Free Republic

Flaws raise red flag on Linux security
ComputerWorld | JANUARY 09, 2004 | Jaikumar Vijayan

Posted on 01/10/2004 12:20:46 PM PST by Bush2000

To: Bush2000
If the flaw is a buffer overflow, then that is most likely a compiler issue, and will affect any software, even windows.
101 posted on 01/11/2004 7:37:07 PM PST by ElectricRook
[ Post Reply | Private Reply | To 8 | View Replies]

To: Bluntpoint
This is coming at you out of a Lindows 4.5 box on a home network of 4 Lindows 4.0 or 4.5 boxes, on a Netmax server. All plug n'play, easy setup, clean install. We are Windoze free with Open Office.
102 posted on 01/11/2004 7:41:00 PM PST by mo
[ Post Reply | Private Reply | To 48 | View Replies]

To: antiRepublicrat
We didn't really have that problem with the Sun, HP/UX and Linux systems.

Because nobody runs Sun, HP/UX, and Linux boxes as desktops. If you run them in any other role other than a server, people will start having similar issues.
103 posted on 01/11/2004 8:22:23 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 94 | View Replies]

To: antiRepublicrat
This is an overly extreme solution too often suggested by Linux zealots.

You don't have to look too hard to see the folks who recommend this kind of nonsense almost constantly.

But in this case only a partial move away from Microsoft is necessary -- dump both and use Mozilla. Wait, you can't dump IE, oops. But you can cut your exposure a bit by at least not using it.

You can certainly disable IE with the "Set Access and Defaults" tool.
104 posted on 01/11/2004 8:23:59 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 99 | View Replies]

To: ElectricRook
If the flaw is a buffer overflow, then that is most likely a compiler issue, and will affect any software, even windows.

No. Buffer overflows are generally overt programmer errors, where somebody has allocated a stack buffer which is insufficient to accommodate a sequence of data.
105 posted on 01/11/2004 8:26:09 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 101 | View Replies]

To: Bush2000
You can certainly disable IE with the "Set Access and Defaults" tool

You can disable use of IE to browse the Web, but the bug-ridden components are still there in use by other applications.

106 posted on 01/11/2004 8:53:22 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 104 | View Replies]

To: Bush2000
Because nobody runs Sun, HP/UX, and Linux boxes as desktops. If you run them in any other role other than a server, people will start having similar issues

We had it lots on Windows servers too.

107 posted on 01/11/2004 8:57:45 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 103 | View Replies]

To: Bush2000
Practically nobody buys Windows retail and installs it themselves.

I'd better tell Best Buy and Circuit City to get rid of all those copies.

The installer is able to create a lower-privilege account at any time.

For average user desktop systems, the installer usually won't run at a lower level account because they don't provide enough privileges, that is if that user even knows other types of privilege groups exist.

they know from experience that having a user run as a lower-privileged user will result in a greater number of support calls when the user tries to install ProductA, discovers that ProductA won't install, and calls Dell/etc asking why they can't install ProductA.

Yet on a Mac, users get it out of the box with an administrator account that can do almost everything any user could want to do, and without support calls. But yet they still don't have root access which is equivalent to the Windows administrator level. Windows privileges are poorly designed.

Linux is the province of geeks only. Practically no desktop users are using it.

I wouldn't give my mom a Linux box either. But Mac is brain-dead easy to use for anyone, and it has the same privilege system and shares a lot of the components found in Linux. What about that? Would you say a Windows system out of the box is more secure than a Mac system? Why?

108 posted on 01/11/2004 9:13:26 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 92 | View Replies]

To: Bush2000
I'm not surprised you don't know what's running on your servers.

In a large diverse organization with multiple management angles and funding channels spread about a continent, it's hard to know exactly what everyone is running. We found them by scanning.

BTW, my comment about accidental IIS installation was mainly for desktops.

109 posted on 01/11/2004 9:16:18 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 93 | View Replies]

To: Bush2000
Buffer overflows are generally overt programmer errors, where somebody has allocated a stack buffer which is insufficient to accommodate a sequence of data.

But better compilers will catch possible buffer overflow situations. Everyone's right, in a sense. That's why Microsoft not only reprogrammed much of RPC for XP SP2, but also used a better compiler.

110 posted on 01/11/2004 9:19:27 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 105 | View Replies]
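
Added example, not part of any post in this thread: posts 105 and 110 turn on whether a stack buffer overflow is a missing length check in the source or something a compiler can catch. The C sketch below models a stack frame as a constructed byte array (buffer, then a guard value, then a saved return address) and contrasts an unchecked copy, the guard ("canary") test a compiler can insert, and a bounds-checked copy. The layout, constants and function names are assumptions made for the illustration.

```c
/* Added illustration, not code from the thread. The "frame" is a constructed
   byte array standing in for a stack frame, so every write stays in bounds. */
#include <stdint.h>
#include <string.h>

#define BUF_LEN    16                  /* the fixed-size "stack buffer" */
#define CANARY_OFF BUF_LEN             /* guard value placed after it */
#define RET_OFF    (CANARY_OFF + 8)    /* saved return address slot */
#define FRAME_LEN  (RET_OFF + 8)

static const uint64_t CANARY = 0x00c0ffee0a0dff00ULL;  /* constructed value */
static const uint64_t RET    = 0x0000000000401000ULL;  /* constructed value */

static void frame_init(unsigned char *f) {
    memset(f, 0, FRAME_LEN);
    memcpy(f + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(f + RET_OFF, &RET, sizeof RET);
}

/* The programmer error: the copy trusts the caller's length. (Clamped to the
   model frame only so the demonstration itself stays well defined.) */
static void copy_unchecked(unsigned char *f, const void *src, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f, src, n);
}

/* The source-level fix: refuse input that does not fit the buffer. */
static int copy_checked(unsigned char *f, const void *src, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(f, src, n);
    return 0;
}

/* What a compiler-inserted canary test does when the function returns. */
static int canary_intact(const unsigned char *f) {
    return memcmp(f + CANARY_OFF, &CANARY, sizeof CANARY) == 0;
}
static int ret_intact(const unsigned char *f) {
    return memcmp(f + RET_OFF, &RET, sizeof RET) == 0;
}

/* Runs one copy and reports: bit 0 = canary intact, bit 1 = return intact. */
int run_case(int checked, size_t n) {
    unsigned char frame[FRAME_LEN], input[FRAME_LEN];
    memset(input, 'A', sizeof input);
    frame_init(frame);
    if (checked) (void)copy_checked(frame, input, n);
    else copy_unchecked(frame, input, n);
    return canary_intact(frame) | (ret_intact(frame) << 1);
}
```

In this model a write cannot reach the saved return address without first changing the guard value, so the canary test detects the overflow after it has happened, while the length check in copy_checked stops it from happening at all.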

To: Bush2000
IIS ain't turned on by default -- and it's used by servers (not desktops)

My XP machine is running IIS, although it and the related services are stopped because I don't need IIS except for when I'm doing Web development on that machine.

111 posted on 01/11/2004 9:31:42 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 85 | View Replies]

To: Bush2000
The Shatter class of attacks are inherent Windows architecture problems. Have you heard of them? Very interesting stuff, from an IT security perspective.
112 posted on 01/11/2004 9:37:14 PM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)
[ Post Reply | Private Reply | To 23 | View Replies]

To: antiRepublicrat
You can disable use of IE to browse the Web, but the bug-ridden components are still there in use by other applications.

The IE attack is not really a threat because it is predicated on a user/app browsing to a malicious web page. Since the likelihood of that possibility occurring approaches zero, no threat. Nice try, though.
113 posted on 01/11/2004 10:41:39 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 106 | View Replies]

To: antiRepublicrat
I'd better tell Best Buy and Circuit City to get rid of all those copies.

Yeah, and they're just flying off the shelves like hotcakes, right? /SARCASM

Not! Are you seriously denying that the vast majority of people get Windows preinstalled with their machines (and thus don't pay retail or install the software themselves) -- or do you not understand the term "practically nobody buys Windows retail and installs it themselves"?

For average user desktop systems, the installer usually won't run at a lower level account because they don't provide enough privileges, that is if that user even knows other types of privilege groups exist.

That poor choice has nothing to do with the design of Windows.

Yet on a Mac, users get it out of the box with an administrator account that can do almost everything any user could want to do, and without support calls.

Yeah, yeah, yeah. As I pointed out in previous posts, it's an OEM choice. Apple produces OSX. It is the OEM. Consequently, I'm not surprised that Apple preconfigures its machines with appropriate accounts. But blaming Microsoft for Dell or Gateway's failure is just BS -- and you know it.

I wouldn't give my mom a Linux box either. But Mac is brain-dead easy to use for anyone, and it has the same privilege system and shares a lot of the components found in Linux. What about that? Would you say a Windows system out of the box is more secure than a Mac system? Why?

Whether something is more secure "out of the box" is a worthless consideration -- because, to be useful for the average user, the machine needs to be configured. For Apple, "out of the box" means Apple has preconfigured the machine to its specifications and delivered it to the user. For Dell or Gateway, "out of the box" means Microsoft gave them the OEM discs, Dell or Gateway preconfigured it (inadequately, as I've said before), and then delivered it to the user. Thus, out of the box is only useful if you accept the proposition that the OEM adequately configures the OS.
114 posted on 01/11/2004 10:54:00 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 108 | View Replies]

To: Bush2000
. . . would result if users were running at lower privilege levels and couldn't install aftermarket software.

I think I have told you before that on an OSX platform one does not have to have the equivalent of Windows Administrator access to install aftermarket software. Windows Administrator access does not equal OSX Administrator level.

115 posted on 01/11/2004 11:22:47 PM PST by Swordmaker
[ Post Reply | Private Reply | To 54 | View Replies]

To: adam_az
The Shatter class of attacks are inherent Windows architecture problems. Have you heard of them? Very interesting stuff, from an IT security perspective.

Not really. In order to execute these kinds of attacks, you need to get code running on the box in question. Since you have no practical means of forcing me to run your malicious code, it's not a credible threat. Nice try.
116 posted on 01/11/2004 11:23:06 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 112 | View Replies]

To: Swordmaker
I think I have told you before that on an OSX platform one does not have to have the equivalent of Windows Administrator access to install aftermarket software. Windows Administrator access does not equal OSX Administrator level.

Irrelevant, Mac boy. Read the thread: Windows security profiles allow you to create user accounts with arbitrary privilege sets.
117 posted on 01/11/2004 11:24:31 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 115 | View Replies]

To: Bush2000; Anti-Republican
Of the advisories, only 7 are remote exploits; the rest depend upon an improbable chain of events, such as (a) browsing to a malicious webpage in IE or (b) running a malicious piece of software. Which means that practically no users are affected. Nice try, though.

This is so funny, Bushie. You seemed not to understand us when we were pointing out an even greater improbable chain of events when you were crowing about a "security issue" in Mac OSX!

Just how many pieces of "malicious software" are there for Windows? How many spyware programs invade Windows computers and run without their owners' permissions? Hilarious!

118 posted on 01/11/2004 11:27:42 PM PST by Swordmaker
[ Post Reply | Private Reply | To 55 | View Replies]

To: Bush2000
Certainly having a default administrator setting for a user is an issue -- but it isn't an operating system design flaw. OEMs configure these machines.

Gee... just the other day you were howling about a single OEM configured default setting on OSX that, in your opinion, was a "Critical" security issue, that might, after an extremely improbable chain of events, allow a local area user access to root level... and that, according to you, was a heinous flaw in the OS!

Suddenly SEVERAL flaws in WINDOWS are not "an operating system design flaw!"

You, Sir, are again hoist on your own petard!

119 posted on 01/11/2004 11:33:49 PM PST by Swordmaker
[ Post Reply | Private Reply | To 54 | View Replies]

To: antiRepublicrat
oops... I think I pinged the wrong anti to a reply two before this...
120 posted on 01/11/2004 11:40:27 PM PST by Swordmaker
[ Post Reply | Private Reply | To 62 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson