OT: Linux most breached OS

Fairlight fairlite at fairlite.com
Sun Nov 21 18:50:39 PST 2004


Is it just me, or did John Esak say:
> 
> s.  I'd say 80% of the time or better, everyone else has
> > their bugs acknowledged and patches out the door--and MS has yet to even
> > verify that their bugs exist.  Bill, you read those alerts--am I wrong
> > about this trend?
> 
> Mark, I'm sorry, but you could not be more wrong. I have been getting
> updates on all of our 2000 and XP systems for the past couple years now.
> They come in daily, weekly, monthly... whenever they are needed. These are
> security patches, o/s fixes, etc. Microsoft is far and away ahead of any
> other company or o/s in keeping its systems up to date... and making it easy
> for millions of people to avail themselves of these fixes/patches in a
> variety of automated/manual ways. You are just dead wrong.

They've gotten better in recent years.  I remember WinNuke though--a month
and a half extra for a patch for win9x, after a month-long wait for a patch
to NT4.  In recent times...as I said, subscribe to the SANS security
digests.  Most vulnerabilities are reported responsibly--giving vendors a
chance to react.  You'll see Sun, SGI, IBM, even SCO releasing patches, or
at least having verified the bug in question.  You'll also see 5 or more
holes in Windows, and I can honestly say that many times they haven't even
verified the existence of a bug.

Sure, auto-update works when the patch is available.  Of course, you only
find -out- about it that way once the patches are available.  If you track
the course of security holes from the time of public disclosure forward,
you'll see a much different picture of discovery to patch time than you
would if you just pay attention to the fact that MS indeed does release
patches when they show up in Windows Update.

I won't argue the point.  If you're satisfied that their security update
cycle is adequate, that's your comfort level.  I can deal with it for a
firewalled home machine, but it would never do for me in a production
corporate environment.  That's just my own comfort level.

Oh...one extra thing you should be aware of.  I know that you and I both
prefer win2k to winxp.  I don't know if you're aware, but they've said
they will -not- release further IE patches against anything earlier than
IE on XP with SP2 installed.  This is borne out by their reaction in the
SecurityFocus article in the link cited below.  You'll also note that this
was reported on 10/25.  The only systems they've apparently taken care of
for the following are XP SP2 and Windows 2003.  The rest are all wide open.
And as of the first of the month when this was posted on the SANS bulletin,
as you can see, MS didn't even confirm its existence.  That happens quite
a bit.  Don't take my word for it though--subscribe to SANS and watch the
silence from Redmond for weeks at a time on many issues.  I believe the
JPEG hole is still unpatched, unless I missed a critical announcement
sometime this last week.  That's been an open case for a while now.

The following is a perfect example, excerpted from the SANS digest:

-----
Description: Internet Explorer reportedly contains an overflow when
processing "IFRAME" tag with overlong "SRC" and "NAME" attributes. A
malicious webpage can possibly exploit the flaw to execute arbitrary
code on a client system (not confirmed). The flaw was discovered while
testing Internet Explorer with an HTML fuzzer. The fuzzer generates a
number of HTML test pages that contain tags with malformed attributes.
The reporter of this flaw has warned that a working exploit for this
flaw would not take too long to surface.

Status: Microsoft has not confirmed and no updates are available.

Council Site Actions:  All sites are waiting for confirmation from
Microsoft and a patch, if appropriate.

References:
Posting by Berend Jan-Wever
http://www.securityfocus.com/archive/1/379341/2004-10-25/2004-10-31/0
IE HTML Fuzzer Script
http://felinemenace.org/~nd/htmler.py
SecurityFocus BID
http://www.securityfocus.com/bid/11515
-----

Remote arbitrary code exploit?  That's serious.  I've read (in the last
week) of at least three different attacks that exploit this.  And they
wouldn't even confirm it inside six days (or more, if they had prior
warning, assuming it was reported responsibly)?  That just doesn't cut it.
This is a prime example of what I'm talking about.

> Incidentally, it is a matter of usability and convenience. JP mentioned the
> other day that he uses HylaFax because we were talking about VSI*FAX and a
> small thing in one of their scripts that I wanted to change. I asked him if
> HF had a package that could just be installed from a disk or a download file
> and immediately administered by any user/administrator.  His response was
> interesting. He said, no, that was not the nature of free software.  Hmmm.

And it's not.  He's right.  However, "free" software has an accountability
factor.  People -can- audit the source, find problems, notify the authors,
release patches, etc.  You can't get at the guts of Windows so you have
zero idea how vulnerable any particular subsystem (or sub-subsystem, or
smaller, if you look at things like the JPEG handling exploit) actually is.

While it's true that there's increased risk of people digging up exploits
via the same virtue-turned-vice, the virtue part wins out in that people
are able to readily patch things quite quickly--and there is a lot more
manpower working on OSS software in general than MS has at its disposal
internally.

It's never bothered me that OSS software doesn't necessarily have "a box",
or even a central vendor.  I've gotten faster responses from the principal
author of centericq (who lives in the Ukraine, of all places) than I have
from Red Hat regarding kernels that don't boot and their perl that -still-
segfaults--despite the fact that someone paid for the commercial support on
the Red Hat Enterprise system.  Konst (the aforementioned developer) fixed
my Sparc endian issues with centericq inside two days.  Red Hat has gone on
several months and has presented one excuse after another for not fixing
their own hacked version of perl, which I can segv on demand.  Packaged and
centralised doesn't necessarily mean better.  Even having a Responsible
Party doesn't make it better--RH isn't standing behind their perl port as
far as I'm concerned.

> Very telling. When and if Linux(et al) has to supply an o/s that is
> administratable (is that a word?) by non-guru-programmer types... then we
> can compare apples to apples. For now and until then Linux and its offering
> will not be in the same ball game with Microsoft who is playing on a much
> larger field. I suppose the next big shot will be the Novell release of
> SuSE. More power to it. I hope it does a better job than *all* the other
> Linuxes thus far.

I wasn't the one that started comparing in this case.  The press did that
number.  :)  But given the doctored presentation that some places
apparently released (thanks for showing the context, Bill...I couldn't
agree more with laying it at admins' feet), one has to put it in context
and carry it to its real logical conclusion.

Novell has already released a version of SuSE under Novell's ownership.
9.2 came out a few weeks back.  Aside from being based on the 2.6 kernel
that I don't think will be fully ready for prime time inside another year,
it's probably very good based on what I've seen with 9.0 and heard of 9.1.

Actually, you have to have very little programming experience to admin a
modern linux system.  You do need solid *nix knowledge, however.  Then
there's Windows, where the monkey flips the switch and hits autoupdate, or
breezes through a few wizards, and you just pray it works for them.  And
generally when it doesn't, it -really- doesn't.

> As for Free BSD... I like it and I like Verio's implementation of it as a
> virtual machine for me.  It has a really good on-line management tool for

I've been less than pleased with what I've seen of Verio's virtual hosting
scenario.  I don't mind the FBSD at all.  No problem.  It's their
implementation and policies that are lacking.  Not telling people in
advance that they were updating proftpd was a huge mistake--it made
anonymous ftp unusable for one of my clients for a day until we found out
(on our own) that they'd upgraded.  They also tend to fail to limit
resources, letting one virtual machine run away with the physical resources
of the entire machine, making other virtuals--well, virtually unusable.

I've not been impressed with them, but I'm glad you've had a better
experience than I've observed.

> something I am truly appreciative for... I don't want to be doing make's and
> configuring and updates... I have better things to do for the company using
> the O/S than just supporting the O/S. At least that is a businessman's point
> of view.  And still, I ask the one and only unanswerable question.  What
> business could possibly run a Linux server/system *without* paying a
> programmer/administrator to constantly keep it together and updated?

We come at it from two different sides, John.  I -am- in the technical
programming and administrative side of things.  I'm in the business of
helping the business types' business keep going smoothly on their
platform.  I see the need to install something from source and don't even
blink.

You're coming at it from the opposite point of view, where you just want it
to be a binary installation that works--preferably with as close to zero
administrator input as possible.

I'll be the first to admit those are entirely different viewpoints.  You
don't enjoy what I end up doing most of the time, and I do.  And I'd
probably be driven nuts by the business side of half the things the
business types end up dealing with.  :)  To each their own.

But as for your question...  The answer is that they "more or less" could
if they trust autoupdates.  I don't.  I've seen failed autoupdates even
under SuSE 9.0.  Actually, the autoupdate function works, it's the RPM
that doesn't actually freshen the files sometimes.  It's rare (I've seen
it on two packages out of hundreds), but it happens occasionally.  Getting
a linux system up and running securely requires someone with knowledge
and experience.  No denying that.  Keeping one running after the initial
configuration really isn't too bad for -just- security maintenance, until
it hits end-of-life, when you have to migrate upwards or hold it together
manually with duct tape and baling wire.

But I -have- always maintained that people should either have someone
in-house with the necessary *unix skills, or outsource the work.  If they
won't do either, then there's always Microsoft for those folks.  And
I'm -not- just talking Linux.  I'm talking -any- *nix, be it SCO, FBSD,
whatever.  There may be alerts to install SCO's 506a, but I can remember
several sites that never installed that patch because they didn't know
any better.  If you run *nix of any flavour, commercial or otherwise, you
should have -someone- that knows what they're doing.

It's not just a Linux thing--it's a *nix thing.  The face of *nix is
changing, but short of OS/X from Apple, it's not changing -that- rapidly.
Actually, that's probably about the best you'll see for a while, I'd wager,
as far as non-techie administratability.  (Is that a word?!)

> I knew this topic would be kindling... and so I am very happy you are
> keeping your arguments in the cool zone. :-) I mean, after all as OT as

Perfectly cool and relaxed.  :)  Likewise back atcha.  I feel no real need
to defend linux.  I use linux exclusively for server environments other
than my ISP shell account, which is Solaris, but I don't mind having a
Windows desktop--currently win95 and win2k, about to go all win2k in a
month or two.  Linux isn't there in terms of multimedia, and especially
getting native ports of games.  Desktop productivity doesn't mean too much
to me, but GIMP still wasn't at the state of being able to match Painter
5.5 last I played with it (it -has- been several years, granted), much less
Photoshop.  There's another area where you have more choices.  Windows
definitely has its place yet.  That's my personal desktop rationale.  I like
even my win95, honestly--as long as it's firewalled.  But Windows in a server 
role?  Not for me, thanks.

I think the distributions speak for themselves.  The only thing I take
objection with is the segment of the mass media that slants things towards
a particular agenda by taking something out of context.  That's certainly not
your fault, John.  They've been doing that for years--that's why I switched
from Mass Communications to English at university.  I couldn't stand the
hypocrisy and downright nastiness of the mass media.  It's (unfortunately)
nothing new.  It is, however, getting worse each year.

> coming here... I would venture to say a good 70% of them know nothing
> about Linux or SCO and could care less. MS exists and has its place. It's
> sort of like Israel... :-) (Oh jeez, what have I said now. :-) :-) :-)
> :-) )

Hahahahahah!  You wanted to buy a one fireplace home, or a two fireplace
home, John? *laugh* That was a good one...  Israel indeed.  :)  I think I'll
just take that as the tongue-in-cheek humour it was intended as, and leave
politics alone.  Not my forte.  :)

You're possibly right on the fP platform issue.  Perhaps because of when
and where I came to know filePro, my views on its user base distribution
may have been (indeed, -were-) slanted.  I've always considered it more or
less a *nix package that happened to have a DOS (and then Windows) port.
Particularly, I previously thought of it as mostly a heavily SCO-oriented
package, even though I knew of the AIX port in '93.  Yes, I know it started
out big back on the Tandy stuff...I learned all that later, after the fact.
It seems like these days we see more Windows folks than the old-time Tandy
or SCO folks though--at least as far as the newcomers go.  I wonder what
the actual percentages are.  Probably neither here nor there, but it's a
point of (mostly) academic interest.

And if anyone that uses 'par' is reading--how do you get it to leave -two-
spaces alone before and after a smiley when reformatting a paragraph?  I
hate having to adjust them manually if I re-edit several times.  Grrr.  The
only thing it does that I don't like is strip those areas down to one space.
It's fine on sentences, but when it hits an -emphasis- or *action* or
smiley it just refuses to leave the surrounding whitespace alone.  I'm open 
to reconfiguration suggestions on that matter.

mark->
-- 
Bring the web-enabling power of OneGate to -your- filePro applications today!

Try the live filePro-based, OneGate-enabled demo at the following URL:
               http://www2.onnik.com/~fairlite/flfssindex.html