Sorry, Linux. We know you want to be popular, but cyber-crooks are all about Microsoft for now

Eight out of the ten most exploited vulnerabilities tracked by threat intelligence biz Recorded Future in 2018 targeted Microsoft products – though number two on its list was, surprise surprise, a Flash flaw. The most exploited vuln in the firm's hall of shame was a remote code execution flaw in Windows' VBScript engine that …

  1. Will Godfrey Silver badge
    Unhappy

    Oi! Keep quiet

    We definitely don't want to attract the crims' attention to Linux. Even if you're certain the cage is secure, you don't go poking the lions with sharp sticks.

    1. Mark 85

      Re: Oi! Keep quiet

      That used to be said about Apple's boxen... While not in high numbers of exploits like Windows, they are getting their share of them. So don't be smug as Linux hasn't garnered enough attention yet from the black hats.

      1. bombastic bob Silver badge
        Unhappy

        Re: Oi! Keep quiet

        some Linux flavors are already WAY too permissive with 'sudoers' and one Mac exploit used an Apple API of some sorts that is (in many ways) very similar to a permissive config of sudo...

        keep THAT up and there will be exploits for it

        1. Jamie Jones Silver badge
          Unhappy

          Re: Oi! Keep quiet

          ... and if you google chmod 777 www-data, your heart will sink even further...

          1. Zippy´s Sausage Factory

            Re: Oi! Keep quiet

            You just made me sad. Have an upvote.

            1. Jamie Jones Silver badge
              Happy

              Re: Oi! Keep quiet

              It's what I do best!

      2. Chris Parsons

        Re: Oi! Keep quiet

        Downvoted for 'boxen'.

        1. John G Imrie

          Re: Oi! Keep quiet

          Down voted for down voting boxen.

    2. CrazyOldCatMan Silver badge

      Re: Oi! Keep quiet

      "don't go poking the lions with sharp sticks"

      Albert? Is that you?

      (That monologue contains the immortal line: "Yon lion's etten our Albert, and him in his best suit too!" - RIP Stanley Holloway)

      1. d2

        Re: Oi! Keep quiet

        ahhh, BFTP...

        https://www.youtube.com/watch?v=Putw3by4-e8

        The lion and Albert - Stanley Holloway

        3.15

        hawkmoon03111951

        Famous monologue.

        Sorry about the jump, but that's vinyl for you.

        The missing words are:-

        "a grand little lad was their Albert

        all dressed in his best"

    3. handle handle

      Re: Oi! Keep quiet

      Interesting that you chose the Lion

      https://www.symantec.com/security-center/writeup/2001-032311-2042-99

  2. Anonymous Coward
    Anonymous Coward

    Really?

    Why is VBScript still a thing? Kill it off already.

    If a business has to rely on a "mission critical" VB app, then they can either rewrite it in a real language or pick up a quill and papyrus.

    1. Anonymous Coward
      Anonymous Coward

      Re: Really?

      You would be deeply saddened by the number of businesses that have "mission critical" stuff they don't understand and/or don't have access to the original code or developers to help them. Furthermore, many simply won't spend the money until the fan gets hit (even though everyone reading El Reg saw it coming years ago).

    2. Danny 14

      Re: Really?

      VBScript is still useful for GPOs. PowerShell is OK but has a huge overhead when executing.

    3. bombastic bob Silver badge
      Meh

      Re: Really?

      Bill Gates _LOVES_ BASIC !

      (that's why it was there in the first place. Now, legacy, I'd guess)

    4. thames

      Re: Really?

      VBScript is not the same as VB. The syntax is similar, but the former is a scripting language which can be embedded into other software, or as a shell scripting language via WSH (Windows Scripting Host). Plain VB is an application programming language, with the "classic" version producing "exe" files and using loads of COM and ActiveX objects, and the later versions being another Dot Net language (with the Dot Net version not being backwards compatible with the "classic" versions). VBScript was also used by IIS, so if you have a legacy IIS installation it may be in there somewhere.

      VBScript was used as an extension language in various applications. It may be hard to get rid of simply because some legacy business applications such as accounting systems may make use of it to tailor the application for the customer. It's one of those Microsoft zombie technologies that stagger on devouring victims long after everyone thought they were dead.

      Some Windows propeller head is probably going to nit pick at the details, but that's it in a nutshell.

      I used it for some simple shell scripting years ago. It was absolutely wretched to try to do anything useful with.

      1. Robert Helpmann??
        Unhappy

        Re: Really?

        "The most exploited vuln in the firm's hall of shame was a remote code execution flaw in Windows' VBScript engine that could pwn users who opened a booby-trapped web page with Internet Explorer."

        Q. Who does this?

        A. Enough people to make it worthwhile to exploit, apparently.

      2. Prst. V.Jeltz Silver badge

        Re: Really?

        "VBScript was used as an extension language in various applications."

        Yeah, like all the Office apps. They called it VBA.

        But if you want to really customise Excel for a particular task, I don't know another way of doing it.

        Probably you shouldn't be using Excel for the task in the first place, but if it's a spreadsheety type job ....

    5. bobblestiltskin

      Re: Really?

      Unfortunately I had to use it - more than 20 years ago, and only for a few months.

      It was horrible.

      I still have nightmares about it. What a wile of pank!

    6. Yet Another Anonymous coward Silver badge

      Re: Really?

      >If a business has to rely on a "mission critical" VB app, then they can either rewrite it in a real language

      If only there was some way of protecting a computer program that didn't depend on the language it was written in. Perhaps some sort of system that operated the computer and dealt with things like security and limiting what resources a user and program had access to.

      I think there is a kernel of an idea there....

  3. Anonymous Coward
    Anonymous Coward

    BBC

    If Flash is insecure, why does the BBC now insist I install Flash to get their podcasts or view catch up?

    1. dnicholas

      Re: BBC

      State (Broadcaster) sponsored backdoors, of course

    2. Anonymous Coward
      Anonymous Coward

      Re: BBC

      I think your question answers itself.

      Clue: "BBC".

      1. Alistair
        Windows

        Re: BBC

        @Archtech:

        BBC => Big Bold and Compromised?

    3. N2

      Re: BBC

      What do you expect?

      Wouldn't be at all surprised if they are using flash long after it's retired

    4. Chemist

      Re: BBC

      "If Flash is insecure, why does the BBC now insist I install Flash to get their podcasts or view catch up?"

      They don't - I've not needed it for years.

      Suggest you look at http://www.bbc.co.uk/html5

      The exceptions are :

      "There are some places where the HTML5 player won't work. These include:

      Windows XP

      Internet Explorer on Windows 8.1 or below

      Safari on MacOS El Capitan or older"

      (Some 3rd party content does need flash )

    5. steviebuk Silver badge

      Re: BBC

      Because the BBC are the same people that think I'm going to put legit details for the sign in. And not using Mr Knobber at a post code miles away from where I am. The amount of fake details in their database now. Why'd they bother?

    6. phuzz Silver badge
      Stop

      Re: BBC

      "why does the BBC now insist I install Flash to get their podcasts or view catch up?"

      Dunno mate, you must be special, because they don't ask me. (And I just tested it on two different machines without flash, Windows and Linux).

      What urls are you visiting where you're getting asked to install flash? I'm assuming you're not just making it up of course.

    7. Prst. V.Jeltz Silver badge

      Re: BBC

      "If Flash is insecure, why does the BBC now insist I install Flash to get their podcasts or view catch up?"

      So does the Planet Rock website, and on Linux it takes it several attempts to load correctly.

    8. Anonymous Coward
      Anonymous Coward

      Re: why does the BBC now insist I install Flash

      It doesn't. And the number of commenters on here who are happy to jump on the moaning band wagon without even wondering if your statement is accurate shows how the quality of thinking around here has gone through the floor.

  4. Anonymous Coward
    Anonymous Coward

    I would like to personally thank Redmond for Windows 10

    It is because of Windows 10 and the upcoming EOL for Windows 7 that I finally made the move to Linux.

    1. Anonymous Coward
      Anonymous Coward

      Re: I would like to personally thank Redmond for Windows 10

      And I shall follow you this year.

      I just bought a refurbed HP Elite which happens to have a copy of Windows 10 installed. It has some good aspects, and they say it is more secure so of course that must be true.

      But the good aspects are mostly hidden, and the only new program that I really like is Task Manager.

    2. Anonymous Coward
      Anonymous Coward

      Re: I would like to personally thank Redmond for Windows 10

      Did you really need to cloak?

      Real Penguins scream from the keyboard ...

      1. Anonymous Coward
        Anonymous Coward

        Re: I would like to personally thank Redmond for Windows 10

        He is anon because, in his heart of hearts, he knows it is a rather silly and tedious thing to come on these forums and tell everyone he is now assimilated by the micro-borg, and he feels a bit ashamed of himself.

