Flaws raise red flag on Linux security

ComputerWorld ^ | JANUARY 09, 2004 | Jaikumar Vijayan

[Bush2000]

Sorry, but it is you astroturfers for microsoft who constantly claim that liux distributions be measured against windows. I'm perfectly happy though, to go along with your game, providing that the comparisons be made against a level playing field.

If Linux kneepadders want to compare kernel against kernel, they're going to find more exploits in Linux. This is provable.

I'd still stand Debian, Mandrake, or RedHat against microsoft.

Of course you would. That's the nature of bigotry.

I'm not the one who made the initial claim that you made earlier comparing microsoft windows itself against an entire distribution of over 3000 separate packages that are distributed with RedHat.

I'm making no such argument. It was an illustration only, meant to show people that the ill-informed that solely comparing the Linux kernel against every add-on component in Windows isn't valid -- because there are plenty of flaws in Linux add-ons, too.

It is interesting that when I point out the apples/oranges nature of your claim that you resort to typical ad hominem.

It's not ad hominem to state facts. You guys are entrenched bigots.

I have great confidence that in the long run, the fine folks who have created the incredible wealth of OSS appliactions that already outstrip proprietary operating systems will overrun and overtake you despite your desperate attempts at sowing fear, uncertainty, and doubt.

Desperate? Hardly. Windows runs on more computers than Linux ever will. Still, I believe that there is a place for both open and closed systems. Each has its place, and I predict that the security issue will actually become less prominent over the next 5 years, as vendors on both sides adopt better strategies to address worms, trojans, and other malware. Just a few years ago, you OSS guys harped on stability constantly. The issue, itself, was really inconsequential. It was merely a peg to hang your hats on in order to attack Windows. Any issue would do. So you guys chose stability. Microsoft put resources into fixing the problem, and most people (assuming they have a clue) would agree that they have succeeded. Practically nobody on your side talks about stability anymore.

So you shifted to security. There are many losers out there who have made it their lifes' mission to find flaws in Windows. Sure, there are people who attack Linux, but the number pales next to those dedicated to attacking Windows. You have Microsoft's attention now. Security is a big deal there. Yeah, yeah, you can argue that it should have been all along, but that is merely an anecdotal footnote in the evolution of operating systems. Not so many years ago, desktop computers couldn't even be connected to distributed environments other than LANs. And while you may point out that Linux was designed with remote connectivity in mind, I will point out that Linux is seriously lacking as a desktop environment and, therefore, isn't currently suitable for desktop users; in other words, there is room for growth on both sides.

Shorterm, MS is doing something it should have done a long time ago: It's disabling all unnecessary remote services and turning on ICF (the built-in firewall) by default. Likewise, it's beefing up ICF to include both incoming and outgoing filters. Over time, this will virtually eliminate remote exploits -- but it will take time to happen, since service packs aren't applied universally overnight. In XP SP2, MS recompiled the entire operating system with a new compiler feature which prevents executing code on the stack; in theory, this eliminates buffer overflow attacks because (a) the code segment isn't writeable, and (b) it won't allow code to be executed from the stack segment. GCC added this capability recently, as well. Another one of the longterm ways that MS is addressing this threat is to replace the unmanaged Win32 API set with the managed .NET API in Longhorn, which centralizes security policy in a virtual machine environment; similar to the way that Java security sandboxes dangerous apps. I predict that, within a few short years, Win32 apps will run under emulation only -- based on MS's use of the VirualPC technology that they purchased -- which will further sandbox dangerous apps.

Windows is such a pitiful excuse for an operating system, it is inevitable that eventually people will come to understand that worms, viruses, trojans, and crashes are not normal consequences of a properly designed operatin system.

BS. There's nothing wrong with the design of Windows. If Linux users were to run as administrator and execute unsafe code, they would be infected with the same worms, viruses, and trojans.

[N3WBI3]

cert.org

[Swordmaker]

You OSS blowhards continually decry "Windows security" for flaws in IE, Outlook, IIS, etc

This is the "can 50,000,000 Frenchmen be wrong?" school of argument. The answer to this is "Yes, they can."

Microsoft put resources into fixing the problem . . .

You can actually admit that Windows HAD a problem. Good, now let's move on to "Windows HAS problems."

BS. There's nothing wrong with the design of Windows. If Linux users were to run as administrator and execute unsafe code, they would be infected with the same worms, viruses, and trojans.

But it DOESN'T, Bush, and it ISN'T... and Windows DOES and IS. That is one of the major points that makes them more secure than Windows.

[antiRepublicrat]

Note the term "may". Provide an example. There's no evidence of that.

There is no reason to have the disclaimer unless such things were not included. You're reaching here.

BTW, as a Windows zealot, the fact that Mac OS X Server had only one vulnerability in that entire timeframe must get on your nerves. Face it, Windows as opposed to either Mac or Linux is both more expensive and more vulnerable.

[antiRepublicrat]

I also liked this part:

"The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers"

Linux is already more popular in the server world, and didn't make many inroads on the desktop last year, so that doesn't make much sense.

[antiRepublicrat]

By the way, what will linus do when MSFT releases the next version of Windows? "Innovate" by trying to replicate it in open-source too???

Why wait until Microsoft "innovates" and steal it? Linux should just go directly to the source of Microsoft's innovation -- Apple.

[Bush2000]

cert.org

Let's have a direct link; otherwise, I'm going to call bullsh*t on your numbers.

[Bluntpoint]

I am going to Lindows 4.5 next week on my personal computer.

Good or bad Idea?

[Bush2000]

There is no reason to have the disclaimer unless such things were not included. You're reaching here.

Uh, you're the one who's reaching. All I'm asking you to do is provide a single example where this is the case. Is this really too much of a stretch for you?!?

[antiRepublicrat]

Bush hates Macintoshes even more than Linux!

Yeah, I remember. I just hope we don't have to explain to him again how administrator privileges in Mac (or Linux) != administrator privileges in Windows and how that relates to security.

[Bush2000]

Linux is already more popular in the server world, and didn't make many inroads on the desktop last year, so that doesn't make much sense.

Wrong -- and repeating a lie doesn't make it any more true, dude.

Microsoft's Server OS Market Growing

While Microsoft faces a number of lesser competitors, the software giant continues to garner share in server operating system markets. IDC said Microsoft will hold its dominant position in the worldwide market for providing operating systems for server environments through 2007.

[N3WBI3]

http://www.cert.org/advisories/#2002

If you are too lazy to read the certs that does not make it BS it just makes you lazy...

[Bluntpoint]

I love it when all you guys get together and talk computer stuff!!!!

[Bush2000]

But it DOESN'T, Bush, and it ISN'T... and Windows DOES and IS. That is one of the major points that makes them more secure than Windows.

Certainly having a default administrator setting for a user is an issue -- but it isn't an operating system design flaw. OEMs configure these machines. Dell, Gateway, etc preconfigure the machines this way because they don't want to field the support calls that would result if users were running at lower privilege levels and couldn't install aftermarket software. Nice try, but you can't blame administration failure on Windows.

[Bush2000]

Of the advisories, only 7 are remote exploits; the rest depend upon an improbable chain of events, such as (a) browsing to a malicious webpage in IE or (b) running a malicious piece of software. Which means that practically no users are affected. Nice try, though.

[antiRepublicrat]

I predict that the security issue will actually become less prominent over the next 5 years, as vendors on both sides adopt better strategies to address worms, trojans

I think so too. From what I've read of XP SP2, MS is rewriting its entire RPC system to slow the tide of vulnerabilities based on the current system's atrocious bounds checking. SP2 will contain a chunk of the rewrite. Maybe then they'll finally be able to go a month without a security update -- December was supposed to be the first month they did that but they had a couple anyway.

Practically nobody on your side talks about stability anymore.

They've made some great strides on the desktop. My XP system only freaks out once or twice a week with normal use, which is much better than 98 or 2000. But with servers, Windows still can't touch Linux or BSD for continuous uptime.

There's nothing wrong with the design of Windows

To begin with, there are the DLLs which cause conflict and require reboots after updates (say hello to downtime). Then there's the lack of the Unix equivalent of the separation of Administrator and Root so if you want to do anything, you're running with more privileges than you need. Then you have various installers that turn on services previously turned off.

If Linux users were to run as administrator and execute unsafe code, they would be infected with the same worms, viruses, and trojans.

You've forgotten already? Linux users often run as administrator, but still aren't vulnerable to many exploits. This is because administrator in Linux doesn't have the total system control that administrator in Windows does. This is one of the architectural flaws in Windows.

[cc2k]

Gunslingr3 wrote:

---

Do you know of an article that actually details the flaw and how it can be exploited?

---

This particular flaw in the VM system is described at http://isec.pl/vulnerabilities/isec-0013-mremap.txt.

That doesn't really detail the vulnerability or the exploit, only the underlying flaw in the virtual memory remap routine tha allows an exploit.

To exploit this flaw, you need to have access to a user account on the target machine, and a way to compile programs for execution on the target machine (you could compile them elsewhere and transfer them to the target machine, though). If you have that, and you sucessfully exploit the somewhat unpredictable behavior of the VM system, you can under some circumstances execute code of your own choosing at the kernel level, possibly granting yourself root access or doing other things that are beyond what is allowed your acccount's access privileges.

By itself, this is a pretty limited vulnerability. To exploit this vulnerability, an attacker would have to use other means to gain access to a user account on the target machine before the attacker could launch an attack.

[antiRepublicrat]

Uh, you're the one who's reaching. All I'm asking you to do is provide a single example where this is the case. Is this really too much of a stretch for you?!?

I can't provide it because they didn't provide the details of the methodology. All we can go off is why did they put a disclaimer there? Should I take my five year old to a movie with a disclaimer of "May contain scenes of graphic violence and nudity"? There was a "may" so there's still a chance the movie is G rated, right? Total BS.

[antiRepublicrat]

Sorry, like you earlier, I was thinking Web. Linux is dominant and going up, while Windows is going down.

[antiRepublicrat]

Certainly having a default administrator setting for a user is an issue -- but it isn't an operating system design flaw.

Yes it is. They could have administrator and root like with Linux and Mac. 99%+ of Mac users don't even know root exists, yet they can do everything they generally need to do with their computers.