98 Guy said:

> Care to provide some evidence that there are currently MORE unpatched
> vulnerabilities for 98 vs XP?

That's difficult, because the number of unpatched vulns for XP is somewhat
unknown. Also, whatever comparison you do now, will be changing in the
future. With patches being released for XP and not for 98, the number of
unpatched 98 vulns is certain to increase.

> Only Since July 11. And how many vulnerabilities discovered since
> then are really for IE?

For a significant time before that, Microsoft was not providing patches for
updates they did not consider critical. There was some disagreement about
the non-critical rating Microsoft assigned to a few of the vulnerabilities.

> And are you aware that the 2K versions of the patched files made
> available since July 11 can be used on Win-98?

Is installing those Win2K patches on Win98 easy for home users? I assume
you have to manually extract the files and replace them, assuming they are
not in use by the OS?

> Privilege escalation vulnerabilities exist for NT-based OS's like XP.

True, but Microsoft is and needs to be reducing these privilege escalation
vulnerabilities, not giving in to their inevitability. Resistance to local
privilege escalation attacks is one weakness Microsoft security has in
comparison to Linux, a growing competitor to Windows. With spyware, adware
and other malware increasingly infecting Windows platforms, more and more
users are asking why Windows cannot control what is done by local users.
The ability to open listening TCP/IP ports, send spam email outbound, launch
DoS attacks on other systems, etc. are things non-admins should not be able
to do silently and without native Windows logging.

A significant problem for Microsoft is the time it takes them to code both
patches and new software versions. A significant reason for that problem is
the large number of different combinations of product versions they need to
support. Different browser versions with different language versions on
different OS versions with different service pack versions in different
localized language versions, the number of combinations of patches that
Microsoft has to release is hundreds if not thousands. This is one big
compelling reason why Microsoft is trying to reduce the number of browser
and OS variants out there, such as eliminating Win98, in the name of
security. I do not see them reversing this trend, especially not to create
a Windows98-like niche OS that is only useful for some niche users [e.g.
home users that don't need the security features of XP].

> Many systems are configured (for ease of use) for single-user systems
> to logon as administrator or have admin rights. ACL permissions are
> primarily designed for servers on multi-user networks, not really for
> single-user desktop / home computer use.

Not true. ACLs are most valuable for system configuration management. Many
parents want to control what their children can and cannot do on their
single-user home computers, and this is difficult on 98 due to the lack of
ACLs.

> Many large organizations configure their infrastructure so that no
> personal or organizational files or data exist on local desktop
> machines, and where a correct login name/PW must be used to gain
> access to the network. That strategy can be used all the way down to
> a 2-desktop network.

.... but going back to home users, the most likely consumer of the proposed
new Windows 98 product, those users would most likely be storing files on
the local hard drive, without any native protection against unauthorized
access from others in the house.

> Irrelevant in the context of malware vulnerability. If you have users
> of shared systems that seek out private information or intentionally
> plant malware on their own system, then you have an HR problem.

Well, the assertion was that Win98 was more secure than XP. I see no reason
to evaluate Windows security by ignoring certain common security features,
just because you don't need them yourself. Windows should not be programmed
just for certain users. It needs to be configurable so that it will work
for all users. Malware is only one threat, and saying that one OS is more
resistant to malware is only so useful in evaluating security.

The ability to prevent one user from modifying the files of the OS or of
other users is relevant to malware on multi-user systems. This prevents one
user from infecting anything other than just her own user profile. Log in
as another user, and the infection is not present for that user. It also
prevents malware from reading and modifying OS files and the data files of
other users. It also helps XP to protect the secret encryption keys of each
user, whether the snooper is malware, a remote attacker, or an insider on
the machine.

XP SP2 included a number of security features against malware that depend on
NTFS, such as AES. Win 98 does not have those features.

> A solution that is only viable in institutional/corporate settings and
> not for single-user home use.

Logging in home users as non-administrators is absolutely viable, as Vista
is showing today. Linux and Lindows do it very well, and Walmart sells
Linux computers for home users. It's just that Windows XP and third party
software make this more difficult than it should be.

> Availability of what?
> Of new patches and fixes?
> Maybe we should wait and see what new vulnerabilities come down the
> pipe that are proven to affect 98. Until then, the "not supported"
> argument is a red herring.

No red herring, as you should know, there are already unpatched vulns for
Win98, and the number is going to grow. Unless you think there are zero
more vulns to be found in Win98.

I was meaning to say system availability, meaning that Win98 is not terribly
stable and crashes if it is not rebooted and reinstalled frequently.
Availability is part of the "CIA" security triad, and it's hard to argue
that 98 has better availability and stability than XP. 98 does little to
nothing to ensure system integrity is not compromised, and little to nothing
about confidentiality, so I'm not getting the assertion here that 98 is more
secure than XP.

> Too bad that from its introduction in 2002 until SP2 was belatedly
> released in late 2004 that XP systems were practically guaranteed to
> become infected via direct network exploits and a myriad of other ways
> and that many XP systems in residential settings are never updated or
> patched by their owners.

That was then, this is now. We have XP SP2 now, and both XP and XP SP2 are
steps forward in security.

And all users had to do to be protected from most of those vulnerabilities
was to enable the Windows Firewall, Automatic Updates and some sort of
antivirus... things they should have been doing anyways. Anyways, the
question was, what good resources are there for hardening Windows XP, and
that's part of the answer.

As far as XP SP2 being "belatedly" released, they designed, tested and
released it in only a year, and with only minimal problems being caused by
it. That's amazing and is something to laud and support, not deride.