Marcelo Tosatti has released the final 2.4.24 stable Linux kernel, unchanged from 2.4.24-rc1. The main reason for the release was a local vulnerability in the mremap() syscall that can allow local users to gain privileges. It’s recommended that all users upgrade their kernel. 2.4.24 is available from numerous kernel.org mirrors.
While this is terrible news, it’s good to see how quickly a patch was produced. I wonder how long the vulnerability was known about before this was brought to the kernel maintainers’ attention. Do we know if this was figured out by the black hat community (the “many eyes”) first? And, also, note that XP is not affected by this security hole.
And, also, note that XP is not affected by this security hole.
It’s specific to Linux, why would it be?? Just like Linux isn’t vulnerable to any XP specific exploits either. Duh.
Please don’t troll here.
Um hello, earth to above poster? If you are going to troll it has to be discreet. What do you mean that XP is not affected by this security hole, of course it is not, and it borders on stupid to say something like, well, gee whiz a Linux vulnerability is not valid in XP. And how many “hundreds” of XP vulnerabilities are there compared to those in open-source operating systems??? Ya so now what do you say mister 12.242.164.XXX????
That isn’t trolling, he is pointing out that Linux holes would not affect XP because they are two separate OSes.
Just because he pointed out the fault in your post doesn’t make him a troll.
And how many “hundreds” of XP vulnerabilities are there compared to those in open-source operating systems???
Since most of them originate from the same services, does that reduce the number?
Is it trolling to mention that XP is unaffected? Just as every Microsoft security has the obligatory “install Linux” comment, I am merely mentioning that Windows XP Professional and Windows XP Home are not affected by this serious root vulnerability. No one is currently out there exploiting vulnerabilities for Windows at the moment, but there is currently at least one gaping hole in Linux (yes the kernel). I can see how you guys would be sensitive though, with the multiple security vulnerabilities of Linux distributors.
And good job to the “many eyes making bugs shallow,” but we can only wonder how many not-so-well-intentioned many eyes have been exploiting this security vulnerability.
I find it interesting that you ignored the other questions I pose. Yes, let’s focus on Windows. Maybe if we ignore the root vulnerability in Linux, and make fun of Microsoft, we will be unaffected.
“serious root vulnerability”
It’s not _serious_. First, it isn’t a remote hole — a user already needs access to the system to exploit this, and if people can run user commands on your web/mail server you’re already in trouble.
Secondly, there are no known exploits in the wild at present. Again, typical web/mail/ftp etc. servers won’t have a problem.
Lastly, it was fixed very quickly, and distros have released updated kernel packages.
Yes, it’s all a bit unpleasant, but semantically speaking it’s crazy to say this is very serious. I call ‘serious’ a hole that affects _everybody_, right from a fresh installation, and allows anyone to execute any code on your computer. That’s serious. Blaster was serious.
Actually the vulnerability in the Linux kernel is not remotely exploitable, making it not particularly serious. XP (and all versions of Windows except possibly .NET server 2003) has local root exploits that are in-built functionality of the OS (such as the timer message allowing anyone to execute any code anywhere by simply sending a message to a process that is listening on the event queue).
Microsoft themselves used this information during their anti-trust trial as a reason not to open their source code.
I agree with much of what you said. But since the source is available to everyone (“in the wild”), how do you know that it was not exploited previously? Maybe I found this bug, and did not report it to anyone, and then compromised all of the Linux servers I could find.
“compromised all of the Linux servers I could find”
How would you do this?
As mentioned above windows has got at least 1 local root exploit that will never be fixed because it is a “feature” of the OS.
Let’s report people for abuse to squelch our own biasedness. You’ll never hear this from me again (mainly because I can’t believe I’m saying it), but let’s stay on topic.
At any rate, I’m glad it’s fixed and that WINDOWS XP PRO AND HOME ARE NOT AFFECTED BY THIS LINUX VULNERABILITY. I can rest easy now knowing the computer I’m using cannot be haxored by me.
As I said, it is a “local root exploit”, if you do not understand the subject then do not post comments.
I see. Continue avoiding the question. Hope you don’t get hacked. As for me, I’m still waiting.
But since the source is available to everyone (“in the wild”), how do you know that it was not exploited previously? Maybe I found this bug, and did not report it to anyone, and then compromised all of the Linux servers I could find.
Could have happened, but let’s use common sense for once. There are companies with much interest in Linux who work on the kernel. When possible exploits are discovered (even if it’s a remote chance of it working) they are fixed very quickly because the source is open.
Very interesting. It isn’t “common sense” that whoever discovered this bug first will report it immediately. The presence of corporations working on Linux does not affect third parties who may or may not have good intentions. I guess it’s just “common sense” to assume that someone could have been exploiting this problem for months.
You are correct, someone could have been exploiting it for months. Who cares, I don’t use Linux, I am not affected. Patch is available and the Linux systems can be protected. No need to worry about the past, shall we?
Despite claims that there are numerous remote root vulnerabilities in Windows XP, and me having posted my full and complete IP address for any malicious user to have their way with, I am still fine over here. MP3 music is playing smoothly, accelerated 3D drivers working great, and Mozilla Firebird is browsing just fine.
And, also, note that XP is not affected by this security hole.
Wow, and you figured that out all by yourself! But you did miss the fact that OS X isn’t mentioned, and FreeBSD isn’t mentioned, oh, and Solaris isn’t mentioned either.. Go research some more, please. You make us Windows (Yes, me too) users look bad, bub.
Linux hackers know what they’re doing. They fixed this problem fast, and from what I hear the fixes for 2.6 and 2.2 are coming very shortly as well.
We’ve given the trolls an awful lot to eat today 🙂
And to whoever posted their IP address, just because there are exploits available doesn’t mean everyone hanging out on this board is a 1337 |-|aX0r who knows how to exploit the… exploit.
And I’m not sure you understand that earlier, someone was trying to tell you that this is a local exploit. This means you need to have access to the system before you can do anything. Put real simple, you need an account on the computer, whereas a “remote exploit” allows anyone who knows how to gain access to your machine without an account.
> Despite claims that there are numerous remote root vulnerabilities in Windows XP, and me having posted my full and complete IP address for any malicious user to have their way with, I am still fine over here.
The original post, and numerous other responses, have repeatedly told you that XP has numerous active _local root_ exploits. (I’m not saying it does or it doesn’t, but that was the claim being made.) Not remote exploits.
If you don’t know the difference between the two, fine, but should you really be running your mouth off?
After all those troubles, it is not that safe after all.
Thank you for your concern, but my system is still running fine. I guess for me the “few, but very well trained eyes” reviewing the source code of Windows XP Professional worked out a little better than those poor folks exploited by this root vulnerability.
That’s great if your system is still running fine… but we just don’t care. Why should we give a flying duck of it? It’s a thread on the release of Linux 2.4.24! Sure, many people are making similar comments in Windows threads but most of them are trolls. You don’t need a Master in Communications to realise that doing the opposite in a Linux thread is still trolling…
Anyway, it looks like 2.6 is also affected by this flaw so we might see a 2.6.1 release sooner than expected.
Do you know the difference between “local” and “remote” exploits? I’d be curious to hear your definitions, because you seem to believe that they are one and the same.
No one claimed in this thread that XP had numerous “remote” exploits (go back and read the posts again), but that they had various “local” ones that were actually done on purpose.
A local exploit requires access to the machine first (i.e. it will not let a hacker gain access to your machine remotely). The “local” exploit being fixed on Linux is therefore not a serious security problem, not any more serious than the multiple “local” exploits in XP.
And how many “hundreds” of XP vulnerabilities are there compared to those in open-source operating systems???
*cough* actually Linux has passed XP recently in number of security holes found this year *cough*. I’ve read this in several places, could someone address source of any statistics please who has it bookmarked?
Cheers!
These results are skewed because a) they consider vulnerabilities for Linux applications as well as OS-only bugs and b) they count the same vulnerabilities in various distros as different bugs, when they’re really the same.
If you were to take into account OS-only vulnerabilities Linux vs. Windows vulnerabilities you’d have a fair comparison. Otherwise it’s apples and oranges.
And, also, note that XP is not affected by this security hole.
Really?
[sarcasm]
If you hadn’t said something I wouldn’t have noticed!!
[/sarcasm]
BSDero.
Are you trying to camouflage your post, or something? You can hide (no pun intended), but you can’t run from the fact that Linux is and has been vulnerable to remote root exploit, for an unknown amount of time. Maybe instead of deriding other users in an online forum, you should be patching your system, doing your part to make the internet more secure.
March 2003 – The ptrace() race condition:
http://www.secunia.com/advisories/8337/
(also keep in mind a similar vulnerability was found in 2002: http://www.kb.cert.org/vuls/id/176888)
December 2003 – The brk() integer overflow:
http://www.kb.cert.org/vuls/id/301156
January 2004 – Bad mremap() input validation:
http://isec.pl/vulnerabilities/isec-0013-mremap.txt
3 root compromises in Linux system calls within a year… not a very impressive record for a kernel that’s supposedly over a decade mature.
The 2.4 kernel has been out for some 3 years, so even though there is a “quick fix”, it still suggests that nobody looked at the source code hard enough for so long.
Anyone can read the source doesn’t equal anyone will actually do the reading
Here, I’m going to have to disagree with you. It seems like lots of people do the reading, I mean there are lots of people posting here. But maybe they aren’t well qualified enough to be able to find security problems.
Keep in mind that this vulnerability also affects the implementation of mremap() in the 2.6 kernel series as well, however the only exploits for the vulnerability in the wild are 2.4 specific at this time.
It isn’t an issue of the 2.4 code’s age… it’s merely demonstrative of a lack of proper auditing of the Linux system call implementations in general. There’s really no excuse for buffer overflows in basic system calls like brk() at this point… changes being made to any code doing input validation for system calls should be thoroughly audited and scrutinized before being allowed to be committed.
This is where IBM, SGI, and Novell really need to pick up the ball and start dedicating coders to auditing all Linux system call implementations and any changes being made to them during the course of Linux development.
*cough* actually Linux has passed XP recently in number of security holes found this year *cough*. I’ve read this in several places, could someone address source of any statistics please who has it bookmarked?
Actually, it’s not a bad thing! Windows had a buttload of bugs in the 90s but it’s now getting better and better as more and more bugs are fixed. Linux is maturing so I believe it’s normal to see that.
You can hide (no pun intended), but you can’t run from the fact that Linux is and has been vulnerable to remote root exploit, for an unknown amount of time. Maybe instead of deriding other users in an online forum, you should be patching your system, doing your part to make the internet more secure.
Again, the bug we’re discussing is a LOCAL exploit, not a REMOTE one. Patching the system won’t make the Internet any more secure.
Again, you’re demonstrating that you can’t tell the difference between a remote and a local exploit. Or you can, and are just trolling.
This is where IBM, SGI, and Novell really need to pick up the ball and start dedicating coders to auditing all Linux system call implementations and any changes being made to them during the course of Linux development.
So, OSS couldn’t do it on their own, or at least in a timely fashion, I guess.
So, OSS couldn’t do it on their own, or at least in a timely fashion, I guess.
IBM, Novell and SGI are part of OSS. So OSS actually did it “on its own” (whatever that means) and in a timely fashion.
So, OSS couldn’t do it on their own, or at least in a timely fashion, I guess.
The kernel developers didn’t discover the brk() vulnerability until it had been used to compromise the servers of major distributions. The traditional OSS approach to testing and locating such flaws, described by the adage “many eyes make all bugs shallow”, is a double-edged sword, whereby anyone may audit the source, but when a problem is found the person who discovered it may either decide to report it, or use it maliciously.
It’s not _serious_. First, it isn’t a remote hole — a user already needs access to the system to exploit this, and if people can run user commands on your web/mail server you’re already in trouble.
Yes, it is serious. A local root exploit doesn’t mean that you have to be sitting at a shell to get root access. All it means is that it requires a separate entry vector in order to wreak havoc. So someone has an unpatched Apache, but it’s in a properly suexec’d environment and can’t really do any harm if it’s compromised? That’s okay, because this person can arbitrarily execute this root exploit and wipe the entire filesystem.
They are part of OSS to make money for the most part, not to fix bugs.
They are part of OSS to make money for the most part, not to fix bugs.
Well, they have to fix bugs in order to convince people to use their products and thus make money! The two are interrelated.
You can tell how much Linux is improving by the increasing level of aggressivity of Windows zealots…
You can tell how much Linux is improving by the increasing level of aggressivity of Windows zealots…
Yep, look at all those security holes being fixed in the Linux kernel. Some of them even before there are public exploits!
“Thank you for your concern, but my system is still running fine. I guess for me the “few, but very well trained eyes” reviewing the source code of Windows XP Professional worked out a little better than those poor folks exploited by this root vulnerability.”
For you.
I will expect that those “few, but very well trained eyes” are going to stay there, or be replaced by newer, few, very well trained eyes when the profit starts to run out?
I’ve got lots of proprietary software at home that no longer has *any* trained eyes on it.
As for Linux vs. Windows security:
When I can put in systems running Windows, and expect that all the necessary security settings are made correctly, right out of the box, *including* permissions on file systems, and:
when I can expect that application developers don’t compromise such efforts by their *own* sloppy work:
Then, and only then, will I consider being paranoid about some guy not bothering to report a bug in an open-source program for purposes of compromise, vs. some guy figuring out a way to compromise a proprietary OS and just exploiting it without notification (to the tune of hundreds of thousands of e-mail viruses?)
Besides, let’s not be quiet about it. Make sure the kernel developers understand clearly what you are saying. If they change their methods accordingly, then what will you have to say? They’ve done it before.
“many eyes make all bugs shallow”
That’s the whole point, shallow. No-one is saying there will be no bugs. And no-one is saying the “many eyes” are limited to the kernel developers.
“a double-edged sword” – true but openness breeds trust, closed breeds the opposite.
The fact that “black hats” can find a bug and exploit it before it’s discovered applies to Closed Systems too.
Even with the aid of the source code, the crackers have found very few vulnerabilities. Security researchers and developers have found the rest.
…note that those “hundreds and thousands of viruses” are being spread largely by people running older versions of Windows which are no longer supported.
Where are those “few, very-well-trained eyes” for those users?
“So, basically, OSS is crap. If linux has zero bugs, it would be a lot easier to convince potential customers.”
That hasn’t been the case for other proprietary OSes – seems completely the opposite for Microsoft OSes.
Post me a URL where someone of relevance has stated Linux has zero bugs.
When you understand OSS then post an argument. Trolling is for kids.
If linux has zero bugs, it would be a lot easier to convince potential customers.
Well, lots of potential customers use Windows, and it is far from having zero bugs! Windows has local root exploits (similar in effect to the one we’re concerned with here) by design!
When GNU servers, Debian servers, Gentoo servers are owned by hackers
Well, I use Mandrake, so I’m fine! 🙂 Also, to be honest, none of the code in those instances you mentioned was compromised. So in fact, these failed attacks are proof that the system works!
Meanwhile, there are proportionately to market share 50 times more viruses and worms for Windows than Linux…Gee, I wonder which OS is more secure! 🙂
You still haven’t shown us that you understand the distinction between local and root exploits. Either you don’t (and therefore should learn more before talking about it) or you do (and are trolling).
I’m still waiting.
Making Linux better makes them more money. They have just as much of an incentive to fix bugs in Linux as they do in other products. IBM and SGI, especially, because Linux is eventually slated to replace AIX and IRIX.
@Bascule
Well, let’s compare the local and remote root exploits found in Windows this year (I’m sure there are more than the ones I quickly dug up).
Dec. 11, 2003: Workstation Service Remote Exploit:
http://www.securiteam.com/windowsntfocus/6Q00F0K8UM.html
Nov. 9, 2003: Two different RPC remote exploits:
http://www.securiteam.com/securitynews/5LP0B0AB5C.html
Apr. 16, 2003: Kernel Message Handling local exploit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/…
All software has security flaws. We should be encouraging preemptive patches like these instead of deriding them. Or would you rather have the Linux kernel developers do like Microsoft and avoid releasing a patch until a flaw is actually exploited?
It would appear that this problem goes all the way back to kernel 2.2
http://isec.pl/vulnerabilities/isec-0013-mremap.txt
Anyway, I don’t see what the fuss is about… No known exploits, and the chances are that on an unknown machine (though this kind of thing is way above my head) you would just end up crashing the box by writing crap throughout virtual memory rather than getting root.
I’ll be watching malicious expert unix sysadmins very closely when they are sitting at my home computer though.
This was actually because earlier kernel developers didn’t think it was vulnerable and later because the MPlayer team did not publish information about their compromise in early November (2 weeks before Debian’s compromise). Had they used their brains and investigated it further, they’d have found out what happened. Instead, they kept a compromised box untouched — left it online. WTF? The compromise of the Debian project was also because of a user’s compromised passwd. Had the MPlayer team reported this earlier in some way the ball would have rolled earlier. Instead, they blame Debian. All of this can be read in replies of the MPlayer thread where they flame on Debian being replaced by Slackware. The last mail, which asks a straightforward question about what they did after the box was compromised, was NEVER replied to.
*cut MSIE rant*
The 2-edged sword analogy. How cute. Blackhats can also be programmers working for the company in question. Throw in some nice trojan code, DRM function, exploitable code, and such. Examples: WMP9.0, MSIE 6.0, Windows + NSA, Miami 3.0d TCP/IP stack, Borland/Inprise Interbase trojan (for 8 years). The question is when there’s intention for such, in what kind of project will it be more likely to be found by a whitehat: in the case of open source or in the case of closed source?
You completely missed the point of my post. 3 system level compromises in a kernel’s system call implementations within one year is ridiculous. Of the three Windows exploits you linked, it appears that one is a system level compromise resulting from a system call implementation. Can you point to two others? If you’re comparing vulnerabilities of “standard” services, I can certainly link you to dozens more vulnerabilities found in applications bundled with the major Linux distributions.
Windows aside, what other operating system has seen so many system level compromises in its system call implementations in such a short period of time? It’s been over a year since the BSDs or Solaris have seen any such vulnerability, much less three within a year’s span.
While no OS is bug free, Linux has been toasted by lin-zealots as “has better security” than windows. Now with more and more security holes uncovered, the drum is coming to an end.
How many more of these bugs do we have to look forward to? Doesn’t anyone actually read these patches before applying them or has this bug been in the kernel since 2.2.x?
2.4.24 folks. 2.4.7 was the first 2.4.x kernel that RedHat considered stable. Anything before that was not production quality IMO. Most of 2.4 isn’t production quality IMO. But to find security holes like this one concerns me deeply.
Part of protecting a system is trying to keep an attacker from gaining root access to your system. If you have to keep them from getting user access too it makes our job all that much more difficult.
We use things like chroot environments and running servers under usernames besides ‘root’ because we don’t want a user to be able to break out of the jail we put them into whenever they attempt to hack our systems. But our jail now has a key in every cell, giving them root access, which in turn can let them break out.
Would the work the NSA put into the Linux kernel possibly protect against this sort of nightmare?
What nightmare? The nightmare of running several million lines of code without any assurance that it’s secure. The same nightmare we get to deal with in the commercial world, only OSS was supposed to prevent this type of problem. Many eyes, etc.
Any recommendations? Can the kernel or any software be trusted to be secure or should we always assume the worst and plan for redundancy (even in security) with no single point of failure?
No, Windows does not have many vulnerabilities resulting from the implementation of system calls. That’s because many services in the Windows kernel are not implemented as system calls, but as daemons communicating via message passing. Remember, the Windows NT design was somewhat microkernel inspired. However, all the vulnerabilities I listed give you Local System access, which is pretty much as good as a Linux kernel vulnerability.
Moreover, most of these services are critical system components that are on by default, cannot be disabled without losing important functionality (file sharing), and not easily replaceable. That makes them as bad as a Linux kernel exploit. You cannot replace the kernel in a Linux system, but it is quite possible to replace sendmail with qmail. How do you replace the Workstation Service?
Btw, there are more:
July 9, 2003: SMB Remote (requires account) exploit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/…
May 30, 2003: ntdll.dll exploit through WebDAV:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/…
Feb 5, 2003: Windows Redirector vulnerability:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/…
Partly, it’s an argument against Microsoft’s policy of running so many high-level services in the lowest levels of the OS. Even if something is not part of the kernel, but exploiting it is just as good as exploiting the kernel, then the system isn’t any more secure, it just has its weaknesses in a different place.
Such poor moderating. Oh well.
I hate to feed the arguments, but get a grip. Linux is not perfect, but it is designed to be a secured system. User experience is a secondary concern. Windows is designed for user experience, but can be secured.
Neither are perfectly secure, get over it. This is an article about a new Linux Kernel, not about whether Windows or Linux is more secure.
Given local access, root or equivalent privileges can be gained on either. Linux is a bit harder to exploit than Windows, but not impossible. Remote exploits are a bit trickier to define since most remote exploits in Linux are not kernel based so dependent on what services are running.
On this board you don’t see many pro-Linux trolls so please do not flood it with pro-MS trolls. Generally OSnews keeps to the topic without the childish arguments about which is better, and it is better for the absence. If you want to argue go to /. or other such boards.
Or would you rather have the Linux kernel developers do like Microsoft and avoid releasing a patch until a flaw is actually exploited?
Generally OSnews keeps to the topic without the childish arguments about which is better, and it is better for the absence. If you want to argue go to /. or other such boards.
I mean you Mr. Anonymous @12.242.164. (BTW the address you listed was a router for comcast by all appearances so either you were lying or have no clue. Given your inability to distinguish between remote and local exploits nothing you have said so far has really been constructive or even valid.)
Rayiner OTOH has been a fairly consistent and thoughtful contributor to these forums for the most part, though I do not always agree with him.
I don’t see any exploit around for the bug yet? Wonder if anybody works on it?
This bug is not trivial to exploit at all!
Or would you rather have the Linux kernel developers do like Microsoft and avoid releasing a patch until a flaw is actually exploited?
That’s some high minded idealism about the Linux kernel developers, however apparently you haven’t noticed that even though the vulnerability also affects the 2.6 kernels, there hasn’t been an accompanying Linux 2.6.1 release to fix the vulnerability in that branch. Why? Well, probably because at this time the only exploits in the wild are 2.4 specific (most likely due to the massive changes in the 2.6 VMM structure)
I don’t see any exploit around for the bug yet? Wonder if anybody works on it?
This bug is not trivial to exploit at all!
From http://isec.pl/vulnerabilities/isec-0013-mremap.txt :
Impact:
=======
Since no special privileges are required to use the mremap(2) system call any process may misuse its unexpected behavior to disrupt the kernel memory management subsystem. Proper exploitation of this vulnerability may lead to local privilege escalation including execution of arbitrary code with kernel level access. Proof-of-concept exploit code has been created and successfully tested giving UID 0 shell on vulnerable systems.
The exploitability of the discovered vulnerability is possible, although not a trivial one. We have identified at least two different attack vectors for the 2.4 kernel series. All users are encouraged to patch all vulnerable systems as soon as appropriate vendor patches are released.
Or maybe the kernel developers just have not finished the patch yet? Perhaps due to the aforementioned changes in the VMM structure?
Also you mention exploits in the wild? From what I read there is only the proof of concept exploit which was non-trivial to use. I don’t doubt you, just could not find a reference to an exploit in the wild.
I see you are talking about the proof of concept as in the wild. Since they did not publish the code and there are no reports of successful exploits outside of the report itself I did not think of that as in the wild. I would think you would be far more likely to flatline the system than gain escalated privileges since it looks to me like you are basically blindly poking around kernel memory space. Of course a user space program flatlining the kernel is pretty bad as well.
What do you mean by “flatline the system”? Never heard that word before.
Yes, according to discussion at linux-kernel, this bug doesn’t lead to privilege escalation (?)
I am interested in how the bug can be exploited. Hopefully more information will come soon from the mailing lists.
“flatline” means crash. It comes from the flatline you see on an EKG (or whatever the acronym for heart monitor is) when someone dies.
I thought the isec.pl link above explained the problem pretty thoroughly. Have you tried reading that yet?
http://www.theinquirer.net/?article=13420
The number of vulnerabilities in Linux and its applications should be ringing alarm bells for anyone considering using it. The Aberdeen Group has estimated that Linux open source accounted for about half of all security vulnerabilities identified in 2003, down from 70% in 2002.
Yes, I read the isec.pl message, but they didn’t provide in detail the way to exploit it.
So, what you’re saying is that the situation has greatly improved, from 70% to 50%…Yeah, we know Linux is getting better all the time, thanks for reminding us.
Also from the article:
Despite the fewer vulnerabilities in Microsoft’s products I see no reason to cheer for Microsoft. It is responsible for the majority of the application software that runs on its various versions of Windows and so regardless of where the erroneous software might be located it only has itself to blame.
But, I wonder, what about viruses? Don’t viruses count as security issues anymore? That’s right, they do. And by themselves they are enough to award the crown of computer insecurity to Windows.
Moderators please mod parent (and this) down…
Narrow the scope of the count to the kernel, a web server, browser, mail client, and mail server and the comparison might have more validity. Better yet break it down by local vs remote, severity, and difficulty of exploit. Also keep in mind not all third party vulnerabilities are included.
The author lost credibility for me when he argued that an OS written in Assembler is inherently more secure. OS/400 is more secure because of the platform and narrow purpose of the OS, not because it is inherently more secure. (V5R6 of OS/400, released last year, included a security update BTW. Guess it did not get reported wherever the list was generated from.)
Yes they do, they just did not give a sample program. It is fairly easy to replicate the vulnerability. Though it is beyond my ability to gain root with it, I could probably crash a system. It would be too much work to find the entry vectors for it and then figure out how to leverage them.
This is not the kind of vulnerability that a script kiddie could take advantage of if I understand correctly. Of course I could be wrong.
There is a difference between “Linux” exploits and Windows exploits. The majority of “Linux” exploits are /not/ Linux specific, but rather applications that run on Linux such as apache, BIND, sendmail, etc etc. Few are Linux specific – the above mentioned kernel exploit is one such example of a Linux specific exploit. A new “Linux” apache exploit, if there was one, would also apply to BSD or Mac OS X or Solaris. It’s a Unix app that happens to be bundled with many distros. However, Windows exploits are almost always OS specific – not app specific. How many dozens of updates and patches have been released for IE alone in the last two years? Remember that IE is now part of the OS. Every time I install XP I have to download dozens of patches, I rarely need to do that with Linux. Unless I’m running a service I don’t need to download the updated samba, since I’m not running it. So yeah, the claims that in the last year Linux exploits now outnumber XP exploits is patently false. I don’t think many people would include Exchange exploits as an “XP” exploit so why do the same with Linux and some random app that happens to run on it? Remember the difference between OS and app. MS has trouble keeping a freaking web browser secure, why should I trust their OS? I only recall one or two Mozilla security issues since I started using it well before 1.0, and what of Opera? It’s had issues, but not the bi-weekly issues that MS has with their gem. A web browser is a simple app, and yet…
When drumming up the “linux is better than windows” beats, security and thousands of packages always come to top reasons, yet when linux/gnu/oss get caught with their pants off, there comes this “throw out packages” argument.
Smell like lin-zealots are trying to cheat to the general public.
Now who is cheating when one said “throw out packages” argument IS working?
What Microsoft is suffering in mono-culture of environment, everybody uses the same piece of software: IE, Outlook, IIS, RPC service (for Blaster exploit).
Now Apache can run on Linux, BSD and Solaris, you can use sendmail or qmail to run email service; and then you can use Kernel 2.2 if you feel you don’t need the features of Kernel 2.4 or 2.6. Will the same Kernel/system vulnerabilities propagate like what is happening in Windows world? It is just very clear it will not because they are not the same system config.
Why is throwing out or stop using a problematic package a problem? No system is perfectly secure, period. Anybody who said [whatever name you put it] system is more secure than the others all the time is more a zealot than anybody else he claimed to be.
As we shall see, Microsoft has an engineering problem as well as a continuity maintenance problem with their product. Car companies can scratch the design of old/flawed cars and design a new one, but Microsoft somehow needs to maintain backward compatibility – it just can’t throw away the Windows system design EVEN if it finds a new and better/secure OS design WITHOUT causing painful adjustment from its customers. Linux and many libraries used to break things but with source they are free to re-compile again, now we shall see how Microsoft will be able to come up with a solution against this maintenance nightmare by balancing backward compatibility vs introducing new security function to the OS itself.
Linux and many libraries used to break things but with source they are free to re-compile again, now we shall see how Microsoft will be able to come up with a solution against this maintenance nightmare by balancing backward compatibility vs introducing new security function to the OS itself.
Basically it is this: there are the screws, nuts and scrap metals, so if your linux car is broken, you fix it.
Some geeks will sure enjoy the challenges, but most users don’t like it.
Windows is now light years ahead of linux/gnu desktop in terms of backward compatibility. We got apps that requires Novell 3.12, btrieve over IPX/SPX and they work smoothly on a win2k3 box.
This “source code available” thing only looks good on paper, if a company gives its users 4 million lines of source code, it is still a pain in the neck to tweak it to a new platform. Users would rather the company does the dirty job.
Sigh. Windows is lightyears ahead of Linux in backward compatibility? I don’t know how to respond, as I really don’t need to run old apps under Linux but I will say that Mac OS has Windows beat dead in backwards compatibility. I can run apps written for Mac OS in 1985 that will run in Panther under Classic on my G5 without a hitch. Can you run any Windows 1.x apps in XP? What about on an Opteron? Good luck. Considering how often things change in Linux it may in fact not be as good, but I do remember running KDE 1 apps in 2 without any problem so…or GTK 1 apps in Gnome 2, so maybe it’s not a problem at all.
Windows cannot run Novell apps, though if you mean it works with IPX/SPX then sure, it will. So will Linux among others. But I don’t know if merely being able to speak the /protocol/ extends to accessing Netware shares let alone running Novell /binaries/. Being that Win NT is essentially OS/2 stolen and renamed it could, at least before, run OS/2 binaries (I don’t know if 2000 or XP can, but NT 4 and earlier could) as well as work with OS/2 networks. You could authenticate a Win NT box against an OS/2 PDC and vice versa. Being able to work with non-native networks is not the same thing as binary compatibility. Linux, however, can run non-Linux binaries just fine depending on what they are. BSD even more so.
Having source code available vs not at all is a huge advantage, even if you’re not a programmer. As Bob Young was fond of saying, “would you buy a car with its hood welded shut?” I’m not a mechanic either, but having free access to the inner pinnings of my own car is a huge advantage when need be. The stated security problem that 2.4.24 fixes has not yet been exploited, which means it was run into through the source code when reviewed. What if this was a closed platform, the problem would likely not be addressed until exploited – which could take how long? This issue has existed since 2.2 they say, that’s a /long/ stretch of time. Yes, it’s embarrassing that this problem exists at all and has been in the open for so long but that it has been addressed before any known exploitation is not something to snuff at. I do take small comfort that it’s a local, not a remote, exploit so the vast majority of servers should be okay.
Can you run any Windows 1.x apps in XP?
As far as I know, this is possible, but you have to edit the headers so XP thinks those are Windows 2.x programs.
Ontopic: Linux seems to do something right, seeing as how many sophisticated trolls have started to bash it.
By now you should have figured out that he’s not interested in rational debate, but only in attacking Linux. He has yet to acknowledge the fact that there are – proportionately to market share – 50 times more viruses for Windows than Linux, and that this does represent a severe security threat, one that general users do care about, too.
> Windows is now light years ahead of linux/gnu desktop in
> terms of backward compatibility. We got apps that requires
> Novell 3.12, btrieve over IPX/SPX and they work smoothly
> on a win2k3 box.
For what it’s worth, Exchange & SQL Server 2000 does not work quite right on Windows 2003 when it was released earlier last year, I am not quite sure if it got fixed by now, or, if Microsoft advised you to upgrade to whatever Server 2003 version.
> This “source code available” thing only looks good on
> paper, if a company gives its users 4 million lines of
> source code, it is still a pain in the neck to tweak it to
> a new platform. Users would rather the company does the
> dirty job.
A company who gives source to programmers out there who can serve their customers, friends, and peer geeks alike. Not everybody will touch source code 1st hand, period. But it is _also_ a pain when programmers want to fix a program with their technical knowledge but _without_ source code available. And you didn’t answer this question: how to add new security function and feature, or redesigning the system to become more secure yet WITHOUT breaking backward compatibility?
Microsoft still faces a problem very different from other companies – it can’t create or bring a new product line by designing a secure system from scratch without maintaining backward compatibility, or its customers facing painful adjustment in doing so. It can’t restart a new product line like a car or game console company can.
I haven’t seen so many of them in a long time, and most of them are “anonymous.” Hmmm….I wonder where they’re coming from?
Hey…go back to work and fix your file permission issues, and get your application programmers to stop being so sloppy. Then you won’t feel so threatened.
Oh..and btw, be careful what you wish for from the OSS/Free-Software community.
Regarding the number of system-call issues in Linux: How many of these are we not aware of in Windows, because no one can *find* them since the source is closed? And how many of them will suddenly appear if this “my security is better than yours” war continues?
…and what about the fact that Windows has a *fundamental flaw* whereby anyone can get hold of a window handle and give themselves all the privileges of that window’s owning process? When is *that* going to be fixed?
So, here’s my point: If you’re going to use the “how many bla bla bla don’t we know about” bait, then at least have the courtesy to identify yourself. That way, we won’t have to wonder what *company* you’re trolling for.
So, here’s my point: If you’re going to use the “how many bla bla bla don’t we know about” bait, then at least have the courtesy to identify yourself. That way, we won’t have to wonder what *company* you’re trolling for.
Typical rantings of a paranoid Linux user. Obviously my work is sponsored by teh M$ and they are out to assassinate you and Linux’s character. Or I could just be a college student laughing at all of your ridiculous responses.
I hope your work isn’t sponsored by MS, because they’re not getting their money’s worth. You couldn’t even prove to us that you knew the difference between a remote and a local exploit, and in fact seem to think that they are one and the same. When confronted with this fact, you chose to ignore it.
Nah. I don’t think you’re a paid MS shill. If you were, then MS would be even more desperate than I thought.
Oh, and if you think Chuck is “paranoid” for thinking that MS would hire people to pollute web boards, then perhaps you should be reminded that MS has done this kind of dirty tricks before, creating fake “grassroots” movements to protest against its anti-trust trial (I guess they couldn’t find any real grassroots support) and stuffing Internet polls to favor their interests.
Now, since MS wasn’t above using such underhanded tactics before, why wouldn’t they still be using them today? In fact, believing that they wouldn’t would be incredibly naive, IMO.
Just to let everyone know, this issue is addressed in 2.6.1-rc2
Read the last entry in the changelog on kernel.org. It’s nice to see a fix so quick… now only if they’d include the cramfs initrd patch for Debian so that building packages for kernels ( with initrd ) wouldn’t be as painful!
Go Linux! Now let’s hope there aren’t any new remote vulnerabilities ready to surface in some major third party service. Those are what we need to worry about most at this point.
“Just because you’re not paranoid doesn’t mean no one’s out to get you.”
“Typical rantings of a paranoid Linux user”.
What makes you think so? I don’t know of any “typical Linux users” that tried to wipe out other people’s companies by violating anti-trust laws, do you?
I also don’t know of any “typical Linux users” who rant and rave about how standards bodies are too slow, and that’s why “we” have to implement our own version of an authentication system, and then turn around and claim patent rights on it. Do you?
Sorry, “anonymous”, but I’m not at all paranoid. In fact, I used to be a very strong supporter of Microsoft, and had a great deal to do with getting its products used at my job.
I would never do that again, though.
“Go Linux! Now let’s hope there aren’t any new remote vulnerabilities ready to surface in some major third party service. Those are what we need to worry about most at this point.”
Good luck. Every system I’ve ever worked on is placed at risk by the application developers more than anything else. “User Space,” Linus calls it.
Windows is no exception; in fact, I know that Windows has often been “compromised” because some important application violated some interface rule, then Microsoft had to accommodate them because users were very dependent on that product.
While I don’t expect to see too much backpedaling from the kernel developers that way, I do expect to see app developers “get around” whatever they have to if they want to sell something. Why would that be different because of a different platform?
Good luck. Every system I’ve ever worked on is placed at risk by the application developers more than anything else. “User Space,” Linus calls it.
Client apps in user space don’t concern me. But all services listening to ports should be chrooted by default, IMO.
…I see no reason anyone should care whether “anonymous” is still waiting, since “anonymous” is obviously in business to raise the already high (to him, apparently) level of paranoia amongst “linux users.”
I’m reminded of the idiot who tries to scare new bicycle riders by reminding them, over and over again, that there might be a NAIL sticking out of the road somewhere, which would blow out their tire and make them fall down.
What I’m waiting for is to see if a person who feels he has to be so nasty about Linux is courageous enough to identify himself.
I figure I’ll probably be waiting forever, and meanwhile the Linux volunteers will do their best to prevent further incursions into their systems, and to improve their coding skills.
Which is, after all, the only point worth considering in any of this.