on 5/7/02 2:28 PM, noog@libero.it purportedly said:

> MYTH: Windows NT users cannot defend from e-mail borne malware, because
> unlike in Unix all files in Windows NT are executable, and the only
> protection against this is antivirus software (read on Usenet)
>
> FACT: all files, in Windows NT, are merely executable *by default*. In fact
> not only execution of files can be restricted on a per-file basis, but it
> can be restricted more efficiently than on Unix, and using only features of
> the operating system

Granted, there is quite a bit of anti-Microsoft FUD, however much of it is deserved. However, the biggest threat is from 95/98/ME machines, which have a far larger installed base than NT/2K/XP. Use these machines to attack IIS or MSSQL, and you get into an NT machine anyway.

> Instead of boring you with a lesson on Windows NT security, with the risk
> of ranting all the time against Unix, I'll get straight to the point:
> there's almost NOTHING that Windows NT cannot do, in terms of access
> control. I'll demonstrate this with two examples: system-wide temporary
> directory, and secure attachments directory

I will have to take your word for what NT can do, but I think you are missing key points.

One, what requires 8+ steps and 5+ dialog boxes in NT can be accomplished in Unix by one step using a single command. Given that it may have to be done on 100+ systems in a business, it makes sense that it doesn't tend to be done.

Two, having an execute-restricted directory is irrelevant in Unix since no files are set with executable permissions by default. How can NT be more efficient when you have to take this step that isn't even necessary in Unix? Granted, someone could simply set execute permissions on a file and run it. But then, someone could move the executable out of the protected directory on NT and execute it.

However, on Unix, a directory could be set such that files executed within it run with nobody permissions, and thus can't cause any damage (except to world-writable directories/files, which exclude the system and user configuration files). This can be further mitigated by having a more restricted umask, such that it practically can't damage anything at all. Thus there is little reason to move the file outside of a protected space, and still be relatively safe.

And what Unix also doesn't have are macro viruses, which can infect you by simply opening a non-executable file (e.g. a Word document). I also doubt the steps you outline here would protect against the XML and media player vulnerabilities. Doesn't matter what the OS can do when the apps can avoid its security measures.

Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"
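The umask point made in the reply, as an added example that is not part of the thread: a file saved into an attachments directory under a restrictive umask is created without any execute bit, and a small audit function shows how an administrator would detect (and strip) execute bits that later appear there. The directory path and file name are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Demonstrates that, under a restrictive
# umask, nothing written into an attachments directory is created executable,
# and provides an audit/cleanup check a defender can run over such a directory.

# Scratch attachments directory (constructed placeholder path).
ATTACH_DIR="${TMPDIR:-/tmp}/attachments.$$"
mkdir -p "$ATTACH_DIR"
trap 'rm -rf "$ATTACH_DIR"' EXIT

# umask 077: new files are created 600, new directories 700.
# The umask removes bits; it never grants an execute bit to a saved file.
umask 077

# Simulate a mail client saving an attachment: the bytes of a shell script
# arrive as plain data, so the file has no execute bit and cannot be run
# simply by invoking it.
printf '#!/bin/sh\necho "attachment ran"\n' > "$ATTACH_DIR/invoice.sh"

# count_exec_files DIR -> prints the number of regular files under DIR
# that carry an execute bit for user, group or other (POSIX find syntax).
count_exec_files() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
        | wc -l | tr -d ' '
}

# strip_exec_bits DIR -> removes every execute bit from regular files under DIR,
# restoring the "data only" state an attachments directory should have.
strip_exec_bits() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
        -exec chmod a-x {} +
}

echo "executable files right after saving: $(count_exec_files "$ATTACH_DIR")"
```

Running the script prints 0, since the saved attachment never received an execute bit; the audit function is what you would schedule to catch a file that was later chmod'ed by hand.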