Bugs and little bugs [Linux vs Windows]

_Super_Ellite_Bug_

Bugs and little bugs [Linux vs Windows], 26.02.2005 at 15:36
Microsoft Windows Server 2003 Enterprise Edition
Currently, 5 out of 44 Secunia advisories, is marked as "Unpatched" in the Secunia database.
http://secunia.com/product/1174/


RedHat Enterprise Linux AS 3
Currently, 0 out of 139 Secunia advisories, is marked as "Unpatched" in the Secunia database.
http://secunia.com/product/2534/

SUSE Linux Enterprise Server 9
Currently, 0 out of 26 Secunia advisories, is marked as "Unpatched" in the Secunia database.
http://secunia.com/product/4118/

Slackware Linux 10.0
Currently, 0 out of 4 Secunia advisories, is marked as "Unpatched" in the Secunia database.
http://secunia.com/product/4368/

Trustix Linux 2.2
Currently, 0 out of 1 Secunia advisories, is marked as "Unpatched" in the Secunia database.
http://secunia.com/product/4641/
ISO/IEC JTC1/SC22/WG14-ISO/IEC 9899:1999
 
degojs

Re: Bugs and little bugs [Linux vs Windows], 26.02.2005 at 18:42
There's all sorts of stuff there..

E.g.

http://secunia.com/multiple_browsers_idn_spoofing_test/


Whoa, IE isn't on the list:

View the Secunia advisory regarding your browser:
- [SA14209] VeriSign i-Nav Plug-In
- [SA14166] OmniWeb
- [SA14154] Opera
- [SA14163] Mozilla / Firefox / Camino
- [SA14162] Konqueror
- [SA14165] Netscape
- [SA14164] Safari

I just checked: Maxthon doesn't react, while Firefox nicely "swallows" the test page.



Commercial-Free !!!
 
dr ZiDoo

Re: Bugs and little bugs [Linux vs Windows], 26.02.2005 at 18:52
@degojs, you're a bit off-topic, eh? :)

Those are nice statistics, but:

1. Redhat 139! That's a lot compared to MS's 44.
2. These MS problems aren't particularly critical anyway

In any case, I run Slack :) it has only 4.
there is no spoon....
 
Slobodan Milivojevic

Re: Bugs and little bugs [Linux vs Windows], 26.02.2005 at 19:03
As for Firefox and the other browsers, well, I'm not saying they don't have a single bug, but IE has more, and how do I know that this particular test wasn't made precisely to vindicate IE???
What is this for, and on top of that it doesn't even work?!?!?!?!
www.oneit.rs :: www.koktelbar.rs ::
www.fissoft.net

Fiber on steroids:
http://www.speedtest.net/my-result/3821970146
 
Palma (Srđan Stević)

Re: Bugs and little bugs [Linux vs Windows], 26.02.2005 at 19:19
How do you know it has more?
This time next year we will be millionaires
- Dell Boy -
 
Slobodan Milivojevic

Re: Bugs and little bugs [Linux vs Windows], 26.02.2005 at 20:33
Well, at least more of them are actively being used, and I also have the impression that, say, the Firefox team fixes bugs much faster than M$ does in IE.
 
degojs

Re: Bugs and little bugs [Linux vs Windows], 26.02.2005 at 21:26
Well, Slobodan, then maybe the other data is rigged too? As far as I recall, I read about the same bug somewhere else the other day --- everyone else has it except IE.

Besides, as far as the speed of fixing bugs goes --- MS has to test its patches much more than the others do - because of compatibility. Here, for example, is what they say about Firefox 1.0.1:

Quote:
Despite the security makeover, Hoffman conceded that two other known vulnerabilities remain unpatched because of compatibility testing issues. These include a cross-domain cookie-injection flaw and a Java Plug-in tab spoofing weakness.


So, the moment compatibility becomes important, bug fixing proceeds a bit more cautiously -- with more testing. And if Firefox manages to get into companies in a somewhat larger %, only then will we see how it goes.



@Zidoo:
it is off-topic, I agree; it's just that while I was looking at these links I looked at this one too, since it's on the same site, and it seems to me that it also falls, to some extent, under security-related flaws.
 
axez

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 00:19
Quote:
Palma: How do you know it has more?


http://www.guninski.com/browsers.html
 
_Super_Ellite_Bug_

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 00:51
I'll be off-topic, in the spirit of the discussion:
Results 1 - 20 of about 10,900 for "stop using internet explorer"
http://www.google.com/search?n...et+explorer%22&btnG=Search

Currently, 20 out of 79 Secunia advisories, is marked as "Unpatched" in the Secunia database.
http://secunia.com/product/11/


IE is still an unsurpassed scandal of a piece of software.
 
_Super_Ellite_Bug_

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 01:15
Here is what MS has prepared for the period ahead of us:
http://www.microsoft.com/billgates/speeches/2005/02-15RSA05.asp

Quote:
Now, in terms of delivering on more secure systems, I think there are three general things that we do. The first is advancing the technology. We spend over US$6 billion a year on research and development. I'd say that over a third of that is directly security-focused, and the other two-thirds all tie in and relate to that security work, all the new code being reviewed and going through the threat model, a pretty dramatic thing there. So, big advances on the technology front, and I'll spend most of my time talking about the milestones there and the road ahead there.



 
degojs

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 05:26
Quote:
IE is still an unsurpassed scandal of a piece of software.


Unless we exclude Linux, which, for about ten years now, is finally going to sweep away Windows this year :)

That much FUD, year after year, not even MS manages that.

 
VRider (Marković Damir)

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 16:43
By the way, Slack already exists in version 10.1, RHAS in version 4, and that is the latest Win2k3, isn't it?
JaFreelancer.com
 
_Super_Ellite_Bug_

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 18:13
ok, let's move on
we'll use the [search.us-cert.gov] database of Cyber Security Alerts & Vulnerability Notes

["Microsoft" in the title] = [ 441 hits ]
http://search.us-cert.gov/quer...et=iso-8859-1&ql=a&qt=
-------------------------------------------------------------------------------
["Red Hat"] = [ 190 hits ]
http://search.us-cert.gov/quer...et=iso-8859-1&ql=a&qt=
-------------------------------------------------------------------------------
["Suse"] = [ 159 hits ]
http://search.us-cert.gov/quer...et=iso-8859-1&ql=a&qt=
-------------------------------------------------------------------------------
["Trustix"] = [ 58 hits ]
http://search.us-cert.gov/quer...et=iso-8859-1&ql=a&qt=
-------------------------------------------------------------------------------
["Slackware"] = [ 46 hits ]
http://search.us-cert.gov/quer...et=iso-8859-1&ql=a&qt=
-------------------------------------------------------------------------------
["Linux"] = [ 238 hits ]
http://search.us-cert.gov/quer...et=iso-8859-1&ql=a&qt=

Bill Gates:
Quote:
Now, in terms of delivering on more secure systems, I think there are three general things that we do. The first is advancing the technology. We spend over US$6 billion a year on research and development. I'd say that over a third of that is directly security-focused, and the other two-thirds all tie in and relate to that security work, all the new code being reviewed and going through the threat model, a pretty dramatic thing there. So, big advances on the technology front, and I'll spend most of my time talking about the milestones there and the road ahead there.
...hehe, I remember the story about 2k3...

==============================================================
Vulnerability Notes search at www.kb.cert.org
What interests us are the "severity points" (the metric column)
All values above 40 are considered serious:

[Microsoft]
http://www.kb.cert.org/vuls/by...searchview&query=microsoft
250 hits, of which 39 have a value above 40:

94.5 VU#254236 9/10/2003 Microsoft Windows RPCSS Service contains heap overflow in DCOM request filename handling
94.5 VU#483492 9/10/2003 Microsoft Windows RPCSS Service contains heap overflow in DCOM activation routines
79.31 VU#789543 5/14/2001 IIS decodes filenames superfluously after applying security checks
78.75 VU#568148 7/16/2003 Microsoft Windows RPC vulnerable to buffer overflow
78.0 VU#117394 3/17/2003 Buffer Overflow in Core Microsoft Windows DLL
76.5 VU#323070 11/25/2003 Outlook Express MHTML protocol handler does not properly validate location of alternate data
69.3 VU#952336 6/18/2001 Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer used when encoding double-byte characters
64.8 VU#713878 6/3/2004 Microsoft Internet Explorer does not properly validate source of redirected frame
63.78 VU#842160 11/2/2004 Microsoft Internet Explorer vulnerable to buffer overflow via FRAME and IFRAME elements
61.96 VU#972415 12/21/2004 Microsoft Windows HTML Help ActiveX control does not adequately validate window source
60.75 VU#980499 3/29/2001 Certain MIME types can cause Internet Explorer to execute arbitrary code when rendering HTML
56.7 VU#865940 8/20/2003 Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element
56.1 VU#266926 2/15/2004 Microsoft Internet Explorer contains an integer overflow in the processing of bitmap files
56.04 VU#652452 9/10/2003 Microsoft Internet Explorer does not adequately validate javascript: protocol URL
55.28 VU#820427 2/8/2005 Microsoft Hyperlink Object Library buffer overflow
54.0 VU#516648 5/1/2001 Microsoft Windows 2000/Internet Information Server (IIS) 5.0 Internet Printing Protocol (IPP) ISAPI contains buffer overflow (MS01-023)
52.58 VU#542081 11/20/2002 Microsoft Windows Data Access Components contains heap overflow in Data Stubs when parsing a malformed HTTP request
52.31 VU#279156 11/11/2003 Microsoft FrontPage Server Extensions contains buffer overflow in remote debugging functionality
51.84 VU#251788 5/8/2003 Microsoft Internet Explorer does not safely handle multiple file download requests
51.63 VU#951555 12/20/2001 Microsoft Windows Universal Plug and Play (UPNP) vulnerable to buffer overflow via malformed advertisement packets
51.3 VU#454091 4/10/2002 Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields
50.62 VU#575892 10/15/2003 Buffer overflow in Microsoft Messenger Service
50.62 VU#713779 5/9/2002 Microsoft MSN Messenger Chat Control contains a buffer overflow in "ResDLL" parameter
50.62 VU#443699 12/13/2001 Microsoft Internet Explorer Does Not Respect Content-Disposition and Content-Type MIME Headers
48.55 VU#255924 4/13/2004 Microsoft Windows ASN.1 library contains a memory management vulnerability
46.57 VU#228028 7/13/2004 Microsoft Windows Task Scheduler Buffer Overflow
45.56 VU#567620 11/11/2003 Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message
45.24 VU#274496 10/12/2004 Microsoft Excel parameter validation error
45.18 VU#627275 3/12/2002 Microsoft SQL Server contains buffer overflow vulnerabilities in multiple extended stored procedures
45.1 VU#771604 9/10/2003 Microsoft Internet Explorer does not properly validate URL sources
44.75 VU#625856 12/23/2004 Microsoft Windows LoadImage API vulnerable to integer overflow
43.69 VU#547820 10/10/2003 Microsoft Windows DCOM/RPC vulnerability
43.28 VU#399260 7/24/2002 Microsoft SQL Server 2000 contains heap buffer overflow in SQL Server Resolution Service
43.28 VU#484891 7/24/2002 Microsoft SQL Server 2000 contains stack buffer overflow in SQL Server Resolution Service
42.09 VU#326412 9/10/2003 Microsoft Internet Explorer execCommand method does not properly validate URL source
41.76 VU#610986 1/22/2003 Microsoft Locator service contains buffer overflow
41.0 VU#784102 11/25/2003 Microsoft Internet Explorer does not properly validate source of URL stored in Travel Log
40.16 VU#586540 4/13/2004 Microsoft Private Communication Technology (PCT) fails to properly validate message inputs
40.07 VU#422156 10/15/2003 Microsoft Exchange Server fails to properly handle specially crafted SMTP extended verb requests

[Red Hat]
http://www.kb.cert.org/vuls/bymetric?searchview&query=redhat
55 hits, of which 3 have a value above 40:
108.16 VU#16532 11/10/1999 BIND T_NXT record processing may cause buffer overflow
87.72 VU#29823 6/23/2000 Format string input validation error in wu-ftpd site_exec() function
48.19 VU#382365 9/25/2000 LPRng can pass user-supplied input as a format string parameter to syslog() calls


 
axez

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 19:57
Wow...:)
 
degojs

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 23:26
Just a reminder: Mandrake Linux 10, 6 MONTHS after release - about 600 MB of security-only patches were available.



Go on, tell me stories.


[This message was edited by degojs on 28.02.2005 at 00:36 GMT+1]
 
degojs

Re: Bugs and little bugs [Linux vs Windows], 27.02.2005 at 23:28
Quote:
By the way, Slack already exists in version 10.1, RHAS in version 4, and that is the latest Win2k3, isn't it?


Well yes, with you people it's not patches, but new versions every 6 months. That's supposedly an advantage... hehehe

Besides, you'd better not mention Slack - one man gets sick, and everything grinds to a halt.. It's like Tito and the former Yugoslavia..
 
_Super_Ellite_Bug_

Re: Bugs and little bugs [Linux vs Windows], 28.02.2005 at 00:30
Quote:
degojs: Just a reminder: Mandrake Linux 10, 6 MONTHS after release - about 600 MB of security-only patches were available.
Go on, tell me stories.

Mandrake 10.1 came out at that time. That is part of the update to it.
That figure of 600 MB only shows that the user in question doesn't use that Mandrake; it just serves him as "decoration". Why did he wait 6 months to update?
If he were a serious user he would probably be on the Mandrake mailing list and, with the regular notifications, would also update regularly... this way....not serious
I mean, one could also have gone from 9.0 to 10.1 and had 800 MB... :O)

Of course, he would have transferred 600 MB in updates anyway, and that isn't such a big figure when Mandrake comes with over "1000" different pieces of 3rd party open source software.
The user in question obviously piled on anything and everything.....(for when he needs it) :O)))
Those are patches/updates for ALL installed packages; many of them aren't a vital part of the OS, many of them the user will never even use, and for a large number of them the severity is below 40.... but fine, let's count,

What is the case with Windows service packs???

Although, honestly, I don't know how Mandrake stood with its update service in those days; that roughly coincides with the time of its bankruptcy/financial difficulties... :o)
 
degojs

Re: Bugs and little bugs [Linux vs Windows], 28.02.2005 at 01:38
And then, shortly after 10.1, we have 10.2.

Quote:
February, 23rd 2005 - Mandrakelinux 10.2 Beta 3 is available


Just don't tell me that on Windows things are worse with SPs.


Quote:
Those are patches/updates for ALL installed packages


That is what Mandrake itself installed by default. I chose the "Workstation" configuration from the list, I think. So what would it have been like if I had also put on servers such as Apache? :)

Quote:
and that isn't such a big figure when Mandrake comes with over "1000" different pieces of 3rd party open source software.


That's presumably exactly why it offers that option to choose one of the offered configurations (Workstation, Server, blah blah).

On that list of yours above there are also SQL Server and some other programs that are not part of Windows, so that's that. Even that "Microsoft" list above is small compared to Ljinux.


The funniest thing is that it also offers some "Game-station" configuration, if I remember correctly :)) That's a gem like no other :)



[This message was edited by degojs on 28.02.2005 at 03:18 GMT+1]
 
degojs

Re: Bugs and little bugs [Linux vs Windows], 28.02.2005 at 01:49
Wait, let me see what coLinux/Debian will say..

Quote:
Need to get 178MB of archives.


Hahaha, come on, who are you telling fairy tales to.. it hasn't even been 2-3 weeks since I did a dist-upgrade :)))

What is this, a service pack every month? If only it were even that long..
 
_Super_Ellite_Bug_

Re: Bugs and little bugs [Linux vs Windows], 28.02.2005 at 03:24
...yes, the "workstation" option can be "rich"... :o))

Quote:
On that list of yours above there are also SQL Server and some other programs that are not part of Windows, so that's that. Even that "Microsoft" list above is small compared to Ljinux.


One of the lists shows "severity" values above 40; remove the programs that are not part of Windows and an impressive figure still remains...

We can also disregard the vulns. concerning DoS for both Windows and Linux. There are other ways to carry out a DoS too...

As for the severity for Red Hat/Linux, many users, for example, don't use BIND at all but an alternative, a matter of choice, so such users were not exposed.

Users who use MS SQL Server currently don't really have such an alternative. They can only choose the version of Windows to which the above-mentioned severity can apply.

Quote:

Need to get 178MB of archives.
Hahaha, come on, who are you telling fairy tales to.. it hasn't even been 2-3 weeks since I did a dist-upgrade :)))

What is this, a service pack every month? If only it were even that long..

Security upgrade? Critical? Or improved versions?

OK, that's how the open source community works.... "always upgrade" ;o))
.. and that's how it has survived...
 