PDA

View Full Version : Serious Linux Security Flaw Found


RobertoOrtiz
12-02-2003, 07:13 PM
Quote:
"A serious vulnerability in the Linux (news - web sites) 2.4 kernel has been discovered. The flaw allows users on a Linux machine to gain unlimited access privileges, according to a security advisory posted by developers of the noncommercial Debian Linux distribution.

The bug affects versions of the Linux kernel prior to 2.4.23, and was the method used during a recent attack on Debian's servers, according to the advisory. In that attack four Linux servers that hosted Debian's bug tracking system, mailing lists, and various Web pages were compromised."

>>link<< (http://story.news.yahoo.com/news?tmpl=story&cid=1093&ncid=1093&e=3&u=/pcworld/20031202/tc_pcworld/113700)

-R

halo
12-02-2003, 08:32 PM
yeh, note that its unpatch systems that are affected....

Ckerr812
12-03-2003, 01:09 AM
I gotta say...I like linux, I love the idea microsoft has competition.

With that said, Linux is made by hackers for hackers. I know a few people working for a major linux company, and I gotta say these people are downright shady with a deep passionate dis-like for microsoft.

That being said, there are alot more linux flaws then people know, but they are not broadcast over the net like microsoft vulnerabilites are because linux is "open", so it's kinda like honour amoung theifs, keep it silent and nobdy knows, the best hack is the one nobody knows about.

Probably people won't agree with me, and that's cool, but I have met these people and saw it with my own eyes a major corporation using linux compromised. I will never ever get linux for my home pc unless I was a huge hardcore software engineer and could compile everything custom.

MCronin
12-03-2003, 01:42 AM
You're right people won't agree with you. Linux is not created by hackers for hackers. Linux developers are very organized, bugs and security issues are announced and fixed immediately, the kernel is audited often, and all code is thoroughly scrutinized and voted on by the development group before being included into the standard kernel. You should take a look at the Linux developer list before making ill-informed statements like this. Yes there are people in their basements and bedrooms writing code for Linux, but many major corporations and government agencies and institutions of higher education around the world are involved in development and have a lot riding on Linux. There will always be bugs and security holes in every piece of software but saying that Linux developers have a conspiracy to keep them secret is ridiculous.

Ckerr812
12-03-2003, 02:03 AM
Originally posted by MCronin

saying that Linux developers have a conspiracy to keep them secret is ridiculous.

hehe..Yea..I know I would get some die hard linux people defending linux to the death!, believe me, I say I use microsoft and I get a 2 hour lecture from this group of people everyday...it's funny..lol, they really need girlfriends!

I am not one to argue to often so..whatever..I just laugh it off and use whatever I am given :) I am sure there are legitamate linux devs out there....but the downside of open source is that there are also some shady devs out there.

Edit- BTW mcronin, I agree with you, it's just that there is a down side to linux that dosen't get played up on the net as much as microsoft, that's all I am saying, nothing more :)

malducin
12-03-2003, 05:28 AM
I know I would get some die hard linux people defending linux to the death! ... they really need girlfriends!

Just the same for Microserfs.

but the downside of open source is that there are also some shady devs out there.

probably much less than on the MS side. After all if you have the source you can personally check if there is anything shady. What about in tthe MS world where you have countless virus and worm writers, spyware, apps that contact home, and even MS putting stuff to track users without letting them know or not disclosing vulnerabilities nd when they do they take ages to patch them.

Sure there are a few shady opensource people, but unless you got better facts I don't know how can you ignore the more serious flaws in the MS side. Most good open source developers will tell you about the models weaknesses.

RealThing
12-03-2003, 09:39 AM
Windows will always have bugs. Linux will always have bugs. Our 2d and 3d software will always have bugs. As long as humans are writing the code this is a fact of life that all software users and developers have to live with. Now having said that I run and like both Windows and Linux but my experience with both has taught me that Linux is the more secure of the two. Response time to security issues are about the same between the two but both are capable of reacting quickly if something critical is brought to their attention. The major difference is how the 2 camps deal with the issue when it comes up...more on this later.

I'm just talking about OS security issues not http, ftp, ssh, or mail servers security issues here.

The typical *nix security issue almost always requires that someone with an account on the machine run something on purpose with ill intent as is the case with the flaw that started this thread. So this is a very deliberate and targeted attack which requires some user interaction. This is of course the most difficult type of attack to protect against since the attacker has an account granting them access to the computer. This is also an area where Windows really has more trouble than Linux does. The typical windows security flaw these days tend to result in an exploit capable of spreading themselves nondiscriminatory across the internet. In most cases the users are unaware that they have been infected and are in turn infecting other users so this type of attack is not deliberate and requires no user interaction. That is by far the most dangerous type of security issue.

As I said earlier it's hard to tell how fast fixes come out for problems once they are found b/c of Microsoft's security through obscurity approach. I personally prefer the open source disclosure approach to the issue and I do know that security issues are typically dealt with in a more proactive manner in open source software due to the fact that you have alot more eyes watching the code. These eyes are not hackers as you suggest but in many cases are very skilled programmers who work on linux full time at large corporations which have a vested interest in making linux an enterprise level OS such as IBM, SGI, SUN, and Novell. In fact even this linux security flaw was discovered and fixed a month ago. Now MS likes to pretend that they fix security issues quickly but in fact they only disclose security issues when a fix is available and even then they don't get into details. But rest assured the people who shouldn't know about the exploits like virus writers and hackers know all about them. What difference does this make you may ask. Well the whole MSBlaster family of worms could have been avoided if they had just let users know that there were security concerns so that users could take steps to protect themselves until a proper fix was released. All they had to do was tell the users to block port 158 or whatever it was and virus writers wouldn't have wasted their time since it would have taken away their easy target. MS's idea of security through obscurity just doesn't work. The only ones left in the dark are the potential victims.

Now I don't know about you but if there's a potential security exploit out there I'd much rather know what to be on the look out for, how to avoid it, or how to detect it. So that I can have my guards up instead of getting sucker punched.

playmesumch00ns
12-03-2003, 09:51 AM
RealThing: Hear hear!:applause:

CGTalk Moderation
01-16-2006, 08:00 PM
This thread has been automatically closed as it remained inactive for 12 months. If you wish to continue the discussion, please create a new thread in the appropriate forum.