Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Flaws raise red flag on Linux security
ComputerWorld ^ | JANUARY 09, 2004 | Jaikumar Vijayan

Posted on 01/10/2004 12:20:46 PM PST by Bush2000

Flaws raise red flag on Linux security

But many users remain confident about the security of the open-source environment

Story by Jaikumar Vijayan

JANUARY 09, 2004 ( COMPUTERWORLD ) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.

Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems (see story). The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.

The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.

The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server that was being used to download copies of Gentoo's Linux source code by users.

The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.

"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."

Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.

"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.

"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.

Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.

"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."


TOPICS: Business/Economy; Culture/Society; Front Page News; Technical
KEYWORDS: computersecurity; linux; lowqualitycrap
Navigation: use the links below to view more comments.
first 1-2021-4041-6061-80 ... 181-186 next last

1 posted on 01/10/2004 12:20:46 PM PST by Bush2000
[ Post Reply | Private Reply | View Replies]

To: Bush2000
Flaws raise red flag on Linux security

Well! I guess that settles that. I'd never use an operating system with flaws. I'm sticking with windows.

2 posted on 01/10/2004 12:28:35 PM PST by FreePaul
[ Post Reply | Private Reply | To 1 | View Replies]

To: FreePaul
Just to be on the safe side, we'd better use Windows. ;-p
3 posted on 01/10/2004 12:29:25 PM PST by Bush2000
[ Post Reply | Private Reply | To 2 | View Replies]

To: All
Did you do well in the market this year?
If so, then maybe you can afford to make a donation to Free Republic!

4 posted on 01/10/2004 12:29:27 PM PST by Support Free Republic (Freepers post from sun to sun, but a fundraiser bot's work is never done.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them.

If this is true then why does Windows, where people can't see the source, have even more vulnerabilities?

5 posted on 01/10/2004 12:32:50 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.

Do you know of an article that actually details the flaw and how it can be exploited?

6 posted on 01/10/2004 12:34:49 PM PST by Gunslingr3
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
Ghads, that Linux must really scare people. We all must conform, we all must use the one true operating system, we all must have broken windows.
7 posted on 01/10/2004 12:35:35 PM PST by kingu (Remember: Politicians and members of the press are going to read what you write today.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: antiRepublicrat
If this is true then why does Windows, where people can't see the source, have even more vulnerabilities?

Logical fallacy. There aren't "more vulnerabilities" in Windows (Linux Actually Less Secure Than Windows?, http://securityfocus.com/vulns/stats.shtml).
8 posted on 01/10/2004 12:40:26 PM PST by Bush2000
[ Post Reply | Private Reply | To 5 | View Replies]

To: Gunslingr3
Do you know of an article that actually details the flaw and how it can be exploited?

http://isec.pl/vulnerabilities03.html
9 posted on 01/10/2004 12:42:50 PM PST by Bush2000
[ Post Reply | Private Reply | To 6 | View Replies]

To: antiRepublicrat
"If this is true then why does Windows, where people can't see the source, have even more vulnerabilities?"

Microsoft (historically) ignores flaws like democrats ignore communists spys. Once a flaw is widely publicized, everybody sits tight waiting for Microsoft to issue a security patch. This is known as security by obscurity. LINUX however is open source and is scrutinized by an army of really weird and talented people. If you find a flaw, some little elf fixes it pronto. Adam Smith's invisible hand is helped along by some other force - the fingers of network externality.
10 posted on 01/10/2004 12:45:03 PM PST by reed_inthe_wind (That Hillary really knows how to internationalize my MOJO.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Bush2000
Just the tip of the iceberg. By the way, what will linus do when MSFT releases the next version of Windows? "Innovate" by trying to replicate it in open-source too???
11 posted on 01/10/2004 12:47:14 PM PST by E=MC<sup>2</sup>
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
There were a whole load of local root exploits in the BSDs, including the much-vaunted OpenBSD back in 2001. I haven't heard how insecure the BSDs are because of that, strangely.

These things do happen from time to time, in every operating system. They just don't tend to cause a massive net-slowing wormfest.

12 posted on 01/10/2004 12:57:57 PM PST by B Knotts (Go 'Nucks!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
>Just to be on the safe side, we'd better use Windows

Let's face it: It's clear
we were wrong to ever leave
the CP/M world...

13 posted on 01/10/2004 1:02:55 PM PST by theFIRMbss
[ Post Reply | Private Reply | To 3 | View Replies]

To: FreePaul
I'm sticking with windows.

You are talking about the dual pane type, right?

giggle.

LVM

14 posted on 01/10/2004 1:05:14 PM PST by LasVegasMac (most running backs like to run where the holes are...I like to run where the people are. LC / MD)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Bush2000
So now you're posting in bold? What's next ALL CAPS?

