Malicious code, not a vulnerability

Malicious code, not a vulnerability

Summary: George Ou explains to me that the security issue associated with the Monad command shell that is part of the Windows Vista rollout for next year is not a vulnerability, but an example of malicious code.These are not remote exploits or buffer overflows.

SHARE:
TOPICS: Tech Industry
7

George Ou explains to me that the security issue associated with the Monad command shell that is part of the Windows Vista rollout for next year is not a vulnerability, but an example of malicious code.

These are not remote exploits or buffer overflows.  These are standard scripting features of the Vista operating system similar to Linux scripting.

If I wrote a cmd script that said something to the effect of:

delete all documents
delete critical program files
delete all registry keys

That is not a vulnerability in the OS, that is a vulnerability in social engineering to be able to get someone to run that script.  Fortunately, Vista will default to non-admin mode which will limit the damage of a script if a user fell in to the trap of running it.  You could do the exact same kind of script in Linux, UNIX, or Mac OS X.  In fact, a proof of concept script is readily available for OS X.  No body reports those as vulnerabilities for Linux or Mac OS X.

This is just like the incorrect reporting of the donut virus which was portrayed as the first virus against the Microsoft .NET framework "vulnerabilities".  Again that was not the correct use of the word "vulnerability".  It was simply written using the .NET language which required the .NET framework runtime engine.  It obviously didn’t go too far because most computers don’t have the runtime installed.

 


 

Topic: Tech Industry

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Guns don't kill people

    People kill people! Does it really matter if people still end up dead?
    Roger Ramjet
    • And your point is?

      How does your "point" prove that Monad is in any way more "vulnerable" than any other scripting language in any other OS? You can re-write this "proof of concept" in any other scripting language on any other OS, so I really fail to see what the big deal is here, other than some desperate grasp at sensationalism.

      This has got to be one of the best examples yet of sloppy "reporting" by ZDNet (and many others), and that from an online services that likes to think of themselves as "technical".

      Anyone that falls for this FUD clearly do not know much about scripting languages, or computers in general. This probably includes most of the Clueless Mac Fanboys. I would think most of the Linux Fanboys would be smart enough to figure out how laughable this whole topic is, but I guess they will keep quiet since hey, it's just MS, so who cares...?
      Qbt
      • Not quite

        "...but I guess they will keep quiet since hey, it's just MS, so who cares...?"

        Check out the talkback over in the main ZDNet article about this story.

        Carl Rapson
        rapson
      • This is a common mistake, but we correct ourselves

        This is a common way of reporting Microsoft problems everywhere. We should note that at least we correct ourselves.
        george_ou
    • Yes it does

      Since guns don't kill people, you must address the reasons behind the killing to stop it. If people determined to kill didn't have guns, they would find other means. The implication you're making is that MS shouldn't make a shell scripting tool such as this available. How would that really stop malware writers?

      It's a matter of accuracy. For example, it's important to distinguish between flaws in an OS kernel and flaws in applications (the pro- vs. anti-MS squabbles frequently bring that point up). This isn't a vulnerability in Windows; it's an example of using shell scripting to execute some malicious code. The exact same thing could be done in Linux or any *nix. And if the Windows user has reduced privileges, no more damage could be done than could be done on a Linux system. The whole problem can be avoided through proper system administration.

      Carl Rapson
      rapson
  • The symptom != the disease

    This is just another example of a larger trend: people blaming their problems on someone (ANYONE) else. No one wants to take responsiblity anymore. If they were duped into downloading and installing malicious software, they cry, "aw, shucks, my Windows is broken!" I wish people would stop believing that anything bad that happens to them is not their fault and take some responsiblity. I'd love to hear, "yep, I shouldn't have double-clicked on that 'nude_pics_of_paris_hilton.pif' file"
    Real World
  • Ou hits the mark again

    George is right again. Another problem media wonks have is that they mistake "flaw" with "vulnerability". Just because a dirtbag breaks into a system doesn't make it a flaw in the software. The flaw is in the criminal. Unless the software was explicitly design for the job of protecting itself from criminals, the problem is a vulnerability, NOT a flaw. The media elevation of the criminal should really be reexamined.
    tshinder@...