echo: osdebate
to: Geo.
from: Mike N.
date: 2007-01-12 22:44:24
subject: Re: Peachtree & Quickbooks block Linux server use

From: Mike N. 

On Fri, 12 Jan 2007 19:30:34 -0500, "Geo."  wrote:

>>   Not bigger - it's more like Win32 code is the juicy fruit on the low
>> hanging branches.  .NET exploits are the scrawny twigs on the top of the
>> tree.   There may be a few escalation of privilege exploits in there that
>> may become more popular as Vista, but nothing compared to the holes still
>> residing in Office apps file formats, and Adobe Hackrobat.
>
>I thought PHP was the low hanging fruit? 
>
>Microsoft .NET Framework Request Filtering Bypass Vulnerability
>2006-10-30
>http://www.securityfocus.com/bid/20753

  Web server only.   No complete remote takeover from this alone.

>Microsoft ASP.NET AutoPostBack Variable Cross-Site Scripting Vulnerability
>2006-10-13
>http://www.securityfocus.com/bid/20337

   Browser - client vulnerability only

>Microsoft ASP.NET Application Folder Information Disclosure Vulnerability
>2006-07-13
>http://www.securityfocus.com/bid/18920

   Web server only.    No complete remote takeover from this alone.

>Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability
>2005-08-17
>http://www.securityfocus.com/bid/14594

   I wouldn't classify this as a .NET vulnerability - why is IE5
vulnerable to this one?  I don't think it ever used the .NET library.

>Microsoft ASP.NET URI Canonicalization Unauthorized Web Access Vulnerability
>2004-10-06
>http://www.securityfocus.com/bid/11342

  Web server only.  No complete remote takeover from this alone.

>Ok that doesn't look excessive until you consider that you didn't need the
>framework at all prior to that.. It's just more crap to patch.

  Only one bad client one (you can count 14594).  Not too bad compared to
a whole boatload of PHP ones.  Sure it's more crap to patch.  The size
of the OS is increasing steadily - Vista will have even more that
potentially needs to be patched.

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
