out that no one has all the answers, and software from the
> Bazaar is as subject to issues as that from the Cathedral. People
> aren't any smarter or dumber on either side. The longer Linux is
> around the more it looks like Windows in its evolution of bugs,
> failings, and vulnerabilities. People that come up with these
> hit-n-run guffaws about keeping a straight face need to be a little
> more careful about pointing fingers at incompetence because there's
> plenty of it on all sides.
>
> Just tryin to keep it balanced...
> T
>
> ======================================================================
>
> May 2, security advisories were issued for JRockit, KDE, SILC, dbmail,
> gstreamer-plugins-good, iceape, java-1.4.2-bea, java-1.5.0-bea,
> java-1.6.0-bea, kronolith2, ldm, libpng, perl, phpgedview, phpmyadmin,
> speex, thunderbird, tomcat, vorbis-tools, wireshark, wml, wordpress,
> and xulrunner. The distributors included Debian, Fedora, Gentoo,
> Mandriva, Red Hat, and Slackware.
>
> April 25, security advisories were issued for Adobe Flash Player,
> Firefox, Gnumeric, JRockit, KOffice, OpenOffice.org, Openfire, PHP
> Toolkit, Poppler, PowerDNS, SILC, Speex, Sun JDK/JRE, VLC, clamav,
> iceape, iceweasel, kdegraphics, perl, phpmyadmin, roundup, rsync,
> suphp, wireshark, xine-lib, xpdf, and xulrunner. The distributors
> included Debian, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and
> Ubuntu.
>
> April 4, advisories were released for xpdf, exiftags, libxine,
> iceweasel, policyd-weight, xulrunner, firebird, cups, rpmdrake, sarg,
> java, gnome-screensaver, lspp, seamonkey, mysql, and openssh. The
> distributors include Debian, Gentoo, Mandriva, Red Hat, Slackware, and
> Ubuntu.
>
> March 28, advisories were released for policyd, firebird, cupsys,
> serendipity, debian-goodies, xwine, asterisk, kerberos, ssl-cert,
> openssl, perl-Tk, wml, bzip2, audacity, perl-Net-DNS, Ruby, Dovecot,
> libicu, unzip, and mysql. The distributors include Debian, Gentoo,
> Mandriva, and Ubuntu.
>
> March 21, advisories were released for asterisk, iceape, krb5,
> ikiwiki, unzip, icedove, sdl-image, lighthttpd, smarty, horde3,
> backup-manager, dovcot, ssl-cert, kerberos, nagios, gcc, drakeconf,
> evolution, mysql, and mailman. The distributors include Debian,
> Gentoo, Mandriva, and Ubuntu.
>
> March 14, advisories were released for libnet-dns-perl, moin,
> lighttpd, kernel, sarg, drakconf, pulseaudit, tomboy, evolution,
> thunderbird, mailman, cups, and python. The distributors include
> Debian, Gentoo, Mandriva, SuSE, and Ubuntu.
>
> Feb 29, advisories were released for ghostscript, koffice, diatheke,
> turba2, iceape, alsa-driver, linux kernel, wordpress, dspam, splitvt,
> thunderbird, settroubleshoot, dbus, python, and pcre. The distributors
> include Debian, Fedora, Gentoo, Mandriva, and Ubuntu.
>
> Feb 22, advisories were released for pre3, libimager, nagios, clamav,
> boost, thunderbird, xine, mplayer, php, httpd, and apache. The
> distributors include Debian, Gentoo, Mandriva, and Slackware.
>
> Feb 15, advisories were released for nagios, sdl-image, wml, tk,
> iceweasel, icedove, xulrunner, phpbb2, libexif, kernel, mandriva-kde,
> rpmdrake, Qt4, netpbm, gd, libcdio, python, firefox, imageop,
> nss_ldap, rsync, e2fsprogs, and tetex.
>
> Feb 8, advisories were released for squid, poppler, gnatsweb, tk,
> dovecot, rb_libtorrent, libcdio, emacs, ruby, boost, pcre, apache,
> kernel, and pulseaudio. The distributors include Debian, Fedora,
> Mandriva, Ubuntu.
>
> Feb 1, advisories were released for mysql, yarssr, pulseaudio, gforge,
> netkit, maradns, postgresql, blam, xine, cherrypy, icu, kdebase,
> libxfont, xfree86, and xll.
>
> Jan 25, advisories were released for exiv2, php, scponly, xfree86,
> xine-lib, libvorbis, horde3, flac, tomcat, xorg, mantis, tikiwiki,
> libcdio, libxfont, cairo, mysql, lzma, regression, and
> apt-listchanges. The distributors include Debian, Gentoo, Mandriva,
> SuSE, and Ubuntu.
>
> Jan 18, advisories were released for syslog-ng, postgresql, hplip,
> libxml, gforge, openafs, xine, python, apache, autofs, rsync, kernel,
> e2fsprogs, exiv2, XFree, boost, and DovCot. The distributors include
> Debian, Fedora, Mandriva, SuSE, and Ubuntu.
>
> Jan 11, advisories were released for openafs, dovecot, fail2ban,
> libarchive1, freetype, tomcat, wzdftpd, mysql, rsyslog, Xfce, unp,
> kernel, e2fsprogs, libexif, postgresql, gcc, clamav, wireshark,
> openssh, squid, cups, pwlib, opal, and tomboy. The distributors
> include Debian, Fedora, Gentoo, Mandriva, and Ubuntu.
>
> Jan 04, advisories were released for tomcat, wireshark, maradns, php,
> tcpreen, libsndfile, peercast, inotify-tools, type3-src, tar, zope,
> imlib, wireshark, firefox, clamav, syslog, daap, dosfstools, and
> ez-ipupdate. The distributors include Debian, Gentoo, and Mandriva.
