The standard Microsoft HTML control: Having the HTML control provide a mechanism to execute code in a document with local user permissions at all is unacceptable. Given that exists, the "security zones" mechanism to control access to it fails "open", not "closed".

Command line program execution: The application being called is responsible for parsing the command line into components. Microsoft themselves have admitted it is impossible for an application to completely sanitize a command line in the general case, even where the command line is specified by an API.
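To make that concrete, here is an added example (my own illustration, not code from the original post or from Microsoft): a reimplementation of the documented C-runtime rules for splitting a command line, a naive whitespace split beside it, and an allowlist check. The point it shows is that quoting only works for the one parser you quoted for; since the called program does its own parsing, the only sound defence when the consumer is unknown is to reject arguments that any parser could read differently, rather than to "sanitize" them. The regex allowlist and `PARSER_DEPENDENT` set are assumptions chosen for the demo.

```python
import re
import subprocess


def parse_windows_args(cmdline: str) -> list[str]:
    """Split an argument string following the documented Microsoft C runtime
    rules: whitespace delimits, double quotes group, backslashes are literal
    unless they immediately precede a double quote.  Reimplemented here for
    illustration; it does not call into Windows."""
    args = []
    i, n = 0, len(cmdline)
    while i < n:
        while i < n and cmdline[i] in " \t":   # skip leading whitespace
            i += 1
        if i >= n:
            break
        buf, in_quotes = [], False
        while i < n:
            c = cmdline[i]
            if c == "\\":
                j = i
                while j < n and cmdline[j] == "\\":
                    j += 1
                count = j - i
                if j < n and cmdline[j] == '"':
                    # 2n backslashes + quote -> n backslashes, quote delimits
                    # 2n+1 backslashes + quote -> n backslashes, literal quote
                    buf.append("\\" * (count // 2))
                    if count % 2:
                        buf.append('"')
                        j += 1
                    i = j
                else:
                    buf.append("\\" * count)   # not before a quote: literal
                    i = j
            elif c == '"':
                in_quotes = not in_quotes
                i += 1
            elif c in " \t" and not in_quotes:
                break
            else:
                buf.append(c)
                i += 1
        args.append("".join(buf))
    return args


def naive_split(cmdline: str) -> list[str]:
    """What an application that just splits on spaces would see."""
    return cmdline.split()


def round_trip(argv: list[str]) -> list[str]:
    """Quote with the stdlib's CRT-style quoting, then re-parse with the CRT
    rules.  This only round-trips because both sides agree on the rules."""
    return parse_windows_args(subprocess.list2cmdline(argv))


# Characters whose meaning depends on which program ends up parsing them
# (the CRT, cmd.exe, or an application with its own parser).  Assumed set.
PARSER_DEPENDENT = set('"\\&|<>^%')
ALLOWED = re.compile(r"[A-Za-z0-9._:/\\-]+")   # assumed allowlist for the demo


def safe_for_unknown_parser(arg: str) -> bool:
    """Allowlist check: accept only arguments no parser can read differently.
    Rejects instead of trying to sanitize."""
    return bool(ALLOWED.fullmatch(arg)) and not (set(arg) & PARSER_DEPENDENT - {"\\"})


if __name__ == "__main__":
    argv = ["copy", "C:\\My Files\\a.txt", 'say "hi"']
    line = subprocess.list2cmdline(argv)
    print(line)
    print("CRT rules :", parse_windows_args(line))
    print("naive     :", naive_split(line))
```

The examples in the test are the ones from Microsoft's own documentation of these rules; the naive split of the same line yields five fragments instead of three, which is exactly the disagreement the post is talking about.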

Native Windows network servers: There is no general mechanism to bind services to specific interfaces, so firewalls, which ought to be a second layer of defense, become the only way to prevent external TCP access to internal services.
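As an added example (mine, not from the original post), here is the check an administrator would run to find out how much that single layer is carrying: parse `netstat -an` style output and list every socket bound to a wildcard address, i.e. reachable on every interface unless a firewall says otherwise. The sample output is constructed for the demo, not captured from a real host.

```python
# Constructed sample in the shape of Windows 'netstat -an' output; not real data.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED
  UDP    0.0.0.0:123            *:*
  UDP    127.0.0.1:1900         *:*
"""

WILDCARDS = {"0.0.0.0", "::"}   # bound to every interface


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port); port None if absent."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Yield (proto, local_host, local_port, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        state = parts[3] if len(parts) > 3 else None   # UDP has no state column
        host, port = split_endpoint(parts[1])
        rows.append((proto, host, port, state))
    return rows


def wildcard_listeners(text):
    """Sockets exposed on all interfaces: listening TCP sockets and any UDP
    socket whose local address is a wildcard."""
    return [
        (proto, host, port)
        for proto, host, port, state in parse_netstat(text)
        if host in WILDCARDS and (proto == "UDP" or state == "LISTENING")
    ]


def exposed_ports(text):
    """Ports that only a firewall stands between the network and the service."""
    return sorted({port for _, _, port in wildcard_listeners(text)})


if __name__ == "__main__":
    for proto, host, port in wildcard_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port} reachable on every interface")
```

On a real machine you would feed the output of `netstat -an` in instead of the sample. On a system where the service itself can be told to listen on loopback or one interface only, each entry in that list is a configuration fix; where it cannot, the firewall rule is the fix, and that is the post's complaint.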

Responses to this? "Three very small issues you nit-pick", and "your precious Linux and/or OSX have many many vulnerabilities, but the userbase is so small on those THAT NOBODY GIVES A DAMN."

Some days I really do despair.

There aren't just security flaws, friends, these are security *swamps*. They're tarpits with no bottom. You literally can't use these systems safely.

The fact is that Windows has a number of components with APIs that are impossible, even in theory, to use securely with untrusted content, and for which no alternative can be expected to be available to a Windows application. This is different from "any operating system can have a buffer overflow".

I've listed a few above and I'm absolutely appalled that people are still making up excuses for fundamental design flaws that should have been fixed a decade ago. And all these flaws are still in Vista, all the same components with the same APIs... and putting your easily exploited browser inside a leaky sandbox to "mitigate" the damage is like depending on the rhythm method to guard against AIDS. Not only is it unreliable, but if someone can compromise IE through the HTML control they don't *need* to get out of it to steal your credit card numbers and bank account passwords from a form sniffer.

Security is like sex, once you're penetrated you're ****ed.

As for the popularity argument... even in markets where Microsoft is in a minority they have still carried an inordinate percentage of the exploits. It's not because Windows is "popular", it's because Windows security is "badly designed".

* Security zones should be labelled "insecurity zones".
* No other OS *requires* a firewall simply to shut off access to essential internal services from the internet. NONE.
* Having to use the equivalent of 'system' to run applications from a browser? You gotta be kidding.

And that's just the high profile ones, the ones that have been exploited routinely. And what happens when someone finds a vulnerability? They blame the victim, arguing "yahoo instant messenger" should have "sanitized" third party HTML before passing it to the HTML control (for one recent example). Sanitized? Sanitizing a document you're passing to a Turing-complete interpreter is equivalent to solving the halting problem. No, you idiots, they couldn't have "sanitized" it... Microsoft should have provided an API for calling the HTML control that didn't require "sanitization". No other bleeding HTML display engine out there defaults to granting documents full local user rights unless it guesses they're not in the "trusted zone".

A security mechanism MUST 'fail closed'. Not 'half open' (like Vista's reduced permissions scheme) or 'full open' (like security zones).
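An added example of that principle (my own toy, not the original post's code and not how any real browser implements zones): a URL-to-zone classifier written both ways. The zone names, the `TRUSTED_HOSTS` allowlist and the privilege table are assumptions for the demo. The only difference between the two versions is what happens when the input cannot be classified, and that difference is the whole point.

```python
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"intranet.example"}   # assumed allowlist for the demo
LEAST = "restricted"
PRIVILEGE = {                          # assumed rights per zone, least to most
    "restricted": "render only",
    "internet": "render, scripts sandboxed",
    "trusted": "render, scripts sandboxed, cookies",
    "local": "run code as the user",   # the right the post objects to handing out
}


def classify(url):
    """Map a URL to a zone.  Raises ValueError on anything it cannot place,
    so the caller has to decide what an unclassifiable document gets."""
    parts = urlsplit(url)              # raises ValueError on malformed input
    if parts.scheme == "file":
        return "local"
    if parts.scheme not in ("http", "https"):
        raise ValueError("unknown scheme")
    if parts.hostname in TRUSTED_HOSTS:
        return "trusted"
    if parts.hostname:
        return "internet"
    raise ValueError("no host")


def zone_fail_open(url):
    """Fails open: a document the classifier cannot place gets the most rights."""
    try:
        return classify(url)
    except ValueError:
        return "local"


def zone_fail_closed(url):
    """Fails closed: a document the classifier cannot place gets the fewest rights."""
    try:
        return classify(url)
    except ValueError:
        return LEAST


def rights(zone):
    """Privilege lookup that also fails closed on an unknown zone name."""
    return PRIVILEGE.get(zone, PRIVILEGE[LEAST])


if __name__ == "__main__":
    for url in ("https://intranet.example/doc", "ftp://host/doc", "http://[::1", ""):
        print(f"{url!r:32} open={zone_fail_open(url):10} closed={zone_fail_closed(url)}")
```

`http://[::1` is a URL the standard parser refuses outright; a classifier that treats "I could not parse this" as "must be fine" hands the attacker the zone with the most rights. The fail-closed version makes the same mistake cost nothing.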

I despair, really I do. What the HELL are people learning in college these days?

Lynx-enhanced by <peter at> (Peter da Silva)