Software flaw threatens Linux servers
C|Net ^ | November 28, 2001, 1:50 p.m. PT | Robert Lemos

Posted on 11/28/2001 1:28:10 PM PST by Don Joe

By Robert Lemos
Staff Writer, CNET News.com

A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.

"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.

"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."

The software flaw affects all versions of wu-FTP, a program originally created at Washington University in St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.

While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Conectiva, Cobalt Networks, MandrakeSoft and WireX.

The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.

Huger called the flaw "serious."

The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.

While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.

Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.

"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.

"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
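The article's practical point is that the flaw is reachable by anyone who can log in to the FTP service, and that anonymous access makes "anyone" mean the whole Internet. The script below is an added example, not part of the CNET article and not from any vendor: it reads the FTP greeting, tries an anonymous login, and turns the two observations into a triage label. The sample banners are constructed, the wu-ftpd greeting format is assumed from the "(Version wu-x.y.z)" string wu-ftpd prints by default, and the hostnames are placeholders. A banner check is only triage: administrators can suppress or edit the greeting, so "not-wuftpd" is not proof of safety, and the fix is the vendor patch, not anything this script does.

```python
import re
from ftplib import FTP, error_perm, error_temp

# Constructed sample greetings (not captured from any real host).
SAMPLE_BANNERS = [
    "220 ftp.example.test FTP server (Version wu-2.6.1-18) ready.",
    "220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [ftp.example.test]",
    "220 (vsFTPd 2.0.7)",
    "220 Welcome",  # banner stripped by the admin: tells us nothing
]

# Assumed wu-ftpd greeting shape: "... (Version wu-<ver>[-<release>]) ready."
WU_RE = re.compile(r"\bwu-(\d+(?:\.\d+)*(?:-\d+)?)", re.IGNORECASE)


def parse_wuftpd_version(banner):
    """Return the wu-ftpd version string if the greeting looks like wu-ftpd, else None."""
    m = WU_RE.search(banner)
    return m.group(1) if m else None


def assess(banner, anonymous_ok):
    """Combine greeting and login result into a triage label.

    The article's point: the bug is reachable by anyone who can reach the FTP
    service, and anonymous access makes that everyone on the Internet. The
    article names all versions as affected, so no version is treated as safe.
    """
    if parse_wuftpd_version(banner) is None:
        return "not-wuftpd"  # or banner suppressed: verify by other means
    return "wuftpd-anonymous-reachable" if anonymous_ok else "wuftpd-auth-required"


def triage_samples():
    """Run the assessment over the constructed banners, assuming anonymous login works."""
    return {b: assess(b, True) for b in SAMPLE_BANNERS}


def probe(host, port=21, timeout=5.0):
    """Live check against one host. Only run this against hosts you are
    authorized to test. Returns (banner, anonymous_ok, label)."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    banner = ftp.getwelcome()
    try:
        ftp.login("anonymous", "probe@example.test")  # placeholder e-mail as password
        anon = True
    except (error_perm, error_temp):
        anon = False
    finally:
        try:
            ftp.quit()
        except (OSError, EOFError):
            pass
    return banner, anon, assess(banner, anon)


if __name__ == "__main__":
    for banner, label in triage_samples().items():
        print(f"{label:28s} {banner}")
```

Use `probe("ftp.example.test")` for a live host; the login attempt is a normal anonymous login, not an exploit, and it does nothing the article's "anyone on the Internet" could not already do.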


TOPICS: Culture/Society; Front Page News; News/Current Events
To: danneskjold
Huh? The point of the article seemed to imply that the real problem was with Red Hat releasing their patch before everyone else

My point was not in reference to the specifics of this article. It was a broad observation about open source versus commercial. Commercial entities tend to favor withholding, hiding and suppressing information--assuming they can get away with doing so. The Open Source community tends to favor the opposite.

Here is a case in point.

It's Time to End Information Anarchy

261 posted on 11/29/2001 5:21:22 AM PST by Blade
(in reply to #106)

To: oc-flyfish
Um... you don't really know what you are talking about do you?

Yeah..let's all defer to oc-flyfish on technology. That's the ticket.

262 posted on 11/29/2001 5:23:03 AM PST by Blade
(in reply to #114)

To: Blade
My point is the idiot comment by the poster that said "Only open source has the guts to admit their mistakes".

Please feel free to defer to me on all technical matters. I do a brisk business in consulting and would love to have you as a client. :-)

263 posted on 11/29/2001 5:29:24 AM PST by oc-flyfish
(in reply to #262)

To: Blade
Commercial entities tend to favor withholding, hiding and supressing information--assuming they can get away with doing so. The Open Source community tends to favor the opposite.

In the article you quote Microsoft is arguing that security companies shouldn't provide a step-by-step instruction manual on how to exploit a new bug. I and most other IT professionals agree.

It is sufficient for the software company to say there is a problem, explain (in general terms) how the exploit is performed, and provide the patch. There is no need to provide script kiddies with an instruction manual.

264 posted on 11/29/2001 5:34:54 AM PST by oc-flyfish
(in reply to #261)

To: oc-flyfish
Ah come on... no one wants to play anymore on this thread?
265 posted on 11/29/2001 7:52:33 AM PST by oc-flyfish
(in reply to #264)

To: oc-flyfish; Don Joe; Bush2000
Ah come on... no one wants to play anymore on this thread?

Just speaking for myself, I've gotta be painfully honest and tell you that this thread has made me completely re-evaluate the worth of having technical discussions with this group of MS-ites. I believe I now understand how ya'll can be MS-only.

I no longer see much point trying to explain and discuss complex technical issues to ya'll anymore. It appears ya'lls understanding of this is on a very different level than I had previously given ya'll credit for.

I do, and will, lurk. And will still post. Just not likely in response to any of ya'll anymore. Anymore than I'm going to argue with someone who believes in witchcraft about Harry Potter.

I'm sorry, but that's where I, personally, am.

Ya'll may now get back to your regularly scheduled diet of insults, misunderstandings and blind defense of the indefensible. Thank you.

266 posted on 11/29/2001 10:21:22 AM PST by Dominic Harr
(in reply to #265)

To: oc-flyfish
Since only an idiot would try to make something out of this Linux exploit,

and only an idiot would suggest that this exploit makes Linux as prone to failure as Windows,

and only an idiot would argue that commercial companies and the open source community are equally willing to discuss sofware defects in public,

at last we agree on something, such a poster would definitely be an idiot.

267 posted on 11/29/2001 10:22:07 AM PST by Blade
(in reply to #263)

To: oc-flyfish
shouldn't provide an step by step instruction manual on how to exploit a new bug.

That's Microsoft's characterization. Not everyone agrees that's what security companies are doing.

I and most other IT professionals agree.

You can stop right there. You don't speak for most IT professionals. Can you cite a survey or some other evidence to back up the claim that most IT professionals agree with withholding information on security problems?

It is sufficient for the software company to say there is a problem, explain (in general terms) how the exploit is performed, and provide the patch.

You want software companies to offer fixes with no specifics on what is being fixed? Sorry, but that's a lousy idea.

There is no need to provide script kiddies with an instruction manual.

Again, that's Microsoft's loaded characterization. And, as usual, they have an agenda since the overwhelming majority of the problems are with their software.

Microsoft. You gotta love em. Up till now, the only ones in favor of withholding information on security problems has been the malicious hackers. Go figure.

268 posted on 11/29/2001 10:34:31 AM PST by Blade
(in reply to #264)

To: Blade
You can stop right there. You don't speak for most IT professionals. Can you cite a survey or some other evidence to back up the claim that most IT profesionals agree with withholding information on security problems?

Well... let's see... We have some of the big security firms pushing this like Guardent Inc., @stake Inc., Internet Security Systems Inc., BindView Corp., and Foundstone Inc. I guess none of these companies count in your little myopic view of the world, eh?

You want software companies to offer fixes with no specifics on what is being fixed? Sorry, but that's a lousy idea.

Guess you didn't understand my point. I don't have a problem with s/w companies saying that xyz component is vulnerable to an exploit. My objection is providing a step-by-step procedure that any script kiddie can follow to run the exploit. Heck, I don't even mind if they give them 4 out of 5 steps, as long as they withhold some aspect that won't let the kiddies compromise the system.

Again, that's Microsoft's loaded characterization. And, as usual, they have an agenda since the overwhelming majority of the problems are with their software.

Wrong again. Gartner Group stated "Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks." Please don't tell me that Gartner is a big fan of Microsoft because it won't fly.

269 posted on 11/29/2001 12:40:19 PM PST by oc-flyfish
(in reply to #268)

To: Dominic Harr
Would you mind throttling back the "Ya'lls"? Either that, or let's break out the gator grits and corn pone.
270 posted on 11/29/2001 2:42:31 PM PST by Bush2000
(in reply to #266)

To: Dominic Harr
I no longer see much point trying to explain and discuss complex technical issues to ya'll anymore. It appears ya'lls understanding of this is on a very different level than I had previously given ya'll credit for.

Yep, we just be po' dumbass develuhpuhs. Please he'p us, Dom'nic.
271 posted on 11/29/2001 3:08:33 PM PST by Bush2000
(in reply to #266)

To: oc-flyfish
This is all pretty sad. I use Windows NT on my desktop, and it has proved to be a great desktop environment. Requires a reboot every couple of days, but I can live with that. I am sitting in front of it all the time anyway, why not lean back and relax when it is rebooting, claiming back all the memory leaked out and what-not. This machine needs constant care, and is able to perform desktop duties quite reliably. A plethora of software exists to make my development more rapid and easy. Desktop environment++

But when the day is done, my deployment goes off to a UNIX server (FreeBSD, Linux, UNIX, anything but a Windows-based 'server'). These UNIX servers have:

-reliable remote administration
-uptime in excess of 600 days (obviously not windows servers then)
-power, scalability and very, very few exploits. Notice how happy the MS women are when _one_ UNIX-related exploit finally makes press (this software also runs on windows motards)...and this is one which can only be used when anonymous access is turned on anyway, so it doesn't pose a threat to any admin worth a damn. compare this to the win32 exploits which have come down the pipe this year, which _all_ windows servers were vulnerable to.

I know some of the windows people on this list are happy to finally see something bad come down the pipe re a UNIX-type server, but that is because they so desperately cling to their world where clicking a next button qualifies them as being a system administrator.

Setting up enterprise level software _is_ difficult. It can be made easier by introducing WYSIWYG admin tools, and fancy GUI, but for the most part, you get what you give. and when you give next to nothing (setting up a windows server) you get next to nothing (a windows server)

Windows owns when it comes to the desktop (after all, the command line interface which dominates UNIX admin is easily emulated, so the power of UNIX is with you while you work on an OS as easy to use as a fisher price toy) but when you want a server to do its job (reliability and performance are key here [qualities usually associated with UNIX not windows for those in the know]), you need qualified administrators , not inept fools. don't scrimp because your tech staff consists of some next-button-pressing idiots who aren't worth the paper their pay check is printed on.

A few more points worth making:
- people that know _both_ Windows and UNIX agree that UNIX is the superior server.
- script-kiddies are morons.
- very, very few enterprise-level organizations, where uptime and reliability are key, run Windows server side (check www.netcraft.com for your favorite bank, government or educational institution [or any other organization which _requires_ stability and security]).
272 posted on 11/29/2001 3:40:40 PM PST by strtok14
(in reply to #269)

To: oc-flyfish
The "big" security firms are as tangled up with Microsoft as everyone else, and they would also probably like to see their lives made easier too. After all, malicious attackers have been laying waste to Windows for years.

The Code Red and Nimda viruses were incapable of executing on non-Windows machines, and they caused billions of dollars worth of damage to production data. Tell me, what vulnerability that is specific to all flavors of UNIX/Linux and only to UNIX/Linux has ever caused that kind of financial pain?

This campaign against “information anarchy” isn’t about "being responsible." It's about public relations. Otherwise, why characterize anyone who disagrees with the Microsoft position as an “anarchist”? Do you advocate INFORMATION TOTALITARIANISM?

I would note that published attack scripts are not a threat to anyone running a secure OS.

Bottom line: this is about Micro$oft advancing its agenda. It is an attempt to sweep security risks under the rug, while still charging an arm and a leg for subscriptions to a technically inferior product.

273 posted on 11/29/2001 3:53:16 PM PST by Blade
(in reply to #269)

To: oc-flyfish
Wrong again. Gartner Group stated "Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks."

Ho hum. You quote your experts, I’ll quote mine.

Did you miss Bruce Schneier's evaluation of this issue? He was recently quoted as saying:

"Microsoft has always treated security threats as a public relations problem, so it would do anything it could not to publicize its susceptibility. Companies like Microsoft would ignore security researchers who quietly informed them of security vulnerabilities. They would lie to the public and say that the vulnerabilities were 'theoretical only' or 'impractical.'"

Obviously we're dealing with a dangerous "information anarchist" here. For those of you that don't know Schneier's work, you can read his bio here.

Damn anarchists. :-)

274 posted on 11/29/2001 4:08:25 PM PST by Blade
(in reply to #269)

To: Blade
I actually have a great deal of respect for Bruce Schneier. One of the reasons is his "Applied Cryptography" books, which sit on my bookshelf. Another is that he is a security purist without an apparent axe to grind. To some degree, his comments about Microsoft DO reflect the Microsoft of the past: arrogant, security-through-obfuscation, and often ignorant of security issues. HOWEVER, I have to tell you ... I have quite a few friends who still work with Microsoft and they tell me that security has been made a top priority within the organization -- particularly in light of Nimda/CodeRed, etc. A few years ago, reliability was the top priority for MS. Now, it's security. And just as they improved the reliability of Windows, I have no doubt that they will fix most of the security issues that continue to hound them. Granted, nobody can ensure bulletproof security. But I think they are taking steps as an organization which will be positive for the industry. One thing that will definitely help is that a big portion of MS server-side codebase is moving to managed code. This will greatly reduce the incidence of buffer-overruns, IMO.
275 posted on 11/29/2001 4:28:16 PM PST by Bush2000
(in reply to #274)

To: Bush2000
Bottom line: this is about Micro$oft advancing its agenda. It is an attempt to sweep security risks under the rug, while still charging an arm and a leg for subscriptions to a technically inferior product.

This, I have to disagree with. I believe it's reasonable to call for a code of ethics among security researchers under which exploits are not described in so much detail that malicious script-kiddies can take advantage of them. There is definitely a dividing line between legitimate research and promoting mischief. A lot of the security research that has gone on with Windows seems to be focused on embarrassing Microsoft at the expense of customers. That's wrong. Exploiting customers because you hate MS isn't sufficient justification. There has to be a healthy medium between absolute disclosure and customer interests. If you are honest with yourself, you will agree. Software politics and ideology should be checked at the door on this issue.
276 posted on 11/29/2001 4:35:26 PM PST by Bush2000
(in reply to #275)

To: Bush2000
Both of your posts were reasonable, and I can subscribe to most of what you wrote, with one exception:
A lot of the security research that has gone on with Windows seems to be focused on embarrassing Microsoft at the expense of customers. That's wrong. Exploiting customers because you hate MS isn't sufficient justification.

What is your main argument or evidence for this claim? I am skeptical that someone carried out security research that damaged real people just to embarrass Microsoft. This isn't an attempt to bait you, just curiosity.

277 posted on 11/29/2001 7:07:48 PM PST by Blade
(in reply to #276)

To: Bush2000
I believe it's reasonable to call for a code of ethics among security researchers under which exploits are not described in so much detail that malicious script-kiddies can take advantage of them.

Indeed, in some cases this line is clear while in others it's not. And sometimes (albeit rarely) even when it clear there may be legitimate reasons to cross it and let the chips fall where they may.

An example of the latter type of judgement, albeit in a different venue, was Newsweek's publication of the answers for a current college entrance exam. Newsweek's reporters had found that there were [illegitimate] copies of the exam floating around in some circles and suggested to the testing firm that they should replace the test, but the firm refused. By releasing the answers, Newsweek made the test 'obviously' worthless (whereas before it would have been 'deniably' worthless, since there was bound to be an unknown and unmeasurable amount of cheating). Good call IMHO, even though the testing firm argued in court (IIRC) that the published copies of the answers could serve no purpose except to help people cheat [actually, they did the reverse, since the testing firm changed the test, thus preventing those who'd bought copies from cheating].

278 posted on 11/29/2001 8:04:11 PM PST by supercat
(in reply to #276)

To: Blade
A lot of the security research that has gone on with Windows seems to be focused on embarrassing Microsoft at the expense of customers.

One problem with having any particular piece of operating system, networking, or security software be nearly ubiquitous is that such a ubiquitous item becomes a very attractive and rewarding target for hackers. IMHO, the Justice Department's case against Microsoft, if it was to be pursued at all, should have focused on this issue.

If I were to just hire some guy to write me a crude networking operating/security system, then unless I was using it to protect something highly worthwhile to hackers it wouldn't matter too much if it had more security holes than Windows, since it's unlikely any hackers would bother to attack it and find them. Unfortunately, in the last few years as Windows machines have become more and more ubiquitous on the net, not only has the hacker's "reward" for finding security holes increased, but larger populations of 'infectable' machines can be turned into larger populations of worms and zombies.

In a very real sense, the real security "problem" with Windows is simply that it's become so popular. I should mention, btw, that the Microchip 16C84 microcontroller, like most others, has hardware to prevent its code from being read out. A few years ago, someone came up with a 16C84-based satellite decoder. Very attractive target. Soon thereafter, someone else figured out how to read the code from a "code-protected" 16C84.

This should not be taken as a sign that the 16C84's protection was necessarily weaker than any other micros of the time. The notion of unlimited "free" satellite viewing, however, was too much for hackers to pass up, and so they spent more effort trying to crack that particular chip than they would for e.g. a microwave oven controller.

I don't know what the solution to these problems is, but I think having a healthy mix of operating systems in use would help minimize the effects of rogue software.

279 posted on 11/29/2001 8:18:55 PM PST by supercat
(in reply to #277)

To: danneskjold
We use ProFTPD on our servers and we use Linux. We don't have the problem. To blame the bug on Linux would be like blaming Microsoft for a bug in AOL's software.
280 posted on 11/29/2001 8:33:48 PM PST by genxer
(in reply to #24)

