Free Republic
Browse · Search
News/Activism
Topics · Post Article

Flaws raise red flag on Linux security
ComputerWorld ^ | JANUARY 09, 2004 | Jaikumar Vijayan

Posted on 01/10/2004 12:20:46 PM PST by Bush2000

But many users remain confident about the security of the open-source environment

Story by Jaikumar Vijayan

JANUARY 09, 2004 (COMPUTERWORLD) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.

Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems (see story). The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.

The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.

The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server that was being used to download copies of Gentoo's Linux source code by users.

The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.

"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."

Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.

"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.

"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.

Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.

"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."


TOPICS: Business/Economy; Culture/Society; Front Page News; Technical
KEYWORDS: computersecurity; linux; lowqualitycrap
To: zeugma
Sorry, but it is you astroturfers for microsoft who constantly claim that linux distributions be measured against windows. I'm perfectly happy though, to go along with your game, providing that the comparisons be made against a level playing field.

If Linux kneepadders want to compare kernel against kernel, they're going to find more exploits in Linux. This is provable.

I'd still stand Debian, Mandrake, or RedHat against microsoft.

Of course you would. That's the nature of bigotry.

I'm not the one who made the initial claim that you made earlier comparing microsoft windows itself against an entire distribution of over 3000 separate packages that are distributed with RedHat.

I'm making no such argument. It was an illustration only, meant to show the ill-informed that solely comparing the Linux kernel against every add-on component in Windows isn't valid -- because there are plenty of flaws in Linux add-ons, too.

It is interesting that when I point out the apples/oranges nature of your claim that you resort to typical ad hominem.

It's not ad hominem to state facts. You guys are entrenched bigots.

I have great confidence that in the long run, the fine folks who have created the incredible wealth of OSS applications that already outstrip proprietary operating systems will overrun and overtake you despite your desperate attempts at sowing fear, uncertainty, and doubt.

Desperate? Hardly. Windows runs on more computers than Linux ever will. Still, I believe that there is a place for both open and closed systems. Each has its place, and I predict that the security issue will actually become less prominent over the next 5 years, as vendors on both sides adopt better strategies to address worms, trojans, and other malware. Just a few years ago, you OSS guys harped on stability constantly. The issue, itself, was really inconsequential. It was merely a peg to hang your hats on in order to attack Windows. Any issue would do. So you guys chose stability. Microsoft put resources into fixing the problem, and most people (assuming they have a clue) would agree that they have succeeded. Practically nobody on your side talks about stability anymore.

So you shifted to security. There are many losers out there who have made it their life's mission to find flaws in Windows. Sure, there are people who attack Linux, but the number pales next to those dedicated to attacking Windows. You have Microsoft's attention now. Security is a big deal there. Yeah, yeah, you can argue that it should have been all along, but that is merely an anecdotal footnote in the evolution of operating systems. Not so many years ago, desktop computers couldn't even be connected to distributed environments other than LANs. And while you may point out that Linux was designed with remote connectivity in mind, I will point out that Linux is seriously lacking as a desktop environment and, therefore, isn't currently suitable for desktop users; in other words, there is room for growth on both sides.

Short term, MS is doing something it should have done a long time ago: It's disabling all unnecessary remote services and turning on ICF (the built-in firewall) by default. Likewise, it's beefing up ICF to include both incoming and outgoing filters. Over time, this will virtually eliminate remote exploits -- but it will take time to happen, since service packs aren't applied universally overnight. In XP SP2, MS recompiled the entire operating system with a new compiler feature which prevents executing code on the stack; in theory, this eliminates buffer overflow attacks because (a) the code segment isn't writeable, and (b) it won't allow code to be executed from the stack segment. GCC added this capability recently, as well. Another one of the long-term ways that MS is addressing this threat is to replace the unmanaged Win32 API set with the managed .NET API in Longhorn, which centralizes security policy in a virtual machine environment; similar to the way that Java security sandboxes dangerous apps. I predict that, within a few short years, Win32 apps will run under emulation only -- based on MS's use of the VirtualPC technology that they purchased -- which will further sandbox dangerous apps.

Windows is such a pitiful excuse for an operating system, it is inevitable that eventually people will come to understand that worms, viruses, trojans, and crashes are not normal consequences of a properly designed operating system.

BS. There's nothing wrong with the design of Windows. If Linux users were to run as administrator and execute unsafe code, they would be infected with the same worms, viruses, and trojans.
41 posted on 01/11/2004 11:23:24 AM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 29 | View Replies]

To: Bush2000
cert.org
42 posted on 01/11/2004 12:25:55 PM PST by N3WBI3
[ Post Reply | Private Reply | To 38 | View Replies]

To: Bush2000
You OSS blowhards continually decry "Windows security" for flaws in IE, Outlook, IIS, etc

This is the "can 50,000,000 Frenchmen be wrong?" school of argument. The answer to this is "Yes, they can."

Microsoft put resources into fixing the problem . . .

You can actually admit that Windows HAD a problem. Good, now let's move on to "Windows HAS problems."

BS. There's nothing wrong with the design of Windows. If Linux users were to run as administrator and execute unsafe code, they would be infected with the same worms, viruses, and trojans.

But it DOESN'T, Bush, and it ISN'T... and Windows DOES and IS. That is one of the major points that makes them more secure than Windows.

43 posted on 01/11/2004 1:33:34 PM PST by Swordmaker
[ Post Reply | Private Reply | To 41 | View Replies]

To: Bush2000
Note the term "may". Provide an example. There's no evidence of that.

There is no reason to have the disclaimer unless such things were not included. You're reaching here.

BTW, as a Windows zealot, the fact that Mac OS X Server had only one vulnerability in that entire timeframe must get on your nerves. Face it, Windows as opposed to either Mac or Linux is both more expensive and more vulnerable.

44 posted on 01/11/2004 1:36:27 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 36 | View Replies]

To: Bush2000
I also liked this part:
"The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers"
Linux is already more popular in the server world, and didn't make many inroads on the desktop last year, so that doesn't make much sense.
45 posted on 01/11/2004 1:39:30 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 1 | View Replies]

To: E=MC<sup>2</sup>
By the way, what will linus do when MSFT releases the next version of Windows? "Innovate" by trying to replicate it in open-source too???

Why wait until Microsoft "innovates" and steal it? Linux should just go directly to the source of Microsoft's innovation -- Apple.

46 posted on 01/11/2004 1:43:43 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 11 | View Replies]

To: N3WBI3
cert.org

Let's have a direct link; otherwise, I'm going to call bullsh*t on your numbers.
47 posted on 01/11/2004 1:48:22 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 42 | View Replies]

To: antiRepublicrat
I am going to Lindows 4.5 next week on my personal computer.

Good or bad Idea?
48 posted on 01/11/2004 1:49:12 PM PST by Bluntpoint
[ Post Reply | Private Reply | To 44 | View Replies]

To: antiRepublicrat
There is no reason to have the disclaimer unless such things were not included. You're reaching here.

Uh, you're the one who's reaching. All I'm asking you to do is provide a single example where this is the case. Is this really too much of a stretch for you?!?
49 posted on 01/11/2004 1:50:40 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 44 | View Replies]

To: Swordmaker
Bush hates Macintoshes even more than Linux!

Yeah, I remember. I just hope we don't have to explain to him again how administrator privileges in Mac (or Linux) != administrator privileges in Windows and how that relates to security.

50 posted on 01/11/2004 1:51:06 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 22 | View Replies]

To: antiRepublicrat
Linux is already more popular in the server world, and didn't make many inroads on the desktop last year, so that doesn't make much sense.

Wrong -- and repeating a lie doesn't make it any more true, dude.
51 posted on 01/11/2004 1:55:25 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Bush2000
http://www.cert.org/advisories/#2002

If you are too lazy to read the certs, that does not make it BS; it just makes you lazy...

52 posted on 01/11/2004 1:55:33 PM PST by N3WBI3
[ Post Reply | Private Reply | To 47 | View Replies]

To: N3WBI3
I love it when all you guys get together and talk computer stuff!!!!


53 posted on 01/11/2004 1:59:31 PM PST by Bluntpoint
[ Post Reply | Private Reply | To 52 | View Replies]

To: Swordmaker
But it DOESN'T, Bush, and it ISN'T... and Windows DOES and IS. That is one of the major points that makes them more secure than Windows.

Certainly having a default administrator setting for a user is an issue -- but it isn't an operating system design flaw. OEMs configure these machines. Dell, Gateway, etc preconfigure the machines this way because they don't want to field the support calls that would result if users were running at lower privilege levels and couldn't install aftermarket software. Nice try, but you can't blame administration failure on Windows.
54 posted on 01/11/2004 2:00:37 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 43 | View Replies]

To: N3WBI3
Of the advisories, only 7 are remote exploits; the rest depend upon an improbable chain of events, such as (a) browsing to a malicious webpage in IE or (b) running a malicious piece of software. Which means that practically no users are affected. Nice try, though.
55 posted on 01/11/2004 2:13:08 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 52 | View Replies]

To: Bush2000
I predict that the security issue will actually become less prominent over the next 5 years, as vendors on both sides adopt better strategies to address worms, trojans

I think so too. From what I've read of XP SP2, MS is rewriting its entire RPC system to slow the tide of vulnerabilities based on the current system's atrocious bounds checking. SP2 will contain a chunk of the rewrite. Maybe then they'll finally be able to go a month without a security update -- December was supposed to be the first month they did that but they had a couple anyway.

Practically nobody on your side talks about stability anymore.

They've made some great strides on the desktop. My XP system only freaks out once or twice a week with normal use, which is much better than 98 or 2000. But with servers, Windows still can't touch Linux or BSD for continuous uptime.

There's nothing wrong with the design of Windows

To begin with, there are the DLLs which cause conflict and require reboots after updates (say hello to downtime). Then there's the lack of the Unix equivalent of the separation of Administrator and Root so if you want to do anything, you're running with more privileges than you need. Then you have various installers that turn on services previously turned off.

If Linux users were to run as administrator and execute unsafe code, they would be infected with the same worms, viruses, and trojans.

You've forgotten already? Linux users often run as administrator, but still aren't vulnerable to many exploits. This is because administrator in Linux doesn't have the total system control that administrator in Windows does. This is one of the architectural flaws in Windows.

56 posted on 01/11/2004 2:20:58 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 41 | View Replies]

To: Gunslingr3
Gunslingr3 wrote:
Do you know of an article that actually details the flaw and how it can be exploited?
This particular flaw in the VM system is described at http://isec.pl/vulnerabilities/isec-0013-mremap.txt.

That doesn't really detail the vulnerability or the exploit, only the underlying flaw in the virtual memory remap routine that allows an exploit.

To exploit this flaw, you need to have access to a user account on the target machine, and a way to compile programs for execution on the target machine (you could compile them elsewhere and transfer them to the target machine, though). If you have that, and you successfully exploit the somewhat unpredictable behavior of the VM system, you can under some circumstances execute code of your own choosing at the kernel level, possibly granting yourself root access or doing other things that are beyond what is allowed your account's access privileges.

By itself, this is a pretty limited vulnerability. To exploit this vulnerability, an attacker would have to use other means to gain access to a user account on the target machine before the attacker could launch an attack.

57 posted on 01/11/2004 2:22:49 PM PST by cc2k
[ Post Reply | Private Reply | To 6 | View Replies]

To: Bush2000
Uh, you're the one who's reaching. All I'm asking you to do is provide a single example where this is the case. Is this really too much of a stretch for you?!?

I can't provide it because they didn't provide the details of the methodology. All we can go off is why did they put a disclaimer there? Should I take my five year old to a movie with a disclaimer of "May contain scenes of graphic violence and nudity"? There was a "may" so there's still a chance the movie is G rated, right? Total BS.

58 posted on 01/11/2004 2:24:30 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 49 | View Replies]

To: Bush2000
Sorry, like you earlier, I was thinking Web. Linux is dominant and going up, while Windows is going down.
59 posted on 01/11/2004 2:43:06 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 51 | View Replies]

To: Bush2000
Certainly having a default administrator setting for a user is an issue -- but it isn't an operating system design flaw.

Yes it is. They could have administrator and root like with Linux and Mac. 99%+ of Mac users don't even know root exists, yet they can do everything they generally need to do with their computers.

60 posted on 01/11/2004 2:45:02 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 54 | View Replies]

