Major Linux security glitch lets hackers in at Claranet

A major security vulnerability in the Linux kernel, which was revealed on Sunday, has claimed its first confirmed UK victim in business ISP Claranet. Hackers used a bug in the sys_vmsplice kernel call, which handles virtual memory management, to gain root privileges and replace Claranet customers' index.html files with the …

COMMENTS

  1. Anonymous Coward
    Heart

    I hear...

    ...that it was domains starting with a number, A or B. Time to register zzzzz.com!

  2. Jamie Kitson

    I Wonder...

    I wonder what distro Claranet are using. Debian's only on 2.6.24 on unstable, and as far as I am aware odd numbers, eg, 2.6.23, are dev/testing only, no? What were they doing on 2.6.23/4 in the first place?

  3. Anonymous Coward
    Happy

    I thought Linux was secure

    And this is the problem. With all you Linux fanbois harping on constantly about how secure your system is you tend to forget that believing your own bullshit compromises your systems.

  4. Anonymous Coward
    Coat

    Uh-oh..

    Get your asbestos underwear on - here comes the flame war as the Windoze mob finally get to crow about a vulnerability in Linux!

  5. paul
    Stop

    bleeding edge

    "The affected system call first appeared in version 2.6.17, but wasn't left open to exploit until changes were made with the 2.6.23 kernel."

    2.6.23 is a very new kernel to be running in a production environment.

  6. Alan Donaly
    Linux

    Slackware has

    the patched kernel available now. I would suggest getting it and installing it, if you're lucky enough to be using Slackware.

  7. Simon Painter
    Gates Halo

    Well it's a good job...

    It's a good job they were using Linux as I frequently hear that it is so much more secure than Windows.

  8. Martin Owens

    Fixed

    As far as I know I got a patch for my Ubuntu desktop's kernel yesterday, so it took less time to fix and distribute across several levels of community than it took for the hotfixing gunk to be made.

    I have to laugh because it's pretty much a few lines change to fix. Though I was quite impressed following the issue how transparent the whole process was.

  9. Anonymous Coward
    IT Angle

    I got hit...

    My hosting company in which I have a reseller account was hit on Sunday as well. And none of my domains start with a number, A or B, so it was much more than that. All the index.html, index.htm, index.php files were overwritten.

    Thankfully Linux is so secure and Windows is the only flawed OS on the earth.

  10. Chris
    Gates Halo

    Proof that Open Source Software is DANGEROUS

    This is exactly why closed-source proprietary software like Microsoft Windows is safer, because hackers don't even need to reverse engineer the cancer that is open source code in order to see how it works.

    And before any of you Linux fanboi losers sad enough to flame me suggest that I am a Microsoft employee, I am not. I can only count on two hands the number of times I have visited their HQ.

  11. Anonymous Coward
    Linux

    so few comments

    on a major security flaw affecting potentially thousands of users, oh that's right, it isn't a Microsoft product. I guess all those that go round telling people that "I use Linux so I don't need to worry about security" are not too keen to raise their voices?

  12. James Smith

    FreeBSD

    FreeBSD for the win.

    Linux is the ghey.

  13. Sean Purdy

    Re: I hear...

    That's probably because "Within 10 minutes Claranet contained and halted the malicious activity" i.e. the script probably worked alphabetically and didn't get time to do the whole lot.

  14. Simon Greenwood

    re: I hear...

    Quite obvious if you think about it: if you gain access to a virtual hosting server's filesystem, the host directories will be in alphabetical order, so an exploit script would traverse the directory tree in the same way. I can remember when ClaraNet was BSD...

  15. Anonymous Coward
    Paris Hilton

    Nothing unexpected

    A company where the technical staff cannot be bothered to interview candidates so they let the HR and secretaries perform technical interviews with multiple choice questions they cannot even read correctly. Why am I not surprised...

    As Graig Lake used to say "We get whatever Christmas we deserve..."

    Paris hilton as most appropriate approximation of an eastern european HR lass performing an interview is most appropriate here...

  16. Madeye

    @ Chris

    Looks like you've got your lips wrapped firmly around Bill Gates halo *slurp*

  17. Anonymous Coward
    Anonymous Coward

    Local root exploits

    Local root exploits in Linux (by which I mean core parts of a Linux system) aren't all that rare. I would guess there's at least one a year. So, you can't have lots of untrustworthy local users on a Linux system and expect this sort of thing not to happen every now and then. The usual solