yikes!

Yikes! - Apparently Windows XP has a security hole in UPnP that lets hackers get control of a machine. Add this to the IE6 security hole that was recently patched, and you have a very serious situation. These aren’t trivial bugs. A talented hacker could build a worm atop these two vectors that would make Code Red seem tiny and insignificant. And if people thought it was difficult to get IIS users to patch their machines, how about IE users? Although I am sure certain people will happily claim this to be evidence of something wrong with Windows and IE, the problem is really much bigger. Problems like this get discovered periodically in all software, and the monoculture aficionados would merely increase the amount of investment that a malicious organization would have to put in to wreak havoc. For a well-funded malice, the cost difference between a worm that targets one platform vs. a worm that targets five is trivial — certainly puny compared to the potential payoff in damage. The answer has to be in creating a sort of “immune system” for the body electronic. Does this mean shipping all versions of Windows with mandatory Windows Update? Unfortunately, I still don’t see either patch on the Windows Update site, so that plan isn’t too practical at the moment.

Another one I found interesting: CCBill admits that a hacker infected a bunch of their customers (1,200 sites that accept credit cards) with eggdrop. They say that they didn’t bother to contact the FBI because “it’s not that big of an issue.” The article goes on to paint the compromised systems as being capable only of participating in distributed denial of service attacks. That is, sadly, dead wrong. There are 1,200 of those things that could be loaded with any software an attacker wishes, not just DDoS. What if the hacker installs code that exploits the IE hole mentioned above, and therefore infects the machines of any users who browse the sites accepting payments? It is “that big of an issue”.

Now Microsoft is reportedly suing “Lindows” for infringing on the trademark “Windows”. Interesting that John Dvorak was commenting on the name earlier. And technically, it is kind of misleading to call Lindows a “New Operating System”. Isn’t Linux just a knockoff of Minix, which is another flavor of Unix that’s been around for 30 years? Putting a Windows emulator on Unix is not a new concept, and even the WINE/Linux combination is pretty common. But I guess that doesn’t sound as good as a shiny new OS that talks like a superset of Windows and Linux. And who would want to keep up with all of the Microsoft security patches *and* the Linux security patches?