On Tue, Jan 11, 2005 at 10:03:30PM +0100, devis wrote:
> It is proven matter that spywares do exploit IE holes (Iframes bugs,
> Active X etc etc). Do your work on a few and you will see.

Perhaps some do, but generally speaking this is unnecessary for spyware to exist, as I said before; spyware exists regardless of such vulnerabilities.

> Besides, you
> missed the point entirely: if a user, just by clicking, can install
> spyware on his machine, then the OS / browser is to blame, not the
> actual (bad) code (exploiting it) floating around websites.

A user can install spyware with one click for the same reason he can install a *good* application with one click. Having the user run every day with install privileges is relatively irrelevant; if he owns the machine, he will have the ability to install things. Being prompted for an admin password (as in the case of OSX) hardly prevents a stupid user from installing crap.

> Once again, you are missing the point completely, if M$ didn't 'slack
> code' their OS, spyware would :
> 1) not install

How do you intend to make spyware not install while still allowing the user to install other things?

> 2) therefore not exist in the form, numbers and variety we know them

See above.

> I'll give you a clue:
> try to get a 'tool bar' or some 'other added bonus' automagically on
> bsd/unix/linux/solaris using any browser, on any site, clicking randomly.

I cannot do so from "clicking randomly," but I quite easily can simply from clicking "OK" to the download prompt. Firefox installs plugins and toolbars just as easily as IE does.

> As you said,
> 'It's very, very difficult to prevent people from voluntarily installing
> spyware on their own systems.' yes indeed, because MS made it that the
> average joe is an admin therefore has supreme powers out of the box.

So we don't give the *owner* admin privileges? Mac does this, as does Linux. I don't know of a single OS where the machine's owner does not, by default, have admin access.

> Usability costs security. Always has, always will.

Of course. But the ability to execute code is pretty much non-negotiable. I will never buy a general purpose PC on which I cannot run programs of my choosing. And if MS sold one as such, you would be here complaining about that instead.

The point is, spyware does not require OS vulnerabilities to be spyware, and it likely, for a long time to come, never will. I never argued that Windows is the most secure OS, however, only that spyware does not imply bugs. And that point should, by now, be crystal clear.

--
Dan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
