Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Flaws raise red flag on Linux security
ComputerWorld ^ | JANUARY 09, 2004 | Jaikumar Vijayan

Posted on 01/10/2004 12:20:46 PM PST by Bush2000

Flaws raise red flag on Linux security

But many users remain confident about the security of the open-source environment

Story by Jaikumar Vijayan

JANUARY 09, 2004 ( COMPUTERWORLD ) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.

Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems (see story). The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.

The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.

The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server that was being used to download copies of Gentoo's Linux source code by users.

The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.

"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."

Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.

"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.

"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.

Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.

"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."


TOPICS: Business/Economy; Culture/Society; Front Page News; Technical
KEYWORDS: computersecurity; linux; lowqualitycrap
Navigation: use the links below to view more comments.
first previous 1-20 ... 41-6061-8081-100 ... 181-186 next last
To: Bush2000
http://www.kb.cert.org/vuls/id/363715 CAN-2002-0071 Microsoft Internet Information Server (IIS) vulnerable to heap overflow during processing of crafted ".htr" request by "ISM.DLL" ISAPI filter
http://www.kb.cert.org/vuls/id/883091 CAN-2002-0074 Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility
http://www.kb.cert.org/vuls/id/886699 CAN-2002-0148 Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in HTTP error page results
http://www.kb.cert.org/vuls/id/520707 CAN-2002-0075 Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in redirect response messages
http://www.kb.cert.org/vuls/id/412203 CAN-2002-0073 Microsoft Internet Information Server (IIS) vulnerable to DoS via malformed FTP connection status request
http://www.kb.cert.org/vuls/id/454091 CAN-2002-0150 Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields
http://www.kb.cert.org/vuls/id/721963 CAN-2002-0149 Microsoft Internet Information Server (IIS) buffer overflow in server-side includes (SSI) containing long invalid file name
http://www.kb.cert.org/vuls/id/521059 CAN-2002-0072 Microsoft Internet Information Server (IIS) vulnerable to DoS when URL request exceeds maximum allowed length
http://www.kb.cert.org/vuls/id/610291 CAN-2002-0079 Microsoft Internet Information Server (IIS) buffer overflow in chunked encoding transfer mechanism
http://www.kb.cert.org/vuls/id/669779 CAN-2002-0147 Microsoft Internet Information Server (IIS) buffer overflow in chunked encoding transfer mechanism

and that just for one cert..
61 posted on 01/11/2004 2:48:10 PM PST by N3WBI3
[ Post Reply | Private Reply | To 55 | View Replies]

To: Bluntpoint
I am going to Lindows 4.5 next week on my personal computer.

Sorry, I can't help you. I've never done Lindows. I've heard good things though if you you're an average user who wants to transition from Windows without much headache.

62 posted on 01/11/2004 2:51:59 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 48 | View Replies]

To: N3WBI3
There you go again: Attributing flaws in IIS to Windows. You do realize that IIS is a server-based web server, right? You might as well talk about Apache, if you're going to talk about IIS.
63 posted on 01/11/2004 2:52:25 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 61 | View Replies]

To: antiRepublicrat
But with servers, Windows still can't touch Linux or BSD for continuous uptime.

As long as you cover your eyes and forget about the last two critical Linux kernel vulnerabilities.

To begin with, there are the DLLs which cause conflict and require reboots after updates (say hello to downtime).

Actually, these don't require a reboot. The DLLs can actually be renamed and replaced. The fact that the installer asks you to reboot is really a bug in the installer.

Then there's the lack of the Unix equivalent of the separation of Administrator and Root so if you want to do anything, you're running with more privileges than you need. Then you have various installers that turn on services previously turned off.

Wrong. You can create Windows users with arbitrarily complex masks of capabilities -- which provides the same functionality.
64 posted on 01/11/2004 2:56:39 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 56 | View Replies]

To: Bush2000
Bush, here's one you'll like. After Israel's finance ministry threatened to move to Linux because MS was far too expensive, MS brought out the big guns (and possibly the slush fund too) to get them to stay.

People are getting tired of Microsoft's normal terms, high prices and bundling, and they're looking to switch. Looks like all you need to get terms and prices amenable to you from Microsoft is to threaten to switch. Still, I wonder what's going to happen at the next Software Assurance cycle.
65 posted on 01/11/2004 2:57:00 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
My numbers for linux included Apache, OpenSSL, ... as did all of your numbers when talking about Linux.. I unlike you compare apples to apples..
66 posted on 01/11/2004 2:57:14 PM PST by N3WBI3
[ Post Reply | Private Reply | To 63 | View Replies]

To: antiRepublicrat
Yes it is. They could have administrator and root like with Linux and Mac. 99%+ of Mac users don't even know root exists, yet they can do everything they generally need to do with their computers.

As with SwordMaker, don't make the mistake of assuming that, because your Windows box comes preconfigured with you as Administrator that it's a flaw in the OS. It ain't. Dell or whoever configured the box made that choice for their own convenience.
67 posted on 01/11/2004 2:58:42 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 60 | View Replies]

To: antiRepublicrat
Bush, here's one you'll like. After Israel's finance ministry threatened to move to Linux because MS was far too expensive, MS brought out the big guns (and possibly the slush fund too) to get them to stay.

This is a reasonable thing for customers to do. And you guys shouldn't be bothered by the existence of a slush fund. After all, you're dumping a product into the market at below cost. You should have nothing to complain about there.
68 posted on 01/11/2004 3:00:05 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 65 | View Replies]

To: N3WBI3
My numbers for linux included Apache, OpenSSL, ... as did all of your numbers when talking about Linux.. I unlike you compare apples to apples..

For the millionth time, it has nothing to do with Windows.
69 posted on 01/11/2004 3:00:57 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 66 | View Replies]

To: Bush2000
As long as you cover your eyes and forget about the last two critical Linux kernel vulnerabilities.

You mean like the one you don't have to apply if there's physical security for the system, as is for most server farms? I don't know enough about these particular bugs, do you have to reboot after applying the patches?

Actually, these don't require a reboot. The DLLs can actually be renamed and replaced. The fact that the installer asks you to reboot is really a bug in the installer.

Then it's been a bug for many years, and even Microsoft isn't that bad. The fact is that if you don't reboot you risk DLL Hell, and some things do absolutely require reboots.

You can create Windows users with arbitrarily complex masks of capabilities -- which provides the same functionality

Then from the point of any user except for places where a Windows expert has taken hours to create a new group, it's a flaw.

70 posted on 01/11/2004 3:04:11 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 64 | View Replies]

To: Bush2000
After all, you're dumping a product into the market at below cost.

No, they're using free software and selling services. You apparently only understand the proprietary software model -- there is another viable one. But in the end this is good, as it forces Microsoft to be more competitive, lessening its usual monopolistic attitude and practices.

71 posted on 01/11/2004 3:06:53 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 68 | View Replies]

To: antiRepublicrat
You mean like the one you don't have to apply if there's physical security for the system, as is for most server farms? I don't know enough about these particular bugs, do you have to reboot after applying the patches?

Most hacks occur by insiders -- not external users. I'm not surprised that you wouldn't know this -- or care.

Then from the point of any user except for places where a Windows expert has taken hours to create a new group, it's a flaw.

Again, you show your ignorance. There are widely available tools which make creating a user with a custom rights mask no more difficult than point and click.
72 posted on 01/11/2004 3:10:23 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 70 | View Replies]

To: antiRepublicrat
No, they're using free software and selling services. You apparently only understand the proprietary software model -- there is another viable one. But in the end this is good, as it forces Microsoft to be more competitive, lessening its usual monopolistic attitude and practices.

