Major Linux security glitch lets hackers in at Claranet

A major security vulnerability in the Linux kernel, which was revealed on Sunday, has claimed its first confirmed UK victim in business ISP Claranet. Hackers used a bug in the sys_vmsplice kernel call, which handles virtual memory management, to gain root privileges and replace Claranet customers' index.html files with the …

COMMENTS

This topic is closed for new posts.

  1. Adam Williamson

    Oh, the crap is flying here. Tim and others, re disclosure.

    For the benefit of Tim and others:

    yes, this case is slightly unusual - because there was public disclosure before the bug was fixed (albeit by a couple of days; most distributors had official updates available Tuesday).

    Yes, Tim, we have a perfectly mature private disclosure system for Linux security issues. There is an established process whereby serious security issues are privately disclosed by security researchers to other security researchers, the developers of the affected component, and distributors.

    The issue is then verified, fixed, the fix is tested, and the public disclosure is made at the same time as the patches are made available by the upstream developers and by distributors.

    In this case, the issue leaked to the public slightly prematurely, no-one knows how yet, AFAIK. Usually, there would be zero window between the public disclosure of the vulnerability, and the availability of official updates.

    Usually, security researchers only break this process when they don't believe the issue is being worked on sufficiently urgently, which isn't ever the case for kernel security issues, which are always handled as a very high priority by the kernel developers.

    (Compare to Microsoft's "once a month, you get to be slightly secure!" policy).

    And for the most recent AC, they *really* ought to be using separate virtual machines for each user in a hosting setup. Or at least chroot jails. As someone earlier pointed out. This is at least 60% the fault of bad setup on Claranet's part (as most compromises usually are, for any OS).

  2. Adam Williamson

    Jay:

    except that the Ubuntu disc you installed comes with a complete set of applications for doing just about everything (all of which need patches), and Windows comes with...er...IE. And Paint.

  3. Andrew

    Wasted half my coffee reading the comments.

    "if operating systems were compared to, say, a mosquito net, Linux would be a mosquito net with a few small holes in it, while Windows would be a mosquito net made from chicken wire."

    "whilst MS will develop and thoroughly test the patch behind closed doors"

    Managed to spray coffee over the monitor on two occasions. Funniest comparison of windows to linux I've heard in a long time. While I'm not sure what planet Tim was on when writing the second comment. I've lost track of the times I've had to roll back patches after MS Auto update ignored the settings and installed a patch onto a production server that promptly broke half the other software running on it or restarted the server in the middle of a backup run (Auto updates were set to ask before downloading or installing). While the recent debacle with Office, where a service pack stopped it from opening its own files, had the technical team dreading the phone ringing with another client moaning as they could no longer open their word documents. How the hell did that make it through "thorough testing".

    I use both Windows and Linux for work and home. I use the one that's best for what I need, however I find myself cursing MS stupidity more and more lately while having less and less support calls from the clients using linux (desktop and server roles).

    Nice one to the developers for getting the fix out so soon after the disclosure of the vulnerability, rather than trying to bury the existence of it while taking months to develop the necessary patch.

  4. Colin Wilson

    Windows updates vs linux (any flavour)

    The talk about the number of updates between the two systems, and the relative security offered by both need to be looked at in context.

    Take two machines...

    1) Install the standard WinXP (first release, not SP2, which was basically a complete re-write - or for that matter, use SP2, it still has holes) - DON'T use a separate firewall, virus checker, or spyware detection, and don't bother updating - most users are still too dumb to bother - if you're really brave (should that be stupid?) try browsing a few salubrious sites.

    2) Install linux (pick a flavour, any flavour). Don't update etc as above.

    Stick both online, and see how long they last before they're completely owned by an unknown third party.

    Going back 2 years or so, the lifespan of a "virgin" XP box was down to about 8 seconds of first being connected to the internet before it was well and truly rogered and turned into someone else's bot-bitch.

    If the linux machine lasts more than that, you have your winner.

  5. michael

    statistics, more statistics and bull

    This my OS is better than your OS ego tripping that goes on is getting very very boring.

    The simple fact is that if the most popular operating system in the world was Linux, then all the hackers would be focusing on it instead of windows and I bet a lot of vulnerabilities would crop up just as we see in windows all the time.

    P.S. I use both.

  6. heystoopid

    The wonders of open source

    The wonders of open source and the marvel at just how quick the security fixes come rather than the usual six to ten month wait from the Redmond Campus mob or the questionable thieves out Cupertino way who pay lip service to GPL for their operating systems !

  7. Patrick

    Windows in perspective.

    Just for perspective, Vista SP1 fixes 551 bugs (rolling in 551 separate hot fixes) and 23 security updates alone. Just something to keep in mind while comparing the security problem of Windows to Linux or to OS X or to xyz alternative.

  8. Anonymous Coward

    Linux is unsafe

    and Windows is safe. The fact that most servers around run Linux, and most botnet zombies run Windows might be a clue. Or not?

    But no system is 100% foolproof. That's why they should have been using a less recent kernel probably. The main difference between Win and Lin on this ground is that testing/unstable thingies are labeled as such in the open source community, as opposed to MS who sell their beta stuff as stable, and discontinue them as soon as they are stable (if and when it ever happens).

  9. Andrzej

    Message to Jay

    @Jay

    XP SP1- updates from 24 security bulletins and 297 hotfixes

    XP SP2- 60 security bulletins and a whopping 666 (no, I did not make that number up) fixes

    Now do some basic math (hopefully your math skills are better than your IT knowledge) and add 297+ 666 + 60(taking your word on this) = 1023 +/-

    Another windowz n00b skooled.

  10. John Benson

    Half a league, half a league, half a league onward...

    Into the Valley of Death plunged the bug hungry.

    So Linux has a bug, I guess that proves it's inferior.

    As to closed source versus open source, some of the arguments sound like "what you don't know (without a disassembler) can't hurt you". In other circles this is known as "security through obscurity" and generally avoided on principle.

    In my personal experience I've seen a lot more BSODs than kernel panics, but your mileage may vary.

    I'm also noticing that CentOS 5 seems a lot more solid than Fedora 8 (well, duh). So it's probably fairer to compare boring, stable, old, patched releases of Linux to boring, stable, old, patched releases of Windows.

    I think it's perfectly fine to say "I like Linux/Windows because..." without feeling compelled to add "because Windows/Linux is a cartful of nightsoil, that none abideth the stench thereof."

    (If I do, however, it's because the Devil made me do it...)

  11. Anonymous Coward

    If the OS market share split was 50 50...

    between Linux and Windows, you would still find more exploits in Windows.

    It is beginner usability versus security that is the main reason windows is open to exploit. Open source does enable security flaws to be found earlier, and people do wade through the kernel code, and the netfilter code checking security all the time. Applications depending on what they are may not get the advantage of Open Source security reviews, and of course obfuscation does work well with security tools, but you add a risk of introducing an error.

    MS engineers tend to focus more on the UI and the end user experience, the tech crowd are on Unix where there is more emphasis on good security practice, though of course things do slip through the net.

    If you really want security OpenBSD is probably the OS you want, unless you want to harden Linux yourself. But, look what OpenBSD does to your usability. There is some truth about the OS not being the be all and end all, but a tank is more secure than a bicycle on balance :)

    I thought the honeymoon period was over with Linux, the number of actual exploit attempts has been on the increase, I think we have inherited the Windows crackers :) There was a time period where people would not deliberately target Linux because of their own use and like of the OS, those days appear to be gone now.

    There are loads of security flaws found all the time in Linux - but not all are critical and they tend to get patched fast and I suppose you should practice security in-depth, but it is very hard to make a usable multi purpose hardened system.

  12. Dave

    @Jay

    Your XP fixes were solely to the OS and probably required multiple reboots (although MS are getting better about that now), the Linux stuff not only includes the latest OS fixes but application fixes as well (not all of them are fixes, some are features).

  13. Rich Turner

    MS not as often to blame as you may think!

    One of the biggest problems with Windows is its popularity. Quite honestly, by far the biggest threats to your Windows based PC is running crappy software from various sources that don't take security and reliability seriously. Good examples include Real, Adobe, Sun and Apple ... as evidenced on the Secunia site today (see below).

    It doesn't matter what the OS is ... if it's pretty much #1 then chances are that it's going to see the largest volume of hackery. Just be glad Linux isn't the world's most used OS!

    From Secunia (2/14/2008):

    During the last 24 hours, we have seen security updates for some very popular Windows programs from four major vendors: Sun, Adobe, Apple, and Skype.

    Based on these four security updates, we have gathered some statistics from our free Secunia PSI that shows a startling picture, detailing the amount of users who need to patch their computers, in order to safely do something as ordinary as surfing the Internet.

    Currently, the Secunia PSI has been installed on 282,726 computers.

    Unique installations, counting each application only once per computer:

    Adobe Reader 8.x      172,653   61.07% of all computers affected
    Apple Quicktime 7.x   133,169   47.10% of all computers affected
    Sun Java 1.5.x         98,618   34.88% of all computers affected
    Skype 3.x              57,496   20.34% of all computers affected

  14. Anonymous Coward

    Just a point

    Linux flaws appear every week without fail, they just don't get reported as often as windows flaws as sites like this seem to be going along with the 'MS is evil' bandwagon.

    As for comments like

    '2.6.23 is a very new kernel to be running in a production environment'

    For quite a while now, linux users have been crowing about how quickly things get fixed and their system automatically updates itself with the patches, while complaining about automatic updates from MS. Seeing as this is a new kernel, it's more than likely that the sysadmins had auto update enabled to save themselves time and effort so what's the difference between that and what MS offer? They both screw up occasionally.

    Nothing is perfect

  15. Anonymous Coward

    MS engineers tend to focus more on the UI and the end user experience ...

    Total utter and complete rubbish. Sorry, but you're utterly wrong here. For the vast majority of MS product groups, the internal guts of our apps and systems get FAR more attention than do the UI.

    The difference between Microsoft and the Linux world, however, is that Microsoft gives a damn and does spend considerable effort making their apps and systems easy to use, easy to manage and easy to support.

    A good example of this is that no Windows user has to recompile their OS' kernel to apply a patch.

    And when it comes to patching issues in the OS ... the fact that the Linux community releases patches to it's kernel within a day or two of fixing an exploit clearly illustrates that you don't run full test and regression suites against your patched kernel. That's left to the distribution owner. And they rarely do this either because it takes care, time and money ... something that most distros' owners are relatively loath to give up. This IS a benefit of Windows - you can be considerably more sure that a fix doesn't break you, and if it does then it's for a damn good reason.

    And to your latter point ... there are tons of vulnerabilities found in practically every OS in use today, and yes, not all are even interesting, let alone fatal. This applies to Windows too.

  16. Smitty Werben Jueger Man Jenson

    new banned word for El Reg

    'Fanboi'

    Seriously. If this keeps up we will all start spelling like an AOL chatroom full of 12 year olds.

  17. tardigrade

    @AC Patching and all that.

    "Seeing as this is a new kernel, it's more than likely that the sysadmins had auto update enabled to save themselves time and effort so what's the difference between that and what MS offer?"

    Just a small point to explain. The update software used, 'apt' or 'yum', by default doesn't auto-upgrade the kernel. To do that you would usually have to manually force a kernel update.

    A standard distro of debian will have a cron job set to call apt-get each night to update using 'stable' lists and 'security update' lists stored in /etc/apt/lists/. So you don't get bleeding edge updates that can cause breakage nastiness from unstable lists but you do get security fixes by default if an 'issue' arises as in this case. Hence my server is now auto-patched, but without forcing a kernel update to a bleeding edge version. :)

    Apt is one of the smartest tools that I've seen on any platform for this purpose. If it can't resolve dependency issues without breaking another app then it will skip to the next update and leave you a message in the system logs to tell you what it didn't want to do. Hence my custom BIND and Sendmail hacks don't get wiped out by the auto-update process each time a newer 'stable' version of said app is released.

  18. david

    Local root exploits

    "I'm not sure it makes sense to compare with Windows.

    "Does Windows even attempt to protect itself against untrustworthy local users?"

    This is the thing: all Linux/BSD users I know work from a position of deep ignorance like this.

    Some of my best friends are Linux/BSD/Solaris administrators. I don't expect them to master two operating systems. They try not to boast about their ignorance.

  19. Anonymous Coward

    @Slackware has

    > the patched Kernel available now I would suggest getting it and installing it. If you're

    > lucky enough to be using Slackware.

    Or you could go completely spartan and build the latest 2.6.24.2 kernel yourself. I did that two days ago with my Debian Sid machine (yes, I'm that insane to run something that experimental).

    As for perfection, nothing is perfect. Linux does have flaws here and there. So does Windows, Mac, etc.

  20. Dan

    Correction?

    There are TWO PoCs floating around, making 2.6.17 onwards vulnerable.

    One is for the issue introduced between 2.6.23 ~ 2.6.24 (Diane Lane).

    The other is for 2.6.17 ~ 2.6.24.1 (Jessica Biel).

  21. Anonymous Coward

    @ Total Utter and Complete Rubbish

    I am guessing you are an American - reread what you quoted :

    'MS engineers tend to focus more on the UI and the end user experience.'

    and then combine it with your statement:

    'A good example of this is that no Windows user has to recompile their OS'[sic] kernel to apply a patch.'

    See there is a tendency (which is an interesting English word), to worry more about the end user experience, and I think you have proved it.

    The UI is not just a GUI, it is how the user interacts with a system. From what I can see I am actually being a bit charitable I don't really rate the UI of Windows that highly - so you can only imagine what I think about the internals.

  22. Quirkafleeg

    Re: Linux is more secure - not completely secure

    “It only effects the 2.6.23 kernel”

    How does it cause a kernel? Do tell.

    Anyway, 2.6.22.18 was also released on Monday, with a similar fix for the same bug (the fact that it wasn't the same fix drew some comment on the kernel mailing list). 2.6.21.*, which is also vulnerable, is no longer maintained by the kernel people so no fixed kernel has been released on kernel.org – DIY patch, or wait for your distribution to provide an update. Same goes for other kernels back to 2.6.17.
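
    A defender's inventory check built only from the version ranges that Dan's and Quirkafleeg's comments above give (2.6.17 through 2.6.24.1 affected; 2.6.24.2 fixed; the 2.6.22 branch fixed in 2.6.22.18). This is an added example, not code from the thread or from kernel.org; the function names and the integer encoding are this example's own assumptions, and because it compares upstream version numbers only, a distribution kernel carrying a backported fix keeps its old version string and is still reported as vulnerable by version.

```shell
#!/bin/sh
# Added example: classify a kernel version string against the ranges quoted
# in the comments above (vulnerable from 2.6.17 up to and including 2.6.24.1;
# fixed in 2.6.24.2, and separately in the 2.6.22.18 stable release).
# It compares upstream version numbers only; a distro kernel with a
# backported fix keeps its old version string and still shows as vulnerable.

# Encode "a.b.c.d" as a single integer for range comparison. A distro suffix
# such as "-1-amd64" (or a trailing "+") is dropped; a missing component
# counts as 0. Assumes (this example's own simplification) that the minor
# number is below 100 and the last two components are below 1000.
vernum() {
    v=${1%%[-+]*}
    case $v in
        ''|*[!0-9.]*) echo "vernum: cannot parse '$1'" >&2; return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    a=${1:-0}; b=${2:-0}; c=${3:-0}; d=${4:-0}
    echo $(( a * 100000000 + b * 1000000 + c * 1000 + d ))
}

# Print one word: notaffected, fixed, or vulnerable (by version number only).
classify_kernel() {
    n=$(vernum "$1") || return 1
    if [ "$n" -lt "$(vernum 2.6.17)" ]; then
        echo notaffected    # predates the affected range quoted by Dan
    elif [ "$n" -ge "$(vernum 2.6.24.2)" ]; then
        echo fixed          # 2.6.24.2 and later carry the fix
    elif [ "$n" -ge "$(vernum 2.6.22.18)" ] && [ "$n" -lt "$(vernum 2.6.23)" ]; then
        echo fixed          # the 2.6.22 stable branch was fixed in .18
    else
        echo vulnerable     # inside 2.6.17 .. 2.6.24.1 and not a fixed point release
    fi
}

# Stand-alone use: check the running kernel, or the version given as $1.
# Constructed input "2.6.24.1" prints: 2.6.24.1: vulnerable
k=${1:-$(uname -r)}
printf '%s: %s\n' "$k" "$(classify_kernel "$k")"
```

    A "vulnerable" result for a distribution kernel (say a Debian 2.6.18-x package) means "check the distributor's advisory", not "unpatched": as the thread notes, distributors shipped fixed packages under their existing version numbers.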

  23. David

    @"MS engineers tend to focus" AC

    "A good example of this is that no Windows user has to recompile their OS' kernel to apply a patch."

    No. But I've never compiled a single program on Linux, and yet I've been running it for years.. (for that matter, I've serviced many Linux installations, and am yet to see a single virus or piece of spyware or other malware.. whereas I've seen thousands for windoze, often on a single machine)

    "And when it comes to patching issues in the OS ... the fact that the Linux community releases patches to it's kernel within a day or two of fixing an exploit clearly illustrates that you don't run full test and regression suites against your patched kernel. That's left to the distribution owner. "

    True, but...

    "This IS a benefit of Windows - you can be considerably more sure that a fix doesn't break you, and if it does then it's for a damn good reason."

    Actually, again, I've never had a patch on Linux break anything. Nor have I heard of that happening, although it is likely to happen eventually I guess. Whereas the reason I dumped that piece of foul shit known as "Vista" and installed XP a couple of weeks back is that an update to vista killed my favourite game (which is windoze only, for the moment), and a later update killed all the networking so no chance of further updates. So because windoze patches broke the whole system. I guess by locking out all networking it did make it more secure but....

    Oh.. And the fact that m$ takes months and so forth to test the patches means that it takes months for a vulnerability to be fixed from the time it is discovered, whereas with Linux, generally you're looking at a few days..

    m$ better? Only for making me enjoy using Linux.

    (Oh, and thanks for vista. Really. The best windoze ever! I am getting to convert so many people to Linux because it is so rubbish! I really appreciate you guys putting that out like you did. Honest!)

  24. Anonymous Coward

    @AC 14 Feb 23:44

    If you really are an MS employee ("our apps and systems") you've done your employer no favours, all you've done is confirm that you're clueless, which (in many people's experience) is fairly typical of MS employees... Like other posters, I've been using Linux for a while, e.g. Red Hat on and off since RH4, SuSe since SuSe 8, and not once have I needed to recompile a kernel.

    Yes I sometimes read about kernel patches to enable particular bleeding edge functionality but these are things that Joe Public or even Joan Corporate IT Department does not have to do. If you don't understand the difference, try popping along to your local Linux User Group for some enlightenment.

    Take some of your spare Vista CDs along too, they may find a use as drinks mats, 'cos Joe and Joan aren't interested in buying them are they.

    "MS ... apps and systems easy to use, easy to manage and easy to support."

    That's your opinion. I don't share it, and once you move out of the netherworld of Microsoft-funded consulting opportunities, a lot of other people don't share it either.

    "patches to it's kernel within a day or two of fixing an exploit "

    Hmmm. Having business-critical patches tested by distro builders doesn't suit MS needs this week then? Well given that was pretty much the approach MS initially tried with Windows DataCentre Edition (want a critical patch for DataCentre Edition on your Compaq Proliant? Only Compaq can provide it (ditto HP, Dell, etc) and there may be a delay of some months while the critical patch is "qualified" by the DataCenter OEM), perhaps you can enlighten us on whether MS still see that as an appropriate route to the user base for critical updates on enterprise-class systems? Or maybe MS accepted that Windows really doesn't belong in proper enterprise-class datacentres, 'cos that's what anyone with a clue knows?

  25. David

    A good reason?

    "This IS a benefit of Windows - you can be considerably more sure that a fix doesn't break you, and if it does then it's for a damn good reason."

    So I guess MS has "a damn good reason" for disabling poor ol' Gus Bains's sound?

    See http://www.theregister.co.uk/2008/02/13/patch_tuesday_february/comments/#c_155002

    :)

  26. David

    Another good reason?

    "This IS a benefit of Windows - you can be considerably more sure that a fix doesn't break you, and if it does then it's for a damn good reason."

    Also there's that other "David" a couple of messages below that? (Although having Nortons, his machine was probably pretty well broken anyway! :) )

    Again, see :)

    http://www.theregister.co.uk/2008/02/13/patch_tuesday_february/comments/#c_155002