    3. Anonymous Coward
      Anonymous Coward

      Re: I finally made the move to Linux

      Good plan, replace one bloated overwritten and over-opinionated OS with another one.

      Or buy a Chromebook!!!

  5. Mayday
    Unhappy

    Flash

    Still around.

    Had to do a site induction today for a customer which required viewing an online Flash presentation. As none of my home systems (tablets, PCs, whatever) have Flash installed, and never will, and with project managers, customers and the like jumping up and down about it, I drove to a public place with computers and ran it there.

    Still beats installing and running it at home. I'm sure there's more out there.

  6. Herbert Meyer

    linux users are worthless

    Hacker criminals do not target linux because linux users are broke hipsters with no money to steal. And beardy weirdos who hate capitalism. No profit in it.

    1. Anonymous Coward
      Anonymous Coward

      Re: linux users

      >Hacker criminals do not target linux because

      > linux users are blah-blah blah-blah hip-blah.

      > And beardy blah-blah blah-blah.

      >No profit blah-blah.

      Agree!! ;-)

    2. Anonymous Coward
      Anonymous Coward

      Re: linux users are worthless

      "Hacker criminals do not target linux because linux users are broke hipsters with no money to steal. And beardy weirdos who hate capitalism. No profit in it".

      Yeah, like Jeff Bezos.

      1. Updraft102

        Re: linux users are worthless

        And Gabe Newell of Steam.

    3. Herbert Meyer

      Re: linux users are worthless

      And retired programmers who used to write windows software, and found out what a stinking pesthole the windows API is. Real butchers do not eat sausage. Or dog food.

      1. Geoffrey W

        Re: linux users are worthless

        I do! Eat dog food that is. Or, rather, cat food. It charms my wife no end as I then run after her going "Gizza Kiss! Go on..."

        Nothing to say about your other comments. You'd have to specify Which Windows API for that.

    4. Palpy

      Re: linux users are worthless... and the public-facing servers....

      According to the best stats we have (which are not perfect) Linux powers around 96% of the one million highest-traffic web servers on the planet. If you look at the top 10 million web servers, Linux runs on about 70%.

      Now, about phone and tablet OSes -- Android (a Linux derivative, of course) and iOS split the market. Windows is not significant.

      The point being: Yes, Windows prevails on desktop and laptop machines. On other computers, other operating systems -- mostly Linux or Linux-derived -- dominate.

      And hacker crims don't target these other machines why, exactly?

      Of course they target them. And there can be handsome payoffs for compromising a server. It's not like Linux is magically super-secure. (Though some distros are built to be easily made secure -- Qubes, for instance.)

    5. MMR

      Re: linux users are worthless

      I don't mind being labeled that way for as long as W10 users are used as cannon fodder.

  7. Anonymous Coward
    Anonymous Coward

    Weasel Words

    It's a twisted and / or corrupt mind that conceives the idea of spinning Windows top-of-the-vulnerabilities table into anti Linux propaganda.

    So to whoever dreamt this up: Feck You,

    1. Geoffrey W

      Re: Weasel Words

      Consider it karma for all the commenters who pop up in threads about Windows claiming to have not used Windows since 98, and telling us how happy they are since they switched to Linux last week/month/life-time.

      It's just The Register biting your hand this time. It's only fun when it's someone you don't like getting bit.

  8. BGatez

    Perhaps if MS hadn't done everything in their power to go from a broad, irritating target to one that's actively despised...?

    1. Updraft102

      That's it right there. I didn't move to Linux because I am ideologically opposed to selling software or the concept of profit. I don't care whether it is cool or not, as I am certainly about as far from being cool as one can be, and I certainly didn't like Linux before Linux was cool. I've only been using Linux seriously since the second half of 2015... all the "cool" kids got on board years before I did. I'm an unabashed fan of unfettered capitalism and opponent of all forms of socialism (which open-source development is not).

      So why Linux?

      Simply put, I use Linux because I wish to keep using computers, and computers need operating systems to function. What other choice do I have? Windows is being cancelled*, and MacOS requires buying their overpriced, substandard hardware with their singular vision of what hardware should be... glued-in batteries, riveted-in keyboards that break if exposed to dust, and other such things. They won't sell you parts like Lenovo, Dell, Asus, Acer, etc. will, and they go out of their way to make sure their older kit has to be thrown away rather than repaired.

      Linux (and other similar open source offerings, like BSD) are all that remain. It's either that or abandon the PC platform, and I don't like Google's spying any more than I like Apple's cultism and "you're holding it wrong" attitude regarding their customers. That means mobile devices are out... so you see, Linux is all that remains. Fortunately, it's proven to be quite excellent (even if I am committing the sin of pretending that Linux is one singular OS rather than a kernel. People here know better, so no need to explain the basics here).

      If Windows 10 ever makes it out of its permanent beta state and begins to resemble a commercially acceptable product, I'll re-evaluate, but the trust that was lost by Microsoft's behavior will be very hard to get back. It would take a hell of a turnaround to get me to ever look Microsoft's way again, and the Linux bell is not going to be un-rung. I'm keeping Linux for sure; the only question is whether MS will play a secondary role or none at all. As it stands, it's "none at all."

      * Windows, as it always has been. This doesn't include the abomination known as "Windows 10", which is so bad that it is not a product worthy of serious consideration for any purpose. Thus, "Windows", as I use the term, consists of all Windows versions from the start through Windows 8.1.

  9. Anonymous Coward
    Linux

    How to put a positive spin on Microsoft in-security?

    Sorry, Linux. We know you want to be popular, but cyber-crooks are all about Microsoft for now

    This is the same kind of meme Microsoft have been shoving for decades. Linux doesn't get hacked not because it's secure but because it isn't popular.

    Eight out of the ten most exploited vulnerabilities tracked by threat intelligence biz Recorded Future in 2018 targeted Microsoft products

    What else would a Windows vulnerability target except Windows? And hacks don't target products, they target operating systems.

    Contextualized threat intelligence is a vital component of any truly proactive security strategy.

    How about a ‘computer’ that can't be hacked by opening an email/document?

  10. whitepines
    Linux

    Maybe Windows and Intel are just easier to hack and install APTs on? Heck if the vendors (who are often not known for being all that tech-savvy, ironically) are installing firmware based nasties, maybe those locked, game-console like machines run by users that have tech skillz barely a step up from a teenage gamer make a nice juicy target with lots of ROI for criminal types?

    Sure, Linux users do stupid things too, but they tend to not all do the same stupid thing as their counterparts, making automated probing / hacking more likely to fail. Plus, not limited by hardware and license fees, they might just be more likely to have things like a proper firewall active if there's anything worth stealing on their machines. And if not, then they might be in that camp of using Linux because they have no money -- not bad for users without income to legally get an OS in that case, but no incentive / ROI for hacking that machine either.

    1. Updraft102

      "And if not, then they might be in that camp of using Linux because they have no money -- not bad for users without income to legally get an OS in that case, but no incentive / ROI for hacking that machine either."

      Linux needs hardware to run on, though. What OS does anyone suppose that hardware came with? Unless you built your own PC, which is not really an option with laptops, currently the most popular form of PC, it's gonna be Windows nearly every time. I've got valid Windows 10 licenses for all of my non-obsolete Linux machines, but... no, just no.

      1. whitepines

        "What OS does anyone suppose that hardware came with?"

        Don't assume that:

        a.) The hardware came with a valid license. Changing a motherboard is enough to effectively require a new license, and hardware resold from corporate use would not have a valid license attached.

        b.) Windows 10 Home has the needed features (or doesn't have unwanted features like slurp).

        "I've got valid Windows 10 licenses for all of my non-obsolete Linux machines, but... no, just no."

        Exactly. Windows 10 is cyanide in a jelly baby. If you give all your data to Microsoft anyway just go rent space on their cloud like they want, don't waste your money on Windows locked hardware or software licenses on top of it.

        1. Alistair
          Windows

          "just go rent space on their cloud like they want"

          Windows next iteration will be MS365. Your ipx boot will point at a URI and will require that your hardware be registered with MS, and will only cost you $320/year. MS everything, everywhere. Cloud storage, cloud browser history, cloud based phone book and email contacts list. And of course, a sync client for your phone - with its always-on GPS of course. Oh. Say, what's that noise at my front door?

          1. whitepines
            Black Helicopters

            "Windows next iteration will be MS365. Your ipx boot will point at a URI and will require that your hardware be registered with MS"

            Not too far off, but MS doesn't want to pay for that bandwidth to boot the OS when they can do the same thing with locked bootloaders and local storage. And I imagine the per year is just the base rate, with burst billing at peak times for the actual cloudy bits?

            Best part? All they need to do is flip a switch in the existing Intel/AMD ecosystem to do this....the frogs are almost (but just not quite yet) done boiling...