I'm sure you'd like to paint it that way but the fact of the matter is that many vendors are selling Linux. And the rest are dumping the product onto the market at below cost.
73 posted on 01/11/2004 3:11:13 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 71 | View Replies]

To: antiRepublicrat
Gee, I wonder whether Amazon or the FBI or the CIA or the NSA would care about a local exploit capability in the Linux kernel.... /SARCASM
74 posted on 01/11/2004 3:28:56 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 71 | View Replies]

To: All
In case anyone is interested in learning more about security templates in Windows, here's a link:

Windows security templates

Follow the links to obtain pointers to tools that can edit the templates.
75 posted on 01/11/2004 3:43:52 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bush2000
Bush2000 wrote:
There you go again: Attributing flaws in IIS to Windows. You do realize that IIS is a server-based web server, right? You might as well talk about Apache, if you're going to talk about IIS.
Ah, yes. The usual "but-it-isn't-Windows defense. This game is getting a little tired. You guys constantly slam Linux security over things such as Apache, WUFTP, and other applications that aren't part of the Linux kernel, including some really obscure and rarely used applications like ISDN voice response systems and command line MP3 players. And then you have the gall to turn around and say that, because Outlook Express, Internet Explorer, SQL Server, IIS , and countless other Windows OS Components and add-ons and applications distributed by Microsoft that are often distributed as part of the "Windows Operating System" (IE and OE), or as part of a "Plus Pack," or as part of a "solution suite" specifically designed for use with the Windows operating system, that it "isn't Windows". See how this little game works?1

Bush2000, you seem to be the one that wants it both ways here. Your position seem highly hypocritical.

If you want to make apples to apples comparisons, or oranges to oranges comparisons, that's fair. For example, it's fair compare security issues with the Linux Kernel (only) with security issues with the Windows Operating System (only). It's also fair to compare Linux/Apache/MySQL with Windows/IIS/SQL Server, or Linux/Mozilla with Windows/Internet Explore/Outloook Express.

However, you want to compare every patch and security update released by any Linux distributor to only those security patches from Microsoft that deal with the Windows Kernel. That's not a fair comparison. A fair comparison would be every security patch from a Linux distributor compared to every security patch from Microsoft for any Windows related product.

And don't deny that you do this. For example, on another thread Friday, you gave a list of "Linux" security patches from Debian, and the first security patch on your list showing "Linux vulnerabilities" was a patch for a voice response system for ISDN connections, a package which is rarely installed, requires special hardware, and the exploit required a user account on the target machine with sufficient access to write scripts for the system. The exploit allowed such a user on such a system to escalate their privileges and possibly gain root access to the system.


1. This paragraph adapted from http://www.freerepublic.com/focus/f-news/1053778/posts?page=37#37 by Bush2000

76 posted on 01/11/2004 4:18:49 PM PST by cc2k
[ Post Reply | Private Reply | To 63 | View Replies]

To: Bush2000
Then stop using apache and open_ssl in Linux
77 posted on 01/11/2004 4:31:40 PM PST by N3WBI3
[ Post Reply | Private Reply | To 69 | View Replies]

To: cc2k
Thanks, I appreciate you taking the time to reply.
78 posted on 01/11/2004 4:39:58 PM PST by Gunslingr3
[ Post Reply | Private Reply | To 57 | View Replies]

To: Bush2000
I'm sure you'd like to paint it that way but the fact of the matter is that many vendors are selling Linux. And the rest are dumping the product onto the market at below cost.

Your ignorance. General Public License: "You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee."

You can't sell Linux, but you can sell services related to it. This is the basis for the whole business model you can't understand.

79 posted on 01/11/2004 5:16:00 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 73 | View Replies]

To: Bush2000
Most hacks occur by insiders -- not external users.

Do you count ILoveYou, SQL Slammer and Sobig in those statistics, or do you treat each as one instance?

There are widely available tools which make creating a user with a custom rights mask no more difficult than point and click.

I didn't know that, but I'm not surprised at others making up for Microsoft's laxity. Same with the IIS wrappers we use. We always made our own accounts.

80 posted on 01/11/2004 5:19:32 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 72 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-20 ... 41-6061-8081-100 ... 181-186 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson