Free Republic

Flaws raise red flag on Linux security
ComputerWorld ^ | JANUARY 09, 2004 | Jaikumar Vijayan

Posted on 01/10/2004 12:20:46 PM PST by Bush2000

But many users remain confident about the security of the open-source environment

Story by Jaikumar Vijayan

JANUARY 09, 2004 (COMPUTERWORLD) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.

Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems. The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.

The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.

The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server that was being used to download copies of Gentoo's Linux source code by users.

The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.

"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."

Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.

"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.

"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.

Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.

"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."


TOPICS: Business/Economy; Culture/Society; Front Page News; Technical
KEYWORDS: computersecurity; linux; lowqualitycrap
To: Swordmaker
Gee... just the other day you were howling about a single OEM configured default setting on OSX that, in your opinion, was a "Critical" security issue, that might, after an extremely improbable chain of events, allow a local area user access to root level... and that, according to you, was a heinous flaw in the OS!

Considering the fact that all that's needed to exploit your flaw was to plug in a notebook running an LDAP server on your segment, that's a pretty big freakin' flaw.
121 posted on 01/11/2004 11:40:31 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 119 | View Replies]

To: Bush2000
As with SwordMaker, don't make the mistake of assuming that, because your Windows box comes preconfigured with you as Administrator that it's a flaw in the OS. It ain't. Dell or whoever configured the box made that choice for their own convenience.

Excuse me, Bush... on second thought DON'T excuse me... but exactly what access level does a new installation of Windows, on either an old or new computer, present to the user at completion? Oh, Administrator Access... thought so.

122 posted on 01/11/2004 11:45:33 PM PST by Swordmaker
[ Post Reply | Private Reply | To 67 | View Replies]

To: Swordmaker
Excuse me, Bush... on second thought DON'T excuse me... but exactly what access level does a new installation of Windows, on either an old or new computer, present to the user at completion? Oh, Administrator Access... thought so.

End users don't install and configure their own Windows boxes. Dell or Gateway or Compaq/HP or Alienware does.
123 posted on 01/11/2004 11:50:35 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 122 | View Replies]

To: Swordmaker
End users don't install and configure their own Windows boxes. Dell or Gateway or Compaq/HP or Alienware does.

And here's the proof: MSFT Fourth Quarter 2003 Earnings Report

Allow me to break it down for you. Microsoft makes $2.53 billion from Windows sales -- and $2.49 billion of those sales originate in the OEM channel (i.e. Dell, Gateway, etc). So OEMs account for 98.41% of all Windows installations; and hence, practically no end user installs Windows on his or her own box.

Thus, we can conclude that any security issues relating to user account configuration are caused by OEM failure to configure the boxes correctly. Game over.
124 posted on 01/12/2004 12:24:26 AM PST by Bush2000
[ Post Reply | Private Reply | To 123 | View Replies]

To: Bush2000
Dancin' and dodgin'

Bush you come across as ridiculous.
125 posted on 01/12/2004 12:32:23 AM PST by Swordmaker
[ Post Reply | Private Reply | To 114 | View Replies]

To: Bush2000
"I'd still stand Debian, Mandrake, or RedHat against microsoft." Of course you would. That's the nature of bigotry.

The nature of bigotry is to stand Debian, Mandrake or Redhat against Microsoft?
126 posted on 01/12/2004 12:42:26 AM PST by Sockdologer
[ Post Reply | Private Reply | To 41 | View Replies]

To: Bush2000
Irrelevant, Mac boy. Read the thread: Windows security profiles allow you to create user accounts with arbitrary privilege sets.

No, Bush, it isn't. Go out, find 100 home or small business Windows users at random and check the percentage that are NOT running at Administrator level. I would be very surprised if the percentage was more than .1%... in other words, 99.9%+ are operating at Administrator level.

The vast majority of individual Windows users don't even know they can set up a separate account for Junior, much less set "arbitrary privilege sets." On almost every small business LAN I have worked on where there was an internet router, even those set up by "consultants" or "experts," I have found that they are using the default addresses set by the router's manufacturer and the firewall is off.

127 posted on 01/12/2004 12:44:14 AM PST by Swordmaker
[ Post Reply | Private Reply | To 117 | View Replies]

To: Bush2000
Considering the fact that all that's needed to exploit your flaw was to plug in a notebook running an LDAP server on your segment, that's a pretty big freakin' flaw.

No, Bush, it required connecting to a Local Network with a HOSTILE LDAP server... a very remote possibility... that can be prevented by changing ONE user setting.

128 posted on 01/12/2004 12:47:03 AM PST by Swordmaker
[ Post Reply | Private Reply | To 121 | View Replies]

To: Bush2000; antiRepublicrat
End users don't install and configure their own Windows boxes. Dell or Gateway or Compaq/HP or Alienware does.

Why don't you move into the REAL WORLD, Bush.

In the real world users are handed a box that boots into ADMINISTRATOR ACCESS and very few users are sophisticated enough to restrict their own default access.

In the real world Windows installers install Internet Explorer, Outlook, and a host of other applications that 99.9999% of Windows users think is part of their computer's suite of WINDOWS software.

In the real world, Microsoft installers finish the job with the Messenger Service turned ON... so they and others can pop ads into your browser.

In the real world, Bush, many people buy an off-the-shelf upgrade so they can bring an older computer into the wonderful world of Windows XP.

In the real world, some even buy full installation versions so they can build their own boxes.

In the real world people want to install and USE software rather than just sit there and admire the Kernel of Windows doing nothing so they can be totally secure.

129 posted on 01/12/2004 1:00:37 AM PST by Swordmaker
[ Post Reply | Private Reply | To 123 | View Replies]

To: Bush2000
So the revenues are 2.53 Billion... 2.49 Billion of which is OEM sales. Great, good for them. That still leaves .04 Billion, $40 million X 4 quarters, Call it $150 Million (to account for the growth in sales) for a year that was generated by sales outside of OEM. Assuming a $100 average wholesale price to the jobber/retailer (It's probably less) that translates into 1.5 million people who will self install Windows.

Of course, according to you, every one of them is "practically no end user."

Then of course, Bush, there are the millions of users who aren't upgrading and are still using '98, 2000, NT, ME, etc. that are still Windows users at risk.

130 posted on 01/12/2004 1:18:21 AM PST by Swordmaker
[ Post Reply | Private Reply | To 124 | View Replies]

To: Bush2000
You personally, perhaps. All it takes is a couple extra IQ points than the average bear. Of course, there's a lot of Yogis out there. YOU aren't the entire universe of Windows users.

On the other hand, every day thousands of systems become infected by worms, trojans, spyware, and other malicious code. Shatter attacks are very handy for privilege escalation.
131 posted on 01/12/2004 6:17:51 AM PST by adam_az (Be vewy vewy qwiet, I'm hunting weftists.)
[ Post Reply | Private Reply | To 116 | View Replies]

To: Bush2000
Bush2000 wrote:
the rest depend upon an improbable chain of events, such as (a) browsing to a malicious webpage in IE or (b) running a malicious piece of software.
Actually, IE can be made to access a malicious web page if you view a maliciously constructed e-mail message in Outlook Express. That kind of exploit can affect a lot of users and compromise a whole bunch of Windows systems.

Also, many versions of Outlook Express were configured by default to open certain types of attachments automatically, and an email sent to a user who hasn't secured that "feature" can run a malicious piece of software. Again, this type of exploit will result in a whole bunch of compromised Windows systems.

Bush2000 wrote:
You don't need an account. A kernel buffer overflow can be hijacked to create an account with elevated privilege.
The exploit referred to in this article requires access to a local account on the target machine. It almost requires shell access to the target machine, though it might be possible, if you are very, very good and/or very, very lucky, to exploit this vulnerability with a web hosting account or similar non-shell access account on a particularly poorly secured server.

The vulnerability addressed in this article doesn't allow an unauthenticated remote system to create an account on the target machine. This is true for most Linux Kernel vulnerabilities that have been discovered recently.

BTW, this is the opposite of the MS-Blaster exploit and several other recent exploits to MS Windows. Many of the Windows exploits that have been discovered recently allow unauthenticated remote connections to compromise the target Windows system.

132 posted on 01/12/2004 7:31:29 AM PST by cc2k
[ Post Reply | Private Reply | To 88 | View Replies]

To: Bush2000
The IE attack is not really a threat because it is predicated on a user/app browsing to a malicious web page. Since the likelihood of that possibility occurring approaches zero, no threat. Nice try, though.

On a server, but likely on a desktop, of which there are millions. You can couple any of those malicious site exploits with the recent ability to disguise the URL of a link. Watch out for following links on bulletin boards like this one if you're on IE.

133 posted on 01/12/2004 8:33:55 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 113 | View Replies]

To: Bush2000
Not! Are you seriously denying that the vast majority of people get Windows preinstalled with their machines

No, it's the upgrades which are usually purchased. But the upgrade is the same thing, just requires proof of an existing OS (whether installed or by having a CD).

That poor choice has nothing to do with the design of Windows.

Microsoft designed it to be insecure out of the box to make it possible for the average user to do anything he would normally want to, just as the OEMs do. I'd say it does.

Apple produces OSX. It is the OEM. Consequently, I'm not surprised that Apple preconfigures its machines with appropriate accounts. But blaming Microsoft for Dell or Gateway's failure is just BS

The basic architecture of a *nix system for years has had this better structure of user accounts. Microsoft has had their current poor structure since NT.

For Apple, "out of the box" means Apple has preconfigured the machine to its specifications and delivered it to the user.

They configure it to a pretty much standard *nix configuration for security. Dell and Gateway also configure their computers to a standard Windows configuration, as does Microsoft itself when they sell the product. Face it, Windows standards are deficient.

Given Microsoft's recent stress on security, you'd think this would be one good way to help, but they haven't. Maybe they could up the privileges of Power User a bit and make that the standard user account. But they didn't. I am getting the feeling that, despite all the fine tuning possible with Windows user accounts, privileges are designed in such a way as to preclude being able to do the *nix equivalent of admin and root.

134 posted on 01/12/2004 8:43:39 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 114 | View Replies]

To: Swordmaker
No, Bush, it isn't. Go out, find 100 home or small business Windows users at random and check the percentage that are NOT running at Administrator level. I would be very surprised if the percentage was more than .1%... in other words, 99.9%+ are operating at Administrator level.

Duh. As we've already discussed, over 98% of users get their PCs preconfigured from Dell and other OEMs. They just use whatever account was preassigned by Dell. In virtually all cases, that means using the default administrator account. That isn't Microsoft's doing -- nor is it a flaw in Windows.
135 posted on 01/12/2004 8:50:15 AM PST by Bush2000
[ Post Reply | Private Reply | To 127 | View Replies]

To: Swordmaker
Assuming a $100 average wholesale price to the jobber/retailer (It's probably less) that translates into 1.5 million people who will self install Windows. Of course, according to you, every one of them is "practically no end user."

So what. That's fewer than 2% of all users who purchased Windows.
136 posted on 01/12/2004 8:51:33 AM PST by Bush2000
[ Post Reply | Private Reply | To 130 | View Replies]

To: Swordmaker
No, Bush, it required connecting to a Local Network with a HOSTILE LDAP server... a very remote possibility... that can be prevented by changing ONE user setting.

Look, it's not that difficult to understand. If I plug my notebook (running a hostile LDAP server) into your network, you're toast if you use Mac OSX out of the box. I can not only own your box but I can destroy it.
137 posted on 01/12/2004 8:54:20 AM PST by Bush2000
[ Post Reply | Private Reply | To 128 | View Replies]

To: cc2k
Actually, IE can be made to access a malicious web page if you view a maliciously constructed e-mail message in Outlook Express. That kind of exploit can affect a lot of users and compromise a whole bunch of Windows systems.

Only if you assume you're running an unpatched version of Outlook Express.

The vulnerability addressed in this article doesn't allow an unauthenticated remote system to create an account on the target machine. This is true for most Linux Kernel vulnerabilities that have been discovered recently.

Local exploits open the door to deploy malware which elevates privileges, etc. It's serious, despite what you're suggesting. Frankly, if you examine past Windows kernel vulnerabilities, you will find that practically none of them are remote exploits.
138 posted on 01/12/2004 8:58:36 AM PST by Bush2000
[ Post Reply | Private Reply | To 132 | View Replies]

To: Bush2000
So OEMs account for 98.41% of all Windows installations; and hence, practically no end user installs Windows on his or her own box.

Considering that Microsoft likely gets 50% of the end retail price for Windows XP, that's between 800,000 users (home edition upgrade) and 266,000 users (professional full purchase). Based on what I see on the shelves, probably 600,000 users got Windows from Microsoft in the fourth quarter, 2+ million last year. Doesn't sound like "practically no end user" to me, since we're talking over two million more poorly configured computers out of the box waiting to be exploited.

139 posted on 01/12/2004 9:00:02 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 124 | View Replies]

To: antiRepublicrat
No, it's the upgrades which are usually purchased. But the upgrade is the same thing, just requires proof of an existing OS (whether installed or by having a CD).

Uh, dude. Use your brain for something other than a hat rack. I just showed you definitive proof that retail sales account for less than 2% of Windows sales. Upgrades are only a subset of that < 2% figure. You want to pretend that they represent a more significant portion of Windows sales. But you're wrong. My numbers prove it.

Microsoft designed it to be insecure out of the box to make it possible for the average user to do anything he would normally want to, just as the OEMs do. I'd say it does.

Wrong. Windows provides the ability to customize user accounts to whatever rights mask you require. If you're installing your own box, you need some fundamental skills -- just as you need some fundamental skills to perform brain surgery or litigate a case in court -- and if you're ignorant of critical aspects of security, it's your own fault. Don't blame the hammer because you let somebody else hit you in the head with it.

The basic architecture of a *nix system for years has had this better structure of user accounts. Microsoft has had their current poor structure since NT.

Disagree. The only thing that I will concede is that *nix user accounts have better defaults.

They configure it to a pretty much standard *nix configuration for security. Dell and Gateway also configure their computers to a standard Windows configuration, as does Microsoft itself when they sell the product. Face it, Windows standards are deficient.

I would like Microsoft to create lower-privileged accounts for users by default. This would be a good thing. But, on its face, that doesn't mean that the fundamental design of Windows is deficient. On that point, you're dead wrong.
140 posted on 01/12/2004 9:05:34 AM PST by Bush2000
[ Post Reply | Private Reply | To 134 | View Replies]