And what's with the Linux vitrol of late?

Could it be:


15 posted on 01/10/2004 1:19:24 PM PST by Justa (Politically Correct is morally wrong.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Bush2000
What a content free post. I believe the "flaw" that is being discussed is a local exploit, unlike most of the recent hacks against windows that can be remotely executed, that requires the user to already have an account on the box.

The lack of specifics in this article are typical of what I expect from the microsofties. I didn't know you worked on saturday.

16 posted on 01/10/2004 1:21:20 PM PST by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
Despite the widely-held belief that the open-source operating system Linux is hands-down more secure than Microsoft, statistics gathered by leading security company SecurityFocus on their NTBugTraq site say differently. According to the most recent statistics, available up to August 2001, Windows 2000 Server had far fewer security vulnerabilities than Red Hat or Mandrake Linux - less than half as many, in fact. Sun's Solaris OS was tied with Win2000. This information is not a fluke. Looking back over the last five years, Microsoft NT and Win2000 servers had fewer security violations than Linux, despite being used more widely.

I'd like to point out the rest the folks on the thread who might not be familiar with this particular FUD point. It is major apples to oranges comparison that b2k and other microsoft supporters trot out.

He's attempting to compare just the windows operating system itself, with an entire distribution that includes the OS, various editors, html production software, multiple browsers, firewall software, multiple firewall software, cd/dvd writers, 2 full office suites, web server, and scripting software, games, image editing/creation software and much other stuff that dosn't immediately come to mind. Microsoft doesn't even make software that is comparable with all the software that is included in a standard Red Hat distribution, but if you included everything that they do sell that has a RedHat equivalent, you'll find that the numbers to not compare favorably.

17 posted on 01/10/2004 1:46:05 PM PST by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: zeugma
... but if you included everything that they do sell that has a RedHat equivalent, you'll find that the numbers to not compare favorably.

Are you implying that the server security vulnerabilities from the report mistakingly included security vulnerabilities in RedHat's various editors, html production software, multiple browsers, firewall software, multiple firewall software, cd/dvd writers, 2 full office suites, web server, and scripting software, games, image editing/creation software and much other stuff that dosn't immediately come to mind. ...

18 posted on 01/10/2004 2:10:58 PM PST by rit
[ Post Reply | Private Reply | To 17 | View Replies]

To: Bush2000

"...statistics gathered by leading security company SecurityFocus on their NTBugTraq site say differently..."

Note that part of their site name is "NT". How impartial do you think that makes them. In fact, I follow their postings regularly, along with those of several other security sites. The one thing that I have noticed about NTBugTraq is that when there are several interrelated bugs in Microsloth Windows based OS's, they almost always bundle them together as only one event, but in similar situations, on non-Microsloth products, they always create separate incidents. That's the kind of diddling with the numbers that it takes to make Microsloth even appear to be somewhat secure. But, the picture is quite different, when viewed from the trenches.

I have run entire IT departments for very large corporations and have been a US security lead for a major oil company and in all those years, two things have become obvious. First, it not only takes significantly more security support staff to secure and keep secure Microsloth based systems, than any UNIX based systems, including LINUX, but the Microsloth security staff has to be much better trained than their UNIX counterparts. Secondly, even with that larger and better trained support staff, the few successful attacks that we experienced were almost exclusively on Microsloth based systems. At one company, we had one MCSE and two MCSE/MCSA's, who were all security specialists and who did nothing else. Those three highly trained specialists maintained security on one fifth as many servers as our single UNIX security man did and he had only a high school diploma and some practical experience and handled system admin work on several of those UNIX systems, as well. While I was there, we never had a single successful attack on a UNIX (or LINUX) based system, while successful NT attacks, though not common, were far from rare. And that's not even considering the Windows desktop attacks and the additional security staff that we had to deal with those problems.

I am now the Infrastructure Director of a new international natural resources exploration and development company. Some time back, we decided that all of our servers will be UNIX (or LINUX) based and our desktops and laptops will all be Macs (UNIX under the hood). Since we began operating in this environment, we have not had a single security event of any kind. I wonder how many companies can say the same of their Microsloth based networks.

 

19 posted on 01/10/2004 2:11:12 PM PST by Action-America (Best President: Reagan * Worst President: Klinton * Worst GOP President: Dubya)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Bush2000
My, my. A vulnerability to a "local attacker." This makes me love MS again. I certainly prefer remote attacks. /sarcasm
20 posted on 01/10/2004 2:14:04 PM PST by Clara Lou
[ Post Reply | Private Reply | To 1 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-4041-6061-80 ... 181-186 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson