Flaws raise red flag on Linux security

ComputerWorld ^ | JANUARY 09, 2004 | Jaikumar Vijayan

[Bush2000]

Flaws raise red flag on Linux security

But many users remain confident about the security of the open-source environment

Story by Jaikumar Vijayan

JANUARY 09, 2004 ( COMPUTERWORLD ) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.

Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems (see story). The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.

The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.

The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server that was being used to download copies of Gentoo's Linux source code by users.

The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.

"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."

Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.

"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.

"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.

Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.

"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."

[eno_]

I can p0wN any NT/XP system I have physical access to in well under 5 minutes. Local attacks are not a big deal.

[Swordmaker]

. . . and our desktops and laptops will all be Macs (UNIX under the hood) . . .

Better watch out, Action. Bush hates Macintoshes even more than Linux!

[Bush2000]

He's attempting to compare just the windows operating system itself, with an entire distribution that includes the OS, various editors, html production software, multiple browsers, firewall software, multiple firewall software, cd/dvd writers, 2 full office suites, web server, and scripting software, games, image editing/creation software and much other stuff that dosn't immediately come to mind.

You OSS blowhards continually decry "Windows security" for flaws in IE, Outlook, IIS, etc which have nothing to do with the operating system. And then you turn around and have the gall to say, with every discovered flaw in a component distributed with Linux, that "it isn't Linux." In other words, you want your cake and you want to eat it, too. You want the freedom to slam Windows without being subject to the same treatment with regard to Linux. I'm one of the few here who have the balls to call you on it. It's pathetic sophistry and weaselry at its worst.

[Bush2000]

Note that part of their site name is "NT". How impartial do you think that makes them.

I dunno. What isn't objective about supplying bug reports?!? As for incident reports, give an example. I'd like to see exactly what you're complaining about.

[Bush2000]

I can p0wN any NT/XP system I have physical access to in well under 5 minutes. Local attacks are not a big deal.

Oh, puh-lease. You act as if the same isn't true of Linux and Mac boxes. Hint: They're equally vulnerable to physical intrusion.

[N3WBI3]

Stastical Crud, it includes Apache, and other apps that are not Linux where as the Win2K stats dont include SQL server, and ....

[Bush2000]

Stastical Crud, it includes Apache, and other apps that are not Linux ....

As well it should, since Linux primarily serves in a role as a web server running Apache.

[antiRepublicrat]

Logical fallacy. There aren't "more vulnerabilities" in Windows (Linux Actually Less Secure Than Windows?, http://securityfocus.com/vulns/stats.shtml).

Read more from SecurityFocus:

For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers [big time].

Considering the vast number of Explorer, Outlook and IIS vulnerabilities that were out, the Windows number should have been quite higher, but they weren't counted. This also doesn't take into consideration that Windows enables most services and installs almost all packages by default, while usual Linux practice is to install only those packages and services that are needed, which for any one installation reduces the vulnerability count.

[zeugma]

Sorry, but it is you astroturfers for microsoft who constantly claim that liux distributions be measured against windows. I'm perfectly happy though, to go along with your game, providing that the comparisons be made against a level playing field. I'd still stand Debian, Mandrake, or RedHat against microsoft. I'm not the one who made the initial claim that you made earlier comparing microsoft windows itself against an entire distribution of over 3000 separate packages that are distributed with RedHat. It is interesting that when I point out the apples/oranges nature of your claim that you resort to typical ad hominem.

I have great confidence that in the long run, the fine folks who have created the incredible wealth of OSS appliactions that already outstrip proprietary operating systems will overrun and overtake you despite your desperate attempts at sowing fear, uncertainty, and doubt. Windows is such a pitiful excuse for an operating system, it is inevitable that eventually people will come to understand that worms, viruses, trojans, and crashes are not normal consequences of a properly designed operatin system.

[zeugma]

He must be worried about his options.

[N3WBI3]

Ok if we want to make this totally clear, I will give you Apache, Open SSH .... and if you count vulnerabilities (not CERTS) MS still get whipped..

According to cert.org in 2003 major issues
Windows 22
Linux 15
Unix 10
None 1
All 8

Now this take into account CERTS like CA-2002-09 which had 10 CAN issues..

[Swordmaker]

You OSS blowhards continually decry "Windows security" for flaws in IE, Outlook, IIS, etc

Seems to me that there is SWORN testimony from Microsoft representatives that Internet Explorer is an integral part of the Windows Operating System.

[Swordmaker]

Oh, puh-lease. You act as if the same isn't true of Linux and Mac boxes. Hint: They're equally vulnerable to physical intrusion.

Yeah, Bush, if I have that kind of access to a local computer I can use an AXE on it. So WHAT?

[Swordmaker]

You act as if the same isn't true of Linux and Mac boxes. Hint: They're equally vulnerable to physical intrusion.

I also might mention that the Mac G5 has an industrial strength locking system on it... might make it a little less vulnerable in the "physical intrusion" department than a PC or Linus box with screws...

[TechJunkYard]

Better watch out, Action. Bush hates Macintoshes even more than Linux!

Bushie hates everyone and everything that doesn't face Redmond and bow down to pray to Gates twice a day.

[Bush2000]

For instance, applications for Linux and BSD are often grouped in as subcomponents with the operating systems that they are shipped with. For Windows, applications and subcomponents such as Explorer often have their own packages that are considered vulnerable or not vulnerable outside of Windows and therefore may not be included in the count. This may skew numbers [big time].

Note the term "may". Provide an example. There's no evidence of that.

[Bush2000]

He must be worried about his options.

I have no stock options. But if you want to contribute some, I'd be happy to accept.

[Bush2000]

Ok if we want to make this totally clear, I will give you Apache, Open SSH .... and if you count vulnerabilities (not CERTS) MS still get whipped..

Is it too much to ask for -- provide a link so that your data can be evaluated...

[Bush2000]

Seems to me that there is SWORN testimony from Microsoft representatives that Internet Explorer is an integral part of the Windows Operating System.

It ain't part of the kernel -- which is the basis for what Linux blowhards to be considered part of "Linux". IE is integrated into the Windows shell. You do know the difference between the shell and the kernel, right?

[Bush2000]

Yeah, Bush, if I have that kind of access to a local computer I can use an AXE on it. So WHAT?

The point is that local access exploits affect ALL platforms, you bigots.

I also might mention that the Mac G5 has an industrial strength locking system on it... might make it a little less vulnerable in the "physical intrusion" department than a PC or Linus box with screws...

Will this "industrial strength locking system" prevent me from picking up the machine and removing it from the lab? Didn't think so, troll.