Posted on 01/10/2004 12:20:46 PM PST by Bush2000
Flaws raise red flag on Linux security
But many users remain confident about the security of the open-source environment
Story by Jaikumar Vijayan
JANUARY 09, 2004 (COMPUTERWORLD) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.
Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems (see story). The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.
The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.
The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server that was being used to download copies of Gentoo's Linux source code by users.
The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.
"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."
Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.
"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.
"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.
Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.
"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."
You can disable use of IE to browse the Web, but the bug-ridden components are still there in use by other applications.
We had it lots on Windows servers too.
I'd better tell Best Buy and Circuit City to get rid of all those copies.
The installer is able to create a lower-privilege account at any time.
For average user desktop systems, the installer usually won't run at a lower level account because they don't provide enough privileges, that is if that user even knows other types of privilege groups exist.
they know from experience that having a user run as a lower-privileged user will result in a greater number of support calls when the user tries to install ProductA, discovers that ProductA won't install, and calls Dell/etc asking why they can't install ProductA.
Yet on a Mac, users get it out of the box with an administrator account that can do almost everything any user could want to do, and without support calls. But yet they still don't have root access, which is equivalent to the Windows administrator level. Windows privileges are poorly designed.
Linux is the province of geeks only. Practically no desktop users are using it.
I wouldn't give my mom a Linux box either. But Mac is brain-dead easy to use for anyone, and it has the same privilege system and shares a lot of the components found in Linux. What about that? Would you say a Windows system out of the box is more secure than a Mac system? Why?
In a large diverse organization with multiple management angles and funding channels spread about a continent, it's hard to know exactly what everyone is running. We found them by scanning.
BTW, my comment about accidental IIS installation was mainly for desktops.
But better compilers will catch possible buffer overflow situations. Everyone's right, in a sense. That's why Microsoft not only reprogrammed much of RPC for XP SP2, but also used a better compiler.
My XP machine is running IIS, although it and the related services are stopped because I don't need IIS except for when I'm doing Web development on that machine.
I think I have told you before that on an OSX platform one does not have to have the equivalent of Windows Administrator access to install aftermarket software. Windows Administrator access does not equal OSX Administrator level.
This is so funny, Bushie. You seemed not to understand us when we were pointing out an even greater improbable chain of events when you were crowing about a "security issue" in Mac OSX!
Just how many pieces of "malicious software" are there for Windows? How many spyware programs invade Windows computers and run without their owners' permissions? Hilarious!
Gee... just the other day you were howling about a single OEM configured default setting on OSX that, in your opinion, was a "Critical" security issue, that might, after an extremely improbable chain of events, allow a local area user access to root level... and that, according to you, was a heinous flaw in the OS!
Suddenly SEVERAL flaws in WINDOWS are not "an operating system design flaw!"
You, Sir, are again hoist on your own petard!