Re: Is a Windows 98se computer more, or less, of a security threat with IE 5.5 (unused) & Firefox, or with IE 6.0 & latest updates (unused) & Firefox?



Here's an initial response - from Chris Quirke

<quote>

Small networks are the only kind I do :-)

: Is a Windows 98se computer more, or less, of a security threat
: with IE 5.5 with all critical updates (unused) & Firefox browser,
: or with IE 6.0 & latest updates (unused) & Firefox?

Security may be better served by an NT-based OS, but for safety
from drive-by attacks (especially clickless attacks) it's a closer
call, IMO leaning towards Win9x.

: We use FireFox for our browser, but we do use Outlook
: Express for e-mail, which I know is part of the IE package.

: The way I'm thinking is that IE 6 is more of a target, and we're not
: really using it anyhow. Keeping Windows secure is still an issue.

I'd want to be on IE 6 SP1, even in spite of this bug...

http://cquirke.mvps.org/bexp1.htm

...rather than IE 5.xx as I think a lot of defects in 6 will be in 5.xx too.
Anything older than patched IE 5.01 SP1 or patched IE 5.5 SP1 is
lethal, due to this bug...

http://cquirke.mvps.org/9x/mimehole.htm

Plus, if you're using OE, you have all the IE HTML rendering bugs
in full (d)effect, as the same engine renders Outlook and OE HTML
"message text". That opens you up to clickless attack.

My strategy with Win9x would be:
- do NOT bind File and Print Sharing to any sort of TCP/IP at all
- do not full-share C:\ or any part of the startup axis
- use patchable edge-facing apps that run on Win9x; Firefox, Eudora
- patch IE as far as you can
- consider adding a firewall, even if it's an old-version one

Win9x has yet to be subject to clickless pure network worm attacks.
If you don't use a bad HTML renderer, don't click email attackments
that lack convincing, *personal* message text, and stay off dodgy
sites, you could last as many months unattacked as the original
unpatched XP would last in minutes or hours.

IOW, if you set either XP or Win9x up badly and use them badly,
you're fairly sure of atrocious mileage either way. If you weren't able
to patch pre-SP2 XP, then you'd prolly be safer with Win9x.

: The disadvantages of us upgrading all of the computers to IE 6 are:

: #1 Constant monthly updates Microsoft requires us to install, whereas
: with IE 5.5 updates on generally every several months.

If you cannot patch, then XP can suddenly become deadly, thanks to
all the network surfaces it exposes *plus* the intense focus on exploiting
these. Make no mistake, there will be exploitable surfaces within IE 5.5
(even as patches stop altogether) but they are less likely to be attacked
unless an attack crafted for IE 6 also "fits the gap" (quite likely).

But the main thing is, Win9x exposes far fewer network surfaces, and
what pure network surfaces there are, will be such different code that
attacks crafted for XP are unlikely to succeed.

: One would think that if there were a serious problem, they'd address it.

No. Once an OS is "not supported", it's not even tested by the vendor...
all those "affects the following OSs" lists don't magically start at the
lowest supported versions because earlier versions were bulletproof,
but because no-one cares whether they are vulnerable or not.

: ...after July Win98 might be unsafe finally and we may finally
: decide to replace all the older pcs. But we'll see. We'd rather
: replace them as needed by software requirements.

I don't think Win9x will be much more unsafe as far as exploitability
goes, because by now, you'd expect most weaknesses to have been
found. It's not only MS that "no longer supports" Win9x; once the
pool of users shrinks to the world's poorest on-line users, the interest
of malware writers tends to dry up as well.

What is more likely to obsolete Win9x systems are things like...
- can't get small enough HDs and old enough RAM to fix old PCs
- can't easily use USB sticks, card readers, cameras, etc.
- can't get printers, scanners etc. that come with drivers
- patchable edge-facing apps (e.g. Acrobat Reader, Firefox) won't run
- can't find updated av or firewall that will run on Win9x anymore
- some LoB app you need won't run on Win9x

: #2 Microsoft has a history of releasing Windows updates that seem to
: have a lack of testing, and very often installing the updates when
: first released actually causes many problems for many users. At least
: with IE 5.5, updates are less frequent.

You have to ask why updates were less frequent with IE 5.xx than now,
and the reason is because there was less diligence "out there" directed
to finding and exploiting some of the really obscure stuff that's patched
now. There may have been fewer defects, but the ones that were there
were often horrendous design failures that were mass-exploited even at
a time when malware writers weren't geared to exploiting code defects.

So for example, an IE 5.00-era defect would be "by design, the HTML
renderer is too clueless to sanity-check MIME type against file type",
or "by duhfault, Outlook and OE auto-run scripts within unsolicited
'message text' as if they were in a web page you chose to visit", or
"even though we now default the email apps to Restricted Zone, by
duhfault this zone runs 'safe' ActiveX, scripting and Java without any
warning or prompt". Whereas today's defects tend to be fairly deep
within the minutiae of parameter parsers or graphic element processing.

Unfortunately, although today's typical code defects are harder to find
and require coding skill to exploit, the search is on to find them and
the skills to exploit them are quickly applied; exploit code is soon
available in source code form, making it easy to drop into production
multi-function bots that can apply them to stealing money just as fast.

: #3 Machines running IE 6 often run slower on our older computers, but
: since using FireFox maybe this is no longer a problem. Some users
: have complained about IE 6 or Outlook 6 running slower than what they
: had previously (IE 5.5). Most of these computers are Celeron 600mhz,
: 128 megs of ram. We have about 30 of them.

A fresh install of IE 6 over IE 5.00 will run slower at first, until Win98+
figures out which new code to locate at the front of the volume and a
defrag puts that awareness into effect. After that there may still be a
slowdown factor due to bloat. Firefox is trimmer, but even that will be
slower than (say) IE 3.0x on a really old 16M-32M RAM PC. The
Windows Explorer bug is *far* worse than the "normal" slowness!

: We now also have about 8 or 9 Windows XP Pro machines, and
: they come with IE 6 and I'm certainly not about to downgrade IE 5.5
: as IE 6 is standard for XP.

I like IE 6 because you can kill off BHOs in IE (Tools, Advanced...)
and for me, that alone is enough reason to prefer it over any IE 5.xx

: A better investment would be to wait until Vista is out and at least
: we'd know yet another major upgrade isn't just around the corner

<cough>

You can rely on Vista to respond definitively to today's issues that
plague XP (or at least many of them), but it's also going to be dripping
with brand new version 1.00 features that will bring new risks. Even
old features rendered in brand new code may have that effect.

What will be crucial is whether Vista:
- provides effective user control so stuff can be ripped out or disabled
- is designed to render inevitable defects manageable
- has better post-infection maintainability than XP

I can't go into details as yet, but there may be better news than
expected on the last issue in particular.

<NDA> MS WinPE 2.0 availability on all MS Vista CDs </NDA>

: When most of the machines are finally XP or Vista, at least then
: I'll have the option of using WSUS which might speed up the
: process a bit, but some administrators are telling me they prefer
: manual updates anyhow.

We're being forced into "trusted computing" for exactly the wrong
reason; because code is so untrustworthy that there are too many
defects and patches for users (even geeks) to individually track and
manage. Increasingly, "allow no unlogged changes to the code"
gives way to "let the system swallow and apply whatever patches
the vendor releases, as soon as these are available".

At first I thought this could be an artificial situation allowing vendors
to manipulate users into a tighter dependency, but I don't see much
better mileage in other vendors of widely-used edge-facing code. As
Windows patch delivery becomes more prompt and effective, attention
turns to attacking 3rd-party edges that are nearly as ubiquitous, e.g.
Acrobat Reader, Firefox, Winamp, WinZip, MacOS, various *NIX.

If Windows has (say) 5 defects a month and Xxxx has (say) 2 defects
a month, you'd still have regular exploitability with Xxxx, and then it's:
- how big is Xxxx's market share, to attract malware attention?
- how promptly, effectively and securely can Xxxx be patched?

One key to this inevitable code defect problem is being able to narrow
exposure (e.g. through STRICT file type discipline) and bulkhead off
any subsystem, as any subsystem can go rotten.

<NDA>

Consider the testing and deployment of these types of code...
- RTM; long testing, known initial installation state
- patches; response to crisis, retro-fit to divergent states
- av sigs; very fast dev cycle, huge surface area, sys privs

This is one reason I don't want to see a pervasive MS resident
anti-malware signature-based scanner out there.

</NDA>

> I'm aware IE SP1 is listed as a critical update, but choose not to
> install it as IE 6 is probably more of a target. We use the latest
> version of FireFox as the primary web browser.

Using patchable FireFox rather than unpatched IE makes sense
on Win9x, until such time that FireFox won't run on your Win9x.
FireFox is a smaller download, which is a mercy for modem users,
so even if you have to install a new version every time, it's still small,
plus (unlike IE) you can amputate it.

OTOH, even if you "don't use" IE and OE, they are welded into the
OS and the OS will use them in various contexts. For example, an
.EML file will "open" with OE using IE's HTML renderer, no matter
what other email app is set as default, facilitating attachment attack.

>>>>>IE is very much part & parcel of Windows: Without IE6 SP1
>>>>>installed, Windows is /not/ as secure as it could be, no matter
>>>>>what browser you use; therefore your machine is in fact "more
>>>>>of a target."

I'd agree with that, up to a point. The main win with Win9x is none
of that Lovesan, Sasser etc. "global in 20 minutes" clickless attack.

...so far.

There's a case to be made for IE 3.00 with pre-HTM email app :-)
I use that solution a lot, with 486DXn and early Pentium Win95 PCs.

</quote>
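
The reply above describes a renderer that never sanity-checks the declared MIME type against the actual file type, and recommends strict file type discipline. The following mail-side audit performs that check; it is an added example, not part of the original post, and the extension list, the passive-type list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Media types a mail client may render inline (assumed list for this sketch).
PASSIVE_MAJOR_TYPES = {"audio", "image", "video", "text"}
# Extensions Windows runs rather than renders (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".hta"}


def audit_message(raw: bytes) -> list:
    """Return (filename, declared_type, reason) for every part whose declared
    passive MIME type disagrees with its file name or its leading bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        if declared.split("/")[0] not in PASSIVE_MAJOR_TYPES:
            continue  # only parts that claim to be harmless media are audited
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        body = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTS:
            findings.append((name, declared, "executable extension"))
        elif body[:2] == b"MZ":  # DOS/PE header behind a media label
            findings.append((name, declared, "PE/DOS header in payload"))
    return findings


def build_sample() -> bytes:
    """Constructed message: one honest GIF and two mislabelled parts."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("hello")
    m.add_attachment(b"GIF89a\x01\x00", maintype="image", subtype="gif",
                     filename="pic.gif")
    m.add_attachment(b"MZ\x90\x00", maintype="audio", subtype="x-wav",
                     filename="song.exe")
    m.add_attachment(b"MZ\x90\x00", maintype="image", subtype="jpeg",
                     filename="photo.jpg")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in audit_message(build_sample()):
        print(finding)
```

A gateway or mailbox scanner would quarantine the flagged parts rather than print them; the same comparison applies to a saved .EML file read from disk.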
