Vista functionality still wins over security
Windows Vista security ‘rendered useless’ by researchers
The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.
(Emphasis added)
Jeff Jones, the guy who does the Client OS Vulnerability Scorecard that always shows Vista as the most secure client OS, says he’s having lots of fun at Black Hat. Must be in the bar.
Finally, proof of what we knew all along… 
IE has always been a weak point of any Windows operating system. Saphari, on the Mac, is even worse. I think the major problem with Windows, however, is both its architecture and philosophy. XP and Vista computers are setup with a “Default User” with Administrative privileges. Most new users blissfully rename the “Default User”, and retain this account for themselves. No hassle installing new software, no need to worry about file permissions… In short, Windows is aimed at the newbie computer user who could care less about the operating system’s file and program management details. All that matters to them is the software that they run on Windows, and Microsoft for years was happy to oblige by exerting all their efforts into providing extra software. It was an easy, fool-proof way to rake in the dollars twice over. This approach had one unforeseen the flaw however: the Windows architecture is no longer sustainable in today’s world, where users browse the web and download and install software at will. Microsoft doesn’t want to realize that Windows needs a complete remake; instead MS choose to add a host of warning dialogs and prompts for the system administrative tasks, thus leaving it up to the clueless users to bypass the the complicated dialogs and accept the responsibility of incurring virusses. The result - Vista!
Alexander Sotirov has responded in various places to the press coverage of his paper, e.g. Alarmed about Vista security? Black Hat researcher Alexander Sotirov speaks out. His comments are worth reading to understand the significance of what they found. What I took away is that a lot of the new memory protections in Vista could be hacked and that the benefits of Vista, in terms of improved security, maybe weren’t that great over XP. As greatly improved security seemed to be one of the main selling points for Vista, one has to wonder, yet again, why bother?
Alexander Sotirov has responded in various places to the press coverage of his paper, e.g. Alarmed about Vista security? Black Hat researcher Alexander Sotirov speaks out. His comments are worth reading to understand the significance of what they found. What I took away is that a lot of the new memory protections in Vista could be hacked and that the benefits of Vista, in terms of improved security, maybe weren’t that great over XP. As greatly improved security seemed to be one of the main selling points for Vista, one has to wonder, yet again, why bother?
Researching before commenting goes a long way:
Mozilla Firefox 2.x Secunia:
Affected By 26 Secunia advisories
Mozilla Firefox 3.x Secunia:
Affected By 3 Secunia advisories
Safari 2.x:
Affected By 7 Secunia advisories
Safari 3.x:
Affected By 5 Secunia advisories
–
From a historical perspective, Firefox has been leaking ‘quite a lot more’ than Safari. 3.x has been out for a year now compared to the 2 months that Firefox 3 has been out.
Not that it’s related to this discussion at all - just wanted to point out that claiming “it’s a leaking ship” is a bit exaggerating.
You have to put the Secunia reports into perspective. For one thing, if Mozilla developers/users find a leak in Firefox, they report it to the community. Neither Microsoft or Apple have it in their interests to do so, hence it does not get reported by Secunia. That doesn’t mean the bug doesn’t exist, however, or that a hacker will find the vulnerability. Also, since Firefox is open-source, bugs are much quicker to be found and acted upon.
Finally, Secunia doesn’t “rate” the bugs. Some of the hacks made upon Saphari in the past few years have been ridiculous. For example, it was discovered that downloading a zip file with a 126-character filename would trigger a memory leak. Firefox has never experienced such a crazily simple, yet potentially lethal, bug. IE is another matter altogether, as it doesn’t suffer directly so much from bugs, but rather from its security standpoint with ActiveX. Microsoft prefers to sacrifice security to make the end-user experience easier. How much easier in the long run, however? I personally don’t find reinstalling my operating twice a year to be an enjoyable task…
I think you’re seeing things that aren’t there - whilst indeed Apple and Microsoft fix issues “in-house”, they are listed in the releases - Apple lists their non-public fixes in their security bulletins.
And how does this differ from any other program? Seriously, at least try to come up with convincing arguments.
Actually they do - they have multiple security levels regarding the ‘Critical’ level of the issue such as Extreme, High, Moderate, Less and Not.
Let’s compare Firefox 2.x security issues in a bar graph:
http://secunia.com/graph/?type=cri&period=all&prod=12434
Then let’s look at Safari 2.x one:
http://secunia.com/graph/?type=cri&period=all&prod=5289
Oh my, it looks as if… almost HALF of the Firefox issues have been “High” rated with “21%” of them giving completely unmitigated access to your system whilst only “9%” for Safari…
Nice try - there have been several cases of Firefox exploits via GIF and SVG - for example.
If you intend to promote open source and the benefits of ‘free’ software, you should come up with FACTS - not smoke and mirrors.
Claiming that software such as Firefox is “without issues” and is somehow magically “secure” are extremely dangerous and non-beneficial to the movement in general. It will backfire on you at some point.
Facts. Remember that.
I’m not going to join the browser debate but a couple of notes: