Flaws raise red flag on Linux security

ComputerWorld ^ | JANUARY 09, 2004 | Jaikumar Vijayan

[Bush2000]

Flaws raise red flag on Linux security

But many users remain confident about the security of the open-source environment

Story by Jaikumar Vijayan

JANUARY 09, 2004 ( COMPUTERWORLD ) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.

Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems (see story). The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.

The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.

The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server that was being used to download copies of Gentoo's Linux source code by users.

The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.

"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."

Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.

"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.

"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.

Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.

"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."

[antiRepublicrat]

Gee, I wonder whether Amazon or the FBI or the CIA or the NSA would care about a local exploit capability in the Linux kernel

Did either of these people use a privilege elevation exploit? In the Australian case, why did he have an account to elevate in the first place?

[antiRepublicrat]

There you go again: Attributing flaws in IIS to Windows. You do realize that IIS is a server-based web server, right? You might as well talk about Apache, if you're going to talk about IIS.

You don't want to do that. If you take a W2K server with IIS and compare it to basic GNU/Linux with Apache, set up to be only a Web server, the Windows installation will have far more vulnerabilities.

[Bush2000]

You can't sell Linux, but you can sell services related to it. This is the basis for the whole business model you can't understand.

Oh, I certainly understand it. Develop a product for some non-zero cost, tell people they can sell it (if they can) or dump it into the market at below cost.

[Bush2000]

Then stop using apache and open_ssl in Linux

That would include the vast majority of Linux web servers.

[Bush2000]

IIS ain't turned on by default -- and it's used by servers (not desktops), so there's really no point in blathering about a non-threat.

[N3WBI3]

And AD, IIS, and MSSQL are most microsoft servers..

[Bush2000]

Do you count ILoveYou, SQL Slammer and Sobig in those statistics, or do you treat each as one instance?

Those are primarily, for all practical purposes, denial of service attacks. The statistics that I'm talking deal with network intrusions, where hackers intend to steal information and/or commit fraud.

I didn't know that, but I'm not surprised at others making up for Microsoft's laxity. Same with the IIS wrappers we use. We always made our own accounts.

Time to update your resume: MS has tools to do precisely what I described.

[Bush2000]

Did either of these people use a privilege elevation exploit? In the Australian case, why did he have an account to elevate in the first place?

You don't need an account. A kernel buffer overflow can be hijacked to create an account with elevated privilege.

[antiRepublicrat]

It ain't. Dell or whoever configured the box made that choice for their own convenience.

That's the default, even if you buy Windows and install it. I wouldn't be surprised if the OEM contracts preclude this messing around with the defaults.

Meanwhile, Linux and Mac come relatively secure out of the box. This problem of poor default security settings, except for the administrator problem, will be somewhat alleviated in XP SP2.

[antiRepublicrat]

For the millionth time, it has nothing to do with Windows

For the millionth time, these are things that are included with Windows by default, and often you don't even know it. While I was working at a regional security emergency response team (overseeing mostly Windows boxes, over 50,000 of them), one of the problems we came across was that IIS would be installed by accident if you installed other components. This was a problem in that organization since running web services was forbidden without permission.

[Bush2000]

Bush2000, you seem to be the one that wants it both ways here. Your position seem highly hypocritical.

Not at all. I just want us to make fair comparisons.

If you want to make apples to apples comparisons, or oranges to oranges comparisons, that's fair. For example, it's fair compare security issues with the Linux Kernel (only) with security issues with the Windows Operating System (only). It's also fair to compare Linux/Apache/MySQL with Windows/IIS/SQL Server, or Linux/Mozilla with Windows/Internet Explore/Outloook Express.

Agreed.

And don't deny that you do this. For example, on another thread Friday, you gave a list of "Linux" security patches from Debian, and the first security patch on your list showing "Linux vulnerabilities" was a patch for a voice response system for ISDN connections, a package which is rarely installed, requires special hardware, and the exploit required a user account on the target machine with sufficient access to write scripts for the system. The exploit allowed such a user on such a system to escalate their privileges and possibly gain root access to the system.

I will agree not to attribute flaws in Linux add-ons to Linux, provided that your side agrees not to do the same with Windows. But, frankly, I'm not all that hopeful that it will happen ... because your side routinely posts statements like "The best course of action would be to format your drive and install Debian/Mandrake" in response to an IE our Outlook Express bug; as if IE or Outlook Express were equivalent to "Windows" and the only solution were to replace it with "Linux". See what I mean?

[Bush2000]

That's the default, even if you buy Windows and install it.

Practically nobody buys Windows retail and installs it themselves. This is the domain of geeks only. Windows installs a single account when you install it yourself: an administrator account. It doesn't force the installer to run as administrator. The installer is able to create a lower-privilege account at any time.

I wouldn't be surprised if the OEM contracts preclude this messing around with the defaults.

Nope. Dell, Gateway, and other OEMs are able to customize practically any aspect of Windows. The reason that they choose not to, by default, is that (as I said before) they know from experience that having a user run as a lower-privileged user will result in a greater number of support calls when the user tries to install ProductA, discovers that ProductA won't install, and calls Dell/etc asking why they can't install ProductA. It's simply a higher support burden for Dell to create a restricted user account by default.

Meanwhile, Linux and Mac come relatively secure out of the box.

Linux is the province of geeks only. Practically no desktop users are using it. So, it's of marginal interest for purposes of comparison. Servers are made to be custom-configured. This isn't an issue on servers at all.

This problem of poor default security settings, except for the administrator problem, will be somewhat alleviated in XP SP2.

The "administrator problem", as you call it, needs to be solved by OEMs, not Microsoft.

[Bush2000]

For the millionth time, these are things that are included with Windows by default, and often you don't even know it. While I was working at a regional security emergency response team (overseeing mostly Windows boxes, over 50,000 of them), one of the problems we came across was that IIS would be installed by accident if you installed other components. This was a problem in that organization since running web services was forbidden without permission.

Coming from a guy who doesn't even know about Windows security templates, I'm not surprised you don't know what's running on your servers.

[antiRepublicrat]

In case anyone is interested in learning more about security templates in Windows, here's a link: Windows security templates Follow the links to obtain pointers to tools that can edit the templates

We used to make them ourselves. Unfortunately to lock Windows down enough to make us somewhat happy with the security (they were locked down hard) caused a lot of support calls when people couldn't do various things on their machines. We had several baselines for several computer roles with different things locked down, but it still caused problems.

We didn't really have that problem with the Sun, HP/UX and Linux systems.

[antiRepublicrat]

A fair comparison would be every security patch from a Linux distributor compared to every security patch from Microsoft for any Windows related product.

I think a fairer comparison would be the usual configuration for a specific role. For Web it would likely be Win/IIS/MSSQL or Linux/Apache/PHP/MySQL. For desktop it would likely be Windows/Office/IE vs. Linux/OpenOffice/Mozilla. etc. I can tell you now the Linux desktop is far more secure. At least you won't get hacked while trying to download clipart.

[antiRepublicrat]

Develop a product for some non-zero cost, tell people they can sell it (if they can)

Okay, let's try this again, it is illegal to sell something under the GPL, such as Linux. BTW, it is not a non-zero cost, as millions of programming hours by otherwise high-paid programmers go into Linux. The only difference is that this time and talent is donated in the very American spirit of volunteerism.

Before you go off on Finland again, Linux may have originated there, but the license it is under -- and the whole spirit of free software -- was originated by an American.

[antiRepublicrat]

IIS ain't turned on by default -- and it's used by servers (not desktops),

Actually, read my other post about accidental enabling of IIS on desktops when installing other services. Our first hint was a rash of unauthorized IIS boxes popping up all over the place (we scanned with ISS regularly).

[antiRepublicrat]

The statistics that I'm talking deal with network intrusions, where hackers intend to steal information and/or commit fraud.

And the ones I'm talking about are any time someone compromises your box.

Time to update your resume: MS has tools to do precisely what I described.

They're not good enough. IISLockdown for example, was only our starting point.

[antiRepublicrat]

"The best course of action would be to format your drive and install Debian/Mandrake" in response to an IE our Outlook Express bug; as if IE or Outlook Express were equivalent to "Windows" and the only solution were to replace it with "Linux". See what I mean

This is an overly extreme solution too often suggested by Linux zealots. But in this case only a partial move away from Microsoft is necessary -- dump both and use Mozilla. Wait, you can't dump IE, oops. But you can cut your exposure a bit by at least not using it.

[the invisib1e hand]

But many users remain confident about the security of the open-source environment

in other news, the Titanic entered the frigid waters of the north Atlantic at full speed. Asked about the dangers of icebergs, the captain dismissed the subject with wave. "She's unsinkable," he said.