Re: 30 Linux "security advisories" in just one week?
From: Rex Ballard (r.e.ballard_at_usa.net)
Date: 06/08/04
- Next message: Bill Unruh: "CUPS -- various issues."
- Previous message: Georg N.Nyman: "Re: Suse 9.1 infested with bugs. So what else is new?"
- In reply to: DFS: "30 Linux "security advisories" in just one week?"
- Next in thread: P.T. Breuer: "Re: 30 Linux "security advisories" in just one week?"
- Reply: P.T. Breuer: "Re: 30 Linux "security advisories" in just one week?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 7 Jun 2004 16:34:19 -0700
"DFS" <nospam@nospam.com> wrote in message news:<10c2p25cfoasrd8@corp.supernews.com>...
> What's wrong with this OS?
>
> http://www.linuxsecurity.com/articles/forums_article-9355.html
Yet another round of "bounty hunters" trying to collect a bit of cash
from Microsoft for finding "bugs" or "security flaws" in Linux.
Most of these 34 "security holes" are impossible to trigger on a
properly configured Linux system. While there is the possibility that
you **could** bypass all of the protections built into the drivers,
kernel, libraries, and toolkits, it would take a recompile of nearly
all of these components to create the vulnerability.
Most of these **theoretical** holes are things like using malloc to
create a buffer, then doing a gets into the buffer. This would pull
up to the next newline, which could be more bytes than originally
expected.
In a Windows system, this could lead to a "root" of the system, where
the hacker gets control of the box.
On a Linux system, there is a very real possibility that such a hack
would, at most, cause a segmentation fault and core dump. This is a
denial of service opportunity, but only stops the one service, not the
entire system. Furthermore, such hacks are easily traced back to
their point of origin using the built-in auditing tools of Linux.
Even if a hacker were to get control of an application, the damage
would be limited to the files owned by that application's user.
Unless an idiot ignores all warnings and defiantly refuses to access
the Internet as anything other than "root", the damages rarely affect
anything other than that user's account. Again, the attack can be
easily traced back to its origin, which makes such hacks extremely
risky.
Most of these hacks require such obvious misconfigurations as setting
the MTU to ridiculous values, putting '*' in /etc/hosts.equiv or
~/.rhosts, or running anonymous FTP and setting a path to include the
directory to which outsiders can "put".
Of course anyone who did that and caused significant damage could
easily be traced and would probably be fired or even prosecuted for
violation of several federal laws. The perpetrator could find himself
facing several years in prison.
Since Linux directories are designed to ease the process of backing
up, especially user accounts, and since it was designed to support the
ability to read or move files while they are opened by other
applications, it is much easier to back up Linux systems, and much
easier to restore them if they should be damaged.
Windows doesn't have detailed auditing tools, it doesn't have setuid
scripts and controlled access to who can use them, it doesn't have
files defaulted to be unwritable. It doesn't allow back-ups from
running systems, or restorations to running systems. In fact, even a
simple upgrade from one laptop to another can take days, or even
weeks, and often critical information (including registry settings)
is lost.
Of course, Microsoft absolutely insists that any commercial publisher
who publishes a count and description of the known bugs on Microsoft
systems should publish at least as many Linux flaws, or risk being
sued for damage to the Microsoft brand.
A close examination of all of these "security flaws" on both systems,
and the number of successful exploits on each system, and the number
of impacted systems (as a percentage of the installed base) generally
shows a clear pattern. Linux flaws are identified and fixed before
they are ever exploited, and those rare attempts to exploit have
typically impacted less than 1 tenth of 1 percent of the available
targets. Microsoft flaws are often known for years, but are almost
never fixed until a virus or worm has successfully exploited the
vulnerabilities so repeatedly and reliably that antivirus software
cannot be trusted to prevent the damage (sasser, nimda, melissa,
iloveyou...)
Microsoft was very aware of the risks associated with ActiveX
controls, and was warned by numerous qualified interests. When those
warnings were ignored, they attempted to warn the public at large,
including recommendations as to how to mitigate the risk. Microsoft
responded by dispatching its legal team to use attrition, motions,
discoveries, and administrivia to force the target to accept a gag
order, or to get the judge to order a preliminary injunction which
would be made permanent in a settlement.
Microsoft even tried to claim that those who published such security
warnings, especially examples of how much damage trivially programmed
code could cause, were a form of terrorism. They even tried to have
district attorneys help them with their fraud and deception campaign.
Ironically, ActiveX is much like putting a public share or public FTP
directory into your path and letting a web page call programs loaded
to that directory from web pages while you are browsing. If a UNIX
administrator set up a server or workstation to do this, he would
probably be fired on the spot. But a Windows security officer will
tell the CTO, CIO, and CEO that ActiveX controls are perfectly safe,
that VBScript files embedded in HTML are so good that they should be
used on the company web site. Not only that, but customers should be
forced to accept this risk in order to get full service from the
company. There are people telling their executive management that
applications should be written in .NET to the exclusion of trustworthy
technologies that may be less "spectacular" but are much safer.
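The post mentions the malloc-a-buffer-then-gets() pattern as the typical "theoretical" hole. The following is an added example, not code from the post or the thread: a bounded line reader that does what gets() was used for but never writes past the buffer, and reports when a line had to be cut short so the caller can reject it instead of using a partial value. The helper demo_read and its inputs are constructed for the demo; fmemopen is POSIX (glibc).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/* Read one line into buf (capacity cap, NUL included). Unlike gets(),
 * at most cap-1 bytes are stored. If the line is longer than that, the
 * excess is drained from the stream and LINE_TRUNCATED is returned. */
enum line_status read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* strip the newline, like gets() */
        return LINE_OK;
    }
    /* No newline in buf: the line ended at EOF, fit exactly, or overflowed. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;                 /* line fit exactly in cap-1 bytes */
    while (c != '\n' && c != EOF)
        c = fgetc(in);                  /* discard the bytes gets() would have written */
    return LINE_TRUNCATED;
}

/* Demo helper (constructed): treat an in-memory string as the input stream. */
enum line_status demo_read(const char *input, char *out, size_t cap)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (!f) return LINE_EOF;
    enum line_status st = read_line_bounded(f, out, cap);
    fclose(f);
    return st;
}

int main(void)
{
    char *buf = malloc(16);             /* the post's malloc'd buffer */
    if (!buf) return 1;
    /* Constructed inputs: one short line, one far longer than 16 bytes. */
    printf("%d '%s'\n", demo_read("hello\n", buf, 16), buf);
    printf("%d '%s'\n", demo_read("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n", buf, 16), buf);
    free(buf);
    return 0;
}
```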