Posted on 11/28/2001 1:28:10 PM PST by Don Joe
A vulnerability in the most widely used FTP server program for Linux has left numerous sites open to online attackers, a situation worsened when Red Hat mistakenly released information on the flaw early, leaving other Linux companies scrambling to get a fix out.
"Other vendors didn't have a patch," said Alfred Huger, vice president of engineering for network security information provider SecurityFocus. The company has been working with vendors to fix the vulnerability after computer security company Core Security Technologies alerted them to the problem Nov. 14.
"The fix is not rocket science," Huger said. "But we weren't working at a breakneck pace to get a patch out, because everyone was working together."
The software flaw affects all versions of wu-FTP, a program originally created at Washington University at St. Louis for servers running FTP (file transfer protocol) functions for transferring files over the Internet.
While the exact number of active FTP servers on the Internet is not known, the software is the most commonly installed file server and accompanies most major Linux distributions, including those from Red Hat, SuSE, Caldera International, Turbolinux, Connectiva, Cobalt Networks, MandrakeSoft and Wirex.
The problem, known in security circles as the wu-FTP Globbing Heap Corruption Vulnerability, allows attackers to get remote access to all files on a server, provided they can access the FTP service. Since most such servers provide anonymous access to anyone on the Internet, a great number will be vulnerable.
Huger called the flaw "serious."
The impact of the software vulnerability was exacerbated because many Linux software companies were caught flat-footed by a surprise early release of information regarding the vulnerability.
While the group that discovered the flaw, Core ST, informed Linux software companies and the open-source group that manages development for wu-FTP of the flaw, Red Hat mistakenly released a security advisory to its customers on Tuesday.
Normally, an advisory is a good thing, but other Linux software sellers had expected any advisories to be published Dec. 3, giving them time to work on fixes. Instead, the surprise announcement left the customers of other companies' products vulnerable.
"We were releasing some advisories on the same day, and an overzealous administrator pushed this out as well," said Mark Cox, senior engineering director for Red Hat. The company is adding new safeguards to its publishing system to avoid similar problems in the future, he said.
"We put a stop to this," Cox said. "This will not happen again. It was a bad mistake."
My point was not in reference to the specifics of this article. It was a broad observation about open source versus commercial. Commercial entities tend to favor withholding, hiding and suppressing information--assuming they can get away with doing so. The Open Source community tends to favor the opposite.
Here is a case in point.
Yeah... let's all defer to oc-flyfish on technology. That's the ticket.
Please feel free to defer to me on all technical matters. I do a brisk business in consulting and would love to have you as a client. :-)
In the article you quote Microsoft is arguing that security companies shouldn't provide a step-by-step instruction manual on how to exploit a new bug. I and most other IT professionals agree.
It is sufficient for the software company to say there is a problem, explain (in general terms) how the exploit is performed, and provide the patch. There is no need to provide script kiddies with an instruction manual.
Just speaking for myself, I've gotta be painfully honest and tell you that this thread has made me completely re-evaluate the worth of having technical discussions with this group of MS-ites. I believe I now understand how ya'll can be MS-only.
I no longer see much point trying to explain and discuss complex technical issues to ya'll anymore. It appears ya'lls understanding of this is on a very different level than I had previously given ya'll credit for.
I do, and will, lurk. And will still post. Just not likely in response to any of ya'll anymore. Any more than I'm going to argue with someone who believes in witchcraft about Harry Potter.
I'm sorry, but that's where I, personally, am.
Ya'll may now get back to your regularly scheduled diet of insults, misunderstandings and blind defense of the indefensible. Thank you.
and only an idiot would suggest that this exploit makes Linux as prone to failure as Windows,
and only an idiot would argue that commercial companies and the open source community are equally willing to discuss software defects in public,
at last we agree on something, such a poster would definitely be an idiot.
That's Microsoft's characterization. Not everyone agrees that's what security companies are doing.
I and most other IT professionals agree.
You can stop right there. You don't speak for most IT professionals. Can you cite a survey or some other evidence to back up the claim that most IT professionals agree with withholding information on security problems?
It is sufficient for the software company to say there is a problem, explain (in general terms) how the exploit is performed, and provide the patch.
You want software companies to offer fixes with no specifics on what is being fixed? Sorry, but that's a lousy idea.
There is no need to provide script kiddies with an instruction manual.
Again, that's Microsoft's loaded characterization. And, as usual, they have an agenda since the overwhelming majority of the problems are with their software.
Microsoft. You gotta love em. Up till now, the only ones in favor of withholding information on security problems has been the malicious hackers. Go figure.
Well... let's see... We have some of the big security firms pushing this like Guardent Inc., @stake Inc., Internet Security Systems Inc., BindView Corp., and Foundstone Inc. I guess none of these companies count in your little myopic view of the world, eh?
You want software companies to offer fixes with no specifics on what is being fixed? Sorry, but that's a lousy idea.
Guess you didn't understand my point. I don't have a problem with s/w companies saying that xyz component is vulnerable to an exploit. My objection is providing a step-by-step procedure that any script kiddie can follow to run the exploit. Heck, I don't even mind if they give them 4 out of 5 steps, as long as they withhold some aspect that won't let the kiddies compromise the system.
Again, that's Microsoft's loaded characterization. And, as usual, they have an agenda since the overwhelming majority of the problems are with their software.
Wrong again. Gartner Group stated "Gartner believes there is almost never a need for any responsible entity to release attack scripts that provide the tools to launch attacks." Please don't tell me that Gartner is a big fan of Microsoft because it won't fly.
The Code Red and Nimda viruses were incapable of executing on non-Windows machines, and they caused billions of dollars worth of damage to production data. Tell me, what vulnerability that is specific to all flavors of UNIX/Linux and only to UNIX/Linux has ever caused that kind of financial pain?
This campaign against information anarchy isn't about "being responsible." It's about public relations. Otherwise, why characterize anyone who disagrees with the Microsoft position as an anarchist? Do you advocate INFORMATION TOTALITARIANISM?
I would note that published attack scripts are not a threat to anyone running a secure OS.
Bottom line: this is about Micro$oft advancing its agenda. It is an attempt to sweep security risks under the rug, while still charging an arm and a leg for subscriptions to a technically inferior product.
Ho hum. You quote your experts, I'll quote mine.
Did you miss Bruce Schneier's evaluation of this issue? He was recently quoted as saying:
"Microsoft has always treated security threats as a public relations problem, so it would do anything it could not to publicize its susceptibility. Companies like Microsoft would ignore security researchers who quietly informed them of security vulnerabilities. They would lie to the public and say that the vulnerabilities were 'theoretical only' or 'impractical.'"
Obviously we're dealing with a dangerous "information anarchist" here. For those of you that don't know Schneier's work, you can read his bio here.
Damn anarchists. :-)
A lot of the security research that has gone on with Windows seems to be focused on embarrassing Microsoft at the expense of customers. That's wrong. Exploiting customers because you hate MS isn't sufficient justification.
What is your main argument or evidence for this claim? I am skeptical that someone carried out security research that damaged real people just to embarrass Microsoft. This isn't an attempt to bait you, just curiosity.
Indeed, in some cases this line is clear while in others it's not. And sometimes (albeit rarely) even when it's clear there may be legitimate reasons to cross it and let the chips fall where they may.
An example of the latter type of judgement, albeit in a different venue, was Newsweek's publication of the answers for a current college entrance exam. Newsweek's reporters had found that there were [illegitimate] copies of the exam floating around in some circles and suggested to the testing firm that they should replace the test, but the firm refused. By releasing the answers, Newsweek made the test 'obviously' worthless (whereas before it would have been 'deniably' worthless, since there was bound to be an unknown and unmeasurable amount of cheating). Good call IMHO, even though the testing firm argued in court (IIRC) that the published copies of the answers could serve no purpose except to help people cheat [actually, they did the reverse, since the testing firm changed the test, thus preventing those who'd bought copies from cheating].
One problem with having any particular piece of operating system, networking, or security software be nearly ubiquitous is that such a ubiquitous item becomes a very attractive and rewarding target for hackers. IMHO, the Justice Department's case against Microsoft, if it was to be pursued at all, should have focused on this issue.
If I were to just hire some guy to write me a crude networking operating/security system, then unless I was using it to protect something highly worthwhile to hackers it wouldn't matter too much if it had more security holes than Windows since it's unlikely any hackers would bother to attack it and find them. Unfortunately, in the last few years as Windows machines have become more and more ubiquitous on the net not only has the hacker's "reward" for finding security holes increased, but larger populations of 'infectable' machines can be turned into larger populations of worms and zombies.
In a very real sense, the real security "problem" with Windows is simply that it's become so popular. I should mention, btw, that the Microchip 16C84 microcontroller, like most others, has hardware to prevent its code from being read out. A few years ago, someone came up with a 16C84-based satellite decoder. Very attractive target. Soon thereafter, someone else figured out how to read the code from a "code-protected" 16C84.
This should not be taken as a sign that the 16C84's protection was necessarily weaker than any other micros of the time. The notion of unlimited "free" satellite viewing, however, was too much for hackers to pass up, and so they spent more effort trying to crack that particular chip than they would for e.g. a microwave oven controller.
I don't know what the solution to these problems is, but I think having a healthy mix of operating systems in use would help minimize the effects of rogue software.