Free Republic
Flaws raise red flag on Linux security
ComputerWorld ^ | JANUARY 09, 2004 | Jaikumar Vijayan

Posted on 01/10/2004 12:20:46 PM PST by Bush2000



To: Bush2000
Gee, I wonder whether Amazon or the FBI or the CIA or the NSA would care about a local exploit capability in the Linux kernel

Did either of these people use a privilege elevation exploit? In the Australian case, why did he have an account to elevate in the first place?

81 posted on 01/11/2004 5:22:39 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 74 | View Replies]

To: Bush2000
There you go again: Attributing flaws in IIS to Windows. You do realize that IIS is a server-based web server, right? You might as well talk about Apache, if you're going to talk about IIS.

You don't want to do that. If you take a W2K server with IIS and compare it to basic GNU/Linux with Apache, set up to be only a Web server, the Windows installation will have far more vulnerabilities.

82 posted on 01/11/2004 5:27:01 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 63 | View Replies]

To: antiRepublicrat
You can't sell Linux, but you can sell services related to it. This is the basis for the whole business model you can't understand.

Oh, I certainly understand it. Develop a product for some non-zero cost, tell people they can sell it (if they can) or dump it into the market at below cost.
83 posted on 01/11/2004 6:23:54 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 79 | View Replies]

To: N3WBI3
Then stop using apache and open_ssl in Linux

That would include the vast majority of Linux web servers.
84 posted on 01/11/2004 6:24:36 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 77 | View Replies]

To: antiRepublicrat
IIS ain't turned on by default -- and it's used by servers (not desktops), so there's really no point in blathering about a non-threat.
85 posted on 01/11/2004 6:26:11 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 82 | View Replies]

To: Bush2000
And AD, IIS, and MSSQL are most Microsoft servers.
86 posted on 01/11/2004 6:26:46 PM PST by N3WBI3
[ Post Reply | Private Reply | To 84 | View Replies]

To: antiRepublicrat
Do you count ILoveYou, SQL Slammer and Sobig in those statistics, or do you treat each as one instance?

Those are primarily, for all practical purposes, denial of service attacks. The statistics that I'm talking about deal with network intrusions, where hackers intend to steal information and/or commit fraud.

I didn't know that, but I'm not surprised at others making up for Microsoft's laxity. Same with the IIS wrappers we use. We always made our own accounts.

Time to update your resume: MS has tools to do precisely what I described.
87 posted on 01/11/2004 6:46:19 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 80 | View Replies]

To: antiRepublicrat
Did either of these people use a privilege elevation exploit? In the Australian case, why did he have an account to elevate in the first place?

You don't need an account. A kernel buffer overflow can be hijacked to create an account with elevated privilege.
88 posted on 01/11/2004 6:48:18 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 81 | View Replies]

To: Bush2000
It ain't. Dell or whoever configured the box made that choice for their own convenience.

That's the default, even if you buy Windows and install it. I wouldn't be surprised if the OEM contracts preclude this messing around with the defaults.

Meanwhile, Linux and Mac come relatively secure out of the box. This problem of poor default security settings, except for the administrator problem, will be somewhat alleviated in XP SP2.

89 posted on 01/11/2004 6:50:56 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 67 | View Replies]

To: Bush2000
For the millionth time, it has nothing to do with Windows

For the millionth time, these are things that are included with Windows by default, and often you don't even know it. While I was working at a regional security emergency response team (overseeing mostly Windows boxes, over 50,000 of them), one of the problems we came across was that IIS would be installed by accident if you installed other components. This was a problem in that organization since running web services was forbidden without permission.

90 posted on 01/11/2004 6:55:00 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 69 | View Replies]

To: cc2k
Bush2000, you seem to be the one that wants it both ways here. Your position seems highly hypocritical.

Not at all. I just want us to make fair comparisons.

If you want to make apples to apples comparisons, or oranges to oranges comparisons, that's fair. For example, it's fair to compare security issues with the Linux kernel (only) with security issues with the Windows operating system (only). It's also fair to compare Linux/Apache/MySQL with Windows/IIS/SQL Server, or Linux/Mozilla with Windows/Internet Explorer/Outlook Express.

Agreed.

And don't deny that you do this. For example, on another thread Friday, you gave a list of "Linux" security patches from Debian, and the first security patch on your list showing "Linux vulnerabilities" was a patch for a voice response system for ISDN connections, a package which is rarely installed, requires special hardware, and the exploit required a user account on the target machine with sufficient access to write scripts for the system. The exploit allowed such a user on such a system to escalate their privileges and possibly gain root access to the system.

I will agree not to attribute flaws in Linux add-ons to Linux, provided that your side agrees not to do the same with Windows. But, frankly, I'm not all that hopeful that it will happen ... because your side routinely posts statements like "The best course of action would be to format your drive and install Debian/Mandrake" in response to an IE or Outlook Express bug; as if IE or Outlook Express were equivalent to "Windows" and the only solution were to replace it with "Linux". See what I mean?
91 posted on 01/11/2004 6:55:03 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 76 | View Replies]

To: antiRepublicrat
That's the default, even if you buy Windows and install it.

Practically nobody buys Windows retail and installs it themselves. This is the domain of geeks only. Windows installs a single account when you install it yourself: an administrator account. It doesn't force the installer to run as administrator. The installer is able to create a lower-privilege account at any time.

I wouldn't be surprised if the OEM contracts preclude this messing around with the defaults.

Nope. Dell, Gateway, and other OEMs are able to customize practically any aspect of Windows. The reason that they choose not to, by default, is that (as I said before) they know from experience that having a user run as a lower-privileged user will result in a greater number of support calls when the user tries to install ProductA, discovers that ProductA won't install, and calls Dell/etc asking why they can't install ProductA. It's simply a higher support burden for Dell to create a restricted user account by default.

Meanwhile, Linux and Mac come relatively secure out of the box.

Linux is the province of geeks only. Practically no desktop users are using it. So, it's of marginal interest for purposes of comparison. Servers are made to be custom-configured. This isn't an issue on servers at all.

This problem of poor default security settings, except for the administrator problem, will be somewhat alleviated in XP SP2.

The "administrator problem", as you call it, needs to be solved by OEMs, not Microsoft.
92 posted on 01/11/2004 7:05:22 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 89 | View Replies]

To: antiRepublicrat
For the millionth time, these are things that are included with Windows by default, and often you don't even know it. While I was working at a regional security emergency response team (overseeing mostly Windows boxes, over 50,000 of them), one of the problems we came across was that IIS would be installed by accident if you installed other components. This was a problem in that organization since running web services was forbidden without permission.

Coming from a guy who doesn't even know about Windows security templates, I'm not surprised you don't know what's running on your servers.
93 posted on 01/11/2004 7:06:57 PM PST by Bush2000 (tro)
[ Post Reply | Private Reply | To 90 | View Replies]

To: Bush2000
In case anyone is interested in learning more about security templates in Windows, here's a link: Windows security templates. Follow the links to obtain pointers to tools that can edit the templates.

We used to make them ourselves. Unfortunately, locking Windows down enough to make us somewhat happy with the security (they were locked down hard) caused a lot of support calls when people couldn't do various things on their machines. We had several baselines for several computer roles with different things locked down, but it still caused problems.

We didn't really have that problem with the Sun, HP/UX and Linux systems.

94 posted on 01/11/2004 7:08:26 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 75 | View Replies]

To: cc2k
A fair comparison would be every security patch from a Linux distributor compared to every security patch from Microsoft for any Windows related product.

I think a fairer comparison would be the usual configuration for a specific role. For Web it would likely be Win/IIS/MSSQL or Linux/Apache/PHP/MySQL. For desktop it would likely be Windows/Office/IE vs. Linux/OpenOffice/Mozilla. etc. I can tell you now the Linux desktop is far more secure. At least you won't get hacked while trying to download clipart.

95 posted on 01/11/2004 7:12:08 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 76 | View Replies]

To: Bush2000
Develop a product for some non-zero cost, tell people they can sell it (if they can)

Okay, let's try this again, it is illegal to sell something under the GPL, such as Linux. BTW, it is not a non-zero cost, as millions of programming hours by otherwise high-paid programmers go into Linux. The only difference is that this time and talent is donated in the very American spirit of volunteerism.

Before you go off on Finland again, Linux may have originated there, but the license it is under -- and the whole spirit of free software -- was originated by an American.

96 posted on 01/11/2004 7:17:07 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 83 | View Replies]

To: Bush2000
IIS ain't turned on by default -- and it's used by servers (not desktops),

Actually, read my other post about accidental enabling of IIS on desktops when installing other services. Our first hint was a rash of unauthorized IIS boxes popping up all over the place (we scanned with ISS regularly).

97 posted on 01/11/2004 7:19:02 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 85 | View Replies]
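The "rash of unauthorized IIS boxes" described in the post above is the kind of thing a periodic banner sweep catches. The following is an added example, not code from the thread and not a stand-in for the ISS scanner the poster mentions: it takes recorded HTTP response heads (constructed here to look like what a probe of an internal /24 might return, including an IIS 5.1 banner, which is the IIS version bundled with Windows XP Professional), extracts the Server header, and flags any host answering with a web server banner that is not on an approved list. The approved-host list, the addresses and the responses are all assumptions made up for the example.

```python
"""Flag hosts that answer HTTP with a web server banner but are not approved
to run a web service. Added example; the approved list, hosts and responses
below are constructed for illustration, not real scan data."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed approved list: hosts with permission to run a web service.
APPROVED_WEB_HOSTS = frozenset({"10.0.5.10", "10.0.5.11"})


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    server: str
    product: str
    reason: str


def build_head_request(host: str) -> bytes:
    """Minimal HTTP/1.0 HEAD probe; HEAD avoids pulling a response body."""
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_server_header(raw: bytes) -> str | None:
    """Return the Server header value from a raw HTTP response head, or None
    if the bytes are not an HTTP response. Tolerates CRLF or bare LF line
    endings and any capitalisation of the header name."""
    text = raw.decode("iso-8859-1")  # byte-transparent; never raises
    head = text.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify_server(server: str | None) -> str:
    """Map a Server banner to a coarse product name."""
    if server is None:
        return "unknown"
    s = server.lower()
    if "microsoft-iis" in s:
        return "iis"
    if s.startswith("apache"):
        return "apache"
    return "other"


def evaluate(host: str, port: int, raw: bytes,
             approved=APPROVED_WEB_HOSTS) -> Finding | None:
    """One finding per host that speaks HTTP without approval, else None."""
    server = parse_server_header(raw)
    product = classify_server(server)
    if product == "unknown":
        return None  # no HTTP response head: not a web server as far as we can tell
    if host in approved:
        return None
    if product == "iis":
        reason = "IIS responding on host not approved to run web services"
    else:
        reason = "web server responding on host not approved to run web services"
    return Finding(host, port, server or "", product, reason)


# Constructed probe results: (host, port, raw response head) as a sweep
# tool would record them. Approved host, two stray IIS boxes, an Apache
# box, and one port that answered with a TLS alert rather than HTTP.
SAMPLE_RESPONSES = [
    ("10.0.5.10", 80, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.7.23", 80, b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDate: Sun, 11 Jan 2004 19:19:02 GMT\r\n\r\n"),
    ("10.0.7.88", 80, b"HTTP/1.1 403 Forbidden\r\nserver: Microsoft-IIS/5.1\r\n\r\n"),
    ("10.0.9.4", 80, b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\n\r\n"),
    ("10.0.9.5", 80, b"\x15\x03\x01\x00\x02\x02\x0a"),
]


def scan_results(results=SAMPLE_RESPONSES,
                 approved=APPROVED_WEB_HOSTS) -> list[Finding]:
    """Run evaluate() over recorded probe results and collect the findings."""
    return [f for host, port, raw in results
            if (f := evaluate(host, port, raw, approved)) is not None]


if __name__ == "__main__":
    for f in scan_results():
        print(f"{f.host}:{f.port} {f.product} ({f.server}) - {f.reason}")
```

Banner matching is a first pass only: a Server header can be rewritten or suppressed, so an unapproved host with no banner still deserves a look, and an approved host running a version it should not be running is a separate check against the patch baseline rather than against the approved list.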

To: Bush2000
The statistics that I'm talking deal with network intrusions, where hackers intend to steal information and/or commit fraud.

And the ones I'm talking about are any time someone compromises your box.

Time to update your resume: MS has tools to do precisely what I described.

They're not good enough. IISLockdown for example, was only our starting point.

98 posted on 01/11/2004 7:21:35 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 87 | View Replies]

To: Bush2000
"The best course of action would be to format your drive and install Debian/Mandrake" in response to an IE or Outlook Express bug; as if IE or Outlook Express were equivalent to "Windows" and the only solution were to replace it with "Linux". See what I mean?

This is an overly extreme solution too often suggested by Linux zealots. But in this case only a partial move away from Microsoft is necessary -- dump both and use Mozilla. Wait, you can't dump IE, oops. But you can cut your exposure a bit by at least not using it.

99 posted on 01/11/2004 7:24:46 PM PST by antiRepublicrat
[ Post Reply | Private Reply | To 91 | View Replies]

To: Bush2000
But many users remain confident about the security of the open-source environment

In other news, the Titanic entered the frigid waters of the north Atlantic at full speed. Asked about the dangers of icebergs, the captain dismissed the subject with a wave. "She's unsinkable," he said.

100 posted on 01/11/2004 7:28:39 PM PST by the invisib1e hand (do not remove this tag under penalty of law.)
[ Post Reply | Private Reply | To 1 | View Replies]

