[nfbcs] Windows vs linux security
John G Heim
jheim at math.wisc.edu
Tue Nov 18 16:15:45 UTC 2014
Today Microsoft is releasing a patch for a bug that allows escalation
of privileges in all supported versions of Windows.
See https://technet.microsoft.com/en-us/library/security/ms14-nov.aspx
Why doesn't this exploit have a name? Why isn't the whole world going
crazy like they did with the heartbleed bug? The fact that the bug is in
all versions of Windows implies that it's been out there for a long
time. We don't know what the bug is, who found it, or how many systems
have already been compromised. If you google for news about this bug,
you won't find anything. But you will find plenty of stories about
similar exploits from the past.
Why does every linux exploit seem like the end of the world while
Windows exploits get nothing but yawns? Microsoft does a better job of
controlling the announcements. You are not going to get Microsoft to
speculate on how much damage could be done in the worst case scenario
the way people do with the linux exploits. Microsoft has control over
how the problem is perceived and they have every reason to downplay it.
Microsoft has control over the message because nobody except the bad
guys can look at the code and figure out how to take advantage of it. If
you come out and say, "Oh, I see how you can take advantage of this
bug," Microsoft is going to say, "Wait a minute. How did you get our
code?" But believe me, it's out there. As a provision of selling Windows
in China, Microsoft had to turn the Windows source code over to the
Chinese government.
See
http://www.informationweek.com/software/operating-systems/china-gets-a-peek-at-microsoft-source-code/d/d-id/1089702?
According to a security expert at a conference I went to last summer,
this is how the Windows source code got out. The bad guys got it by
hacking into systems in China. In fact, China itself used the code to
devise attacks.
See
http://www.businessinsider.com/wikileaks-china--microsoft-source-hack-google-2010-12
So now the bad guys have the Windows source code but the good guys
don't. It's a false perception caused by hype that leads people to
believe that Windows is more secure than linux.