Excerpt from:
Inside Firefox – The Inside Track on Firefox Development
Every few months a new worm makes the rounds, Sobig, Sober (the 77KB worm which ultimately destroyed my email account) and others. These worms usually travel using Microsoft Outlook as the hook onto people’s systems. Creating an email with an attachment that appears innocuous and beckons the user to open it but which is really a malicious piece of executable code, these emails scan address books and propagate rapidly. Sophisticated worms like Sober even contain their own SMTP engine.
People get infected with these worms because a) they do not understand internet security (probably an impossible problem to solve) and b) their email client software makes it too easy to execute such attachments.
chrysalis says
“I’ve set up a new personal email address, and as soon as I can figure out how, I will make it so that it cannot receive email from Microsoft Outlook users. Why? Because Microsoft Outlook and Outlook Express are the unsung security hole in most people’s systems.”
Yeah, this guy can bite me. I am not going to defend Microsoft’s continual failure to fix security issues, but boycotting mail from the most popular e-mail clients on the net is cutting off your nose to spite your face. It may well be an act of protest, but it isn’t one I am particularly impressed with.
I’m Joe Average user. My e-mail client is Outlook 2003. It is scanned not just by my personal anti-virus software with worm scanning, but it is sent somewhere else and scanned at another location provided as a free service through my ISP. Foolproof I’m sure it isn’t…but these are reasonable and honorable precautions.
Recently there have been viruses for Linux and security issues for Mozilla/Firefox. I’m curious about if every hacker on the net set their sights on screwing over either of these…whether their security would stand up to the scrutiny.
jbala says
…mail client stuff…
Wow… what crawled up your *** and died? ;-) I had no idea that your feelings on the matter had become so polarized. It’s clear the guy is a bit perturbed because someone using Outlook sent him a copy of SoBig and it eventually destroyed his entire mailbox; we’d all be more than a little upset about that.
Emotional entwinings aside, have you tried Mozilla Thunderbird since 1.0 was released (not so long ago)? Or are there features unique to Outlook that you enjoy? Not that I’m trying to convince you to muck with your email again — I know what a perturbing history you’ve had yourself with mailboxes — but it doesn’t hurt to take a look at new stuff now and then. Granted, Outlook 2K3 is much better than previous versions. It bugs me just because the database format is non-portable and eventually gets altered to the point where if you don’t commit to being “locked in” to Outlook forever the files eventually will be unreadable. I know it’s prehistoric, but there’s something to be said for plain ol’ ASCII text flat files. In a corporate environment with terabytes of email a database format makes sense; not for home users, though.
“Recently there have been viruses for Linux and security issues for Mozilla/Firefox. I’m curious about if every hacker on the net set their sights on screwing over either of these…whether their security would stand up to the scrutiny.”
There’s definitely a reason Microsoft products are targeted: they’re easy to find, and they’re always wholly insecure out of the box and tend to stay that way. The average time-to-infection for a Windows box on the Internet is down to something like 12 minutes. Some Linux distributions are pretty bad too but they all give enough time to download patches to close the holes. Then again, anyone not behind a firewall, not running on the same Windows machine, of some kind doesn’t deserve any sympathy but then these are the very people propagating virii at nausea-inducing rates. People like you, chrys, are the exception to the rule, but the exceptions are only a few percent of the total — not something to discourage by any means but also far from adequate.
As for the Mozilla/Linux stuff, there’s also one other significant difference between them and Windows: the vast majority of Windows users run the box as a user with administrator privileges — this is Microsoft’s fault entirely and is really the biggest possible security hole one could imagine on that OS — but the alternative “restricted” account is basically unusable and this is reflective of the fact that the entire operating system was not designed to be secure. At least on the Linux/Unix boxes, potential damage is limited to the user’s home directory, and this is the advantage of having evolved from systems designed to be multi-user and secure. If a Windows user were to install Linux, the only exposure to the root account they’d have, by default, would be setting the password during the installation process; every distribution I’ve ever used forces a non-root user to be set up at the same time and, typically, that’s what gets used — if you log in to XWindows as root there’s lots of bright red stuff and dialog boxes warning you not to do that. If Windows had a usable alternative non-administrator-privileged account, and complained when one with those privileges was used, maybe we could make a dent in the virii propagation… at least until the bad guys figure out a way around that; $deity knows there are plenty of ways now.
Of course there’d be more break-ins and virii in the wild if any other OS had a larger market share; that’s just natural. But let’s not forget that Linux in particular is not a trivial presence on the Internet; it runs millions of web servers (check out Netcraft for statistics) so there’s not really any shortage of target machines exposed to the Internet.
Windows is the target of choice first because it’s easy, second because there’s more of it on desktops than anything else (for now).