True, but now Linux fan boys like me can take a different tack: The Worst Bug Ever in Linux is patched. UAC still has a gaping intentional loophole so Microsoft can let Notepad.exe run as admin. When a security hole is found in Linux, it gets fixed. When one is found in Windows, Microsoft either clam up, blame the users, or issue a patch years late.
You completely misunderstand UAC if you think that is the case.
Running apps with different privileges on the same desktop is risky on all major OSes. But it's actually less risky on Windows than on most other OSes thanks to the secure desktop consent prompt (much safer than the non-SAS password model used on most *nix OSes and OS X), UIPI, etc.
Still, on any OS, if you're super paranoid then you're best off using separate user accounts and avoiding sudo / UAC like mechanisms.
Hmm.. You would be right if it was a bug that was KNOWN for 8 years. Fact is - this bug was only discovered a short while ago and is already being taken care of...
I am sure there are a LOT of yet undiscovered bugs in EVERY OS now at this moment! If you are using Windows, OSX, Beos, BSD or whatever there WILL be undiscovered bugs in it - waiting to be exploited. No OS will escape that.
The problem is - you cannot use an undiscovered vulnerability because - it's undiscovered. Simple. So saying Linux was vulnerable for 8 years is simply not true, because to use this as an exploit you have to know it exists. And nobody knew about it until very recently.
To put it differently - if you are saying Linux was vulnerable for 8 years, I can safely claim every OS on this planet is absolutely 100% unsafe because there are bugs in it that have not been discovered yet. Nobody knows about them or how they will work, but they are there, so they can be exploited right at this moment!
I am not saying Linux is more safe because it is perfect. No - Linux is safe because the moment something like this is discovered it is published and everybody is going to work on it to solve the problem as soon as possible.
Sorry - I had to react to this...
That is a valid point, however, the fact that it was just published does not mean that no one else has known about it for years.
But I do see your point.
That's not quite true. Bugs that are not *public* might and are often already discovered and exploited by a few individuals only. It can stay like this for years.
There's not much you can do against it.
You can scratch your design and make one less bug-prone, or invent something no one else thought about that's 100% secure (good luck with that).
Meanwhile we patch and do our best to make things as secure as possible.
edit: note that this is 100% true with Windows, MacOSX and what-not as well
Edited 2009-08-14 09:44 UTC
... All of this was true, if this exploit was a known exploit, and the Linux kernel devs decided to simply ignore it for the past 8 years.
As far as we -know- (and I'll ignore any type of non-educated guess or unfounded speculations), once Linus was aware of this vulnerability, a fix was issued within 2 hours.
So unless anyone has solid evidence that one of the Linux devs was aware of this vulnerability and somehow refused to fix it (why!?!?), the 8 years that passed since the introduction of the code that caused this vulnerability is meaningless. I'd assume that both Linux and Windows have vulnerabilities that date back to Linux 2.0 and Windows NT 3.1...
However, I'd point to you what we know - as in previous known track record:
On one hand, MS refuses to fix the UAC escalation problem and on the other, Linux vulnerabilities are usually patched within a day - if not hours (If you've used RHEL you know what I mean).
... Oh, and unlike Microsoft, a fix will most likely land in all the affected kernel trees (as far as 2.0 if it was required) and not just the latest (2.6) kernel tree.
Would have Microsoft released a similar fix for Windows 2000 - or even Windows NT 4.0, if such a long term vulnerability was found in all NT kernel since 4.0? I somehow doubt it.
- Gilboa
Would have Microsoft released a similar fix for Windows 2000 - or even Windows NT 4.0, if such a long term vulnerability was found in all NT kernel since 4.0? I somehow doubt it.
- Gilboa
I think that you may be wrong.
This has nothing to do with MS, and why should MS fix NT 4.0 in the same situation? It is much older than anything that should be in use in the linux community, seeing as this exploit exists in 2.6 and 2.4, and updates are no longer being applied to the 2.2 kernel, which last saw a change in 2005.
I really doubt that anybody would bother patching such an old kernel, when upgrading to 2.4 would be a better plan anyway. Anybody still running such an old kernel (the same as running NT 4.0) is such a small percentage of their users, that the work runs into a serious amount of effort for no good reason.
Not really, WinXP still runs the user as admin unless you have an AD server. Nothing has changed. A flaw in the kernel of a different platform doesn't magically make this design fault in Windows go away.
In this case, Linux will be patched very quickly now that the fault is known. This very news article comes out after the bug patch is available. Now it's a matter of how fast the distributions can include the new kernel update.
Nothing fanboyish about it. I can still easily get admin on a windows box through known exploits where this exploit in a different platform will be addressed instead of called a "feature".
If running as admin wasn't a problem, why, as of Vista, has Windows itself moved away from this? You do understand that if you are running as admin, EVERYTHING that runs is running as admin. On any OS, that should scare you. Especially one where things are installed from random locations (i.e. not trusted repositories only). This Linux bug will be closed, and no doubt there will be others and they will also be closed, but no OS should just hand out admin without even trying to defend it.
There is a difference between trying to do the right thing and failing occasionally, and never trying at all.
Who do you want to design the next nuclear power plant in your back yard, a guy with years of experience in nuclear design and operation who, like many people, occasionally makes mistakes, or someone with an associates degree in marketing who doesn't believe radiation is a problem?
If the expert screws up and kills everyone, you're just as dead as if the marketing guy had done it. But, given the choice, I'd still rather go with the expert. Clever mistakes are always more interesting than obvious ones. It will make the investigation into the accident more interesting for the survivors. It will give them something to focus on, to dull the radiation-induced pain.






What I find interesting about this is that every Linux fanboy usually argues that WinXP is insecure because it runs as admin by default. (personally I find that argument bogus since it does not take into account the value of the "to be protected" content, but that is another discussion).
Now, since this Linux vulnerability pretty much says "assuming that I have local access I can get root for free", won't that in practice mean that every remote exploit in any common user level application (including server applications) is in practice a remote root exploit for the last 8 years? Considering that after you compromised the local user account through an application level exploit you can further gain root access on every Linux release for the last 8 years...not unlike exploiting a user level application on WinXP and gaining admin privileges?
My point is that this vulnerability may appear to be harmless since it "requires local access", but won't this have a deeper significance since the whole "linux is more secure than winxp because winxp runs as admin by default" argument pretty much is dead, considering that this vulnerability existed for the same 8 years as the winxp issue?
Just my 2c.
Edited 2009-08-14 05:04 UTC