echo: nthelp
to: Geo.
from: Jeff Shultz
date: 2004-03-03 07:06:20
subject: Re: https://rhn.redhat.com/errata/RHSA-2004-051.html

On Tue, 02 Mar 2004 20:48:23 -0500, Geo. wrote:

> "Adam Flinton" wrote in message
> news:109399.6238cd{at}harborwebs.com...
>
>> The problem I have is that "Windows" is a marketing name applied to
>> everything from Windows 1.0 through to WinXP & Win2KS3. It's simply not a
>> single OS but a whole raft of em from a DOS Shell to NT to WinCE. It's like
>> saying that because IBM supports Linux hence they could market
>> AIX,OS400,OS390 & PCDOS as "linux". Linux is an operating system where
>> Windows is a malleable marketing term.
>
> Directory services is part of W2Kserver and not part of W2Kpro, both
> versions of W2K are simply different distributions of the exact same
> kernel. Only the server distribution would be exploitable by a DS exploit.
>
> Is it a windows exploit or not?
>

So the hole only exists if DS is installed? It's a DS exploit.

>> i.e. in the case of MS it's all "Windows" (for marketing terms). However
>> if there is a hole that affects all reasonably modern versions (i.e.
>> those still likely to be in use) then it's a Windows hole. If it affects
>> all the NT versions then it's a Windows NT hole. If it only affects XP
>> then it's an XP hole.
>
> So you seem to be saying a DS exploit would be a W2Kserver and 2003server
> exploit but not a "windows" exploit. Go tell them that on /.
>

Be my guest. 

>> Take your example & see it from another direction. If it only affects
>> Win2KS & I have XP then I could argue that since I am running Windows & I
>> don't have that vuln then there is no "windows" vuln coz I have "Windows"
>> & yet I don't have a vuln.
>
> Yes you could argue that, likewise if you and I are running RH with
> different kernel versions and there is an exploit that affects your
> version but not mine then I could claim it's not a RH exploit. I'd be
> wrong but I see the logic you are trying to use.

It would be a Kernel hole then.

>
>> Do I need to patch my Windows system if I'm running XP & it's a DS vuln?
>
> Nope, you don't have to patch an IIS exploit if you aren't running IIS
> either, and if you don't have SQLserver you don't have to patch that, and
> if you don't have DCOM you don't have to patch that, and if you don't have
> IE (it was optional on NT4) you don't have to patch that, and if you don't
> have OE or NetBIOS or NTFS then you don't have to patch any of those
> either. SO I GUESS THERE ARE VIRTUALLY NO WINDOWS EXPLOITS with the
> possible exception of RPCSS...

> That's the logic you are using with this "just linux" line of reasoning.
> That's why I think it's silly to even try to define "OS", it's much more
> relevant to discuss product flaws as flaws in anything that's contained in
> the product. That means if we are talking RH exploits that includes
> exploits for everything in the RH package be it a word processor or a tcp
> stack, if it's part of "RH the product" then it counts.

Except somewhere there should be a dividing line between an application
(GAIM) and something integrated into the Operating System (IE) when
defining what an exploit is called.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