>
>
> ======================================================================
> Similarly extensive list for 2007 omitted.
>
> And now for Firefox - again, these were just the security issues, not
> functionality bugs.
>
> ======================================================================
>
> Fixed in Firefox 2.0.0.14
> MFSA 2008-20 Crash in JavaScript garbage collector
>
> Fixed in Firefox 2.0.0.13
> MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
> MFSA 2008-18 Java socket connection to any local port via LiveConnect
> MFSA 2008-17 Privacy issue with SSL Client Authentication
> MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
> MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
> MFSA 2008-14 JavaScript privilege escalation and arbitrary code
> execution
>
> Fixed in Firefox 2.0.0.12
> MFSA 2008-13 Multiple XSS vulnerabilities from character encoding
> MFSA 2008-11 Web forgery overwrite with div overlay
> MFSA 2008-10 URL token stealing via stylesheet redirect
> MFSA 2008-09 Mishandling of locally-saved plain text files
> MFSA 2008-08 File action dialog tampering
> MFSA 2008-07 Possible information disclosure in BMP decoder
> MFSA 2008-06 Web browsing history and forward navigation stealing
> MFSA 2008-05 Directory traversal via chrome: URI
> MFSA 2008-04 Stored password corruption
> MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
> MFSA 2008-02 Multiple file input focus stealing vulnerabilities
> MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
>
> Fixed in Firefox 2.0.0.11
> Firefox 2.0.0.11 fixed a bug introduced by the 2.0.0.10 update in the
> <canvas> feature that affected some web pages and extensions. There
> were no security-related fixes in this release.
> Fixed in Firefox 2.0.0.10
> MFSA 2007-39 Referer-spoofing via window.location race condition
> MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
> MFSA 2007-37 jar: URI scheme XSS hazard
>
> Fixed in Firefox 2.0.0.9
> Firefox 2.0.0.9 fixed a small number of rendering bugs introduced by
> the 2.0.0.8 release; there were no security fixes.
> Fixed in Firefox 2.0.0.8
> MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
> MFSA 2007-35 XPCNativeWrapper pollution using Script object
> MFSA 2007-34 Possible file stealing through sftp protocol
> MFSA 2007-33 XUL pages can hide the window titlebar
> MFSA 2007-32 File input focus stealing vulnerability
> MFSA 2007-31 Browser digest authentication request splitting
> MFSA 2007-30 onUnload Tailgating
> MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)
>
> Fixed in Firefox 2.0.0.7
> MFSA 2007-28 Code execution via QuickTime Media-link files
>
> Fixed in Firefox 2.0.0.6
> MFSA 2007-27 Unescaped URIs passed to external programs
> MFSA 2007-26 Privilege escalation through chrome-loaded about:blank
> windows
>
> Fixed in Firefox 2.0.0.5
> MFSA 2007-25 XPCNativeWrapper pollution
> MFSA 2007-24 Unauthorized access to wyciwyg:// documents
> MFSA 2007-23 Remote code execution by launching Firefox from Internet
> Explorer
> MFSA 2007-22 File type confusion due to %00 in name
> MFSA 2007-21 Privilege escalation using an event handler attached to
> an element not in the document
> MFSA 2007-20 Frame spoofing while window is loading
> MFSA 2007-19 XSS using addEventListener and setTimeout
> MFSA 2007-18 Crashes with evidence of memory corruption (rv:1.8.1.5)
>
> Fixed in Firefox 2.0.0.4
> MFSA 2007-17 XUL Popup Spoofing
> MFSA 2007-16 XSS using addEventListener
> MFSA 2007-14 Path Abuse in Cookies
> MFSA 2007-13 Persistent Autocomplete Denial of Service
> MFSA 2007-12 Crashes with evidence of memory corruption
> (rv:1.8.0.12/1.8.1.4)
>
> Fixed in Firefox 2.0.0.3
> MFSA 2007-11 FTP PASV port-scanning
>
> Fixed in Firefox 2.0.0.2
> MFSA 2007-09 Privilege escalation by setting img.src to javascript:
> URI
> MFSA 2007-08 onUnload + document.write() memory corruption
> MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain
> checks
> MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer
> overflow
> MFSA 2007-05 XSS and local file access by opening blocked popups
> MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
> MFSA 2007-03 Information disclosure through cache collisions
> MFSA 2007-02 Improvements to help protect against Cross-Site Scripting
> attacks
> MFSA 2007-01 Crashes with evidence of memory corruption
> (rv:1.8.0.10/1.8.1.2)
>
> Fixed in Firefox 2.0.0.1
> MFSA 2006-76 XSS using outer window's Function object
> MFSA 2006-75 RSS Feed-preview referrer leak
> MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
> MFSA 2006-72 XSS by setting img.src to javascript: URI
> MFSA 2006-71 LiveConnect crash finalizing JS objects
> MFSA 2006-70 Privilege escalation using watch point
> MFSA 2006-69 CSS cursor image buffer ...
>
I'm laughing too because I don't think the playing field is level.
The libcdio vulnerabilities listed I know something about. They were
based on someone looking at source code and then looking for known
weaknesses of C, possibly using a tool. Microsoft code is not
generally available for inspection. Therefore I would imagine a higher
proportion of things still exist because the code hasn't been as
easily reviewed using automated security tools.

For example, see http://secunia.com/advisories/28308/ which is marked
"less critical"; for many GNU/Linux and other Unix distributions it's
not relevant because those utilities aren't even distributed.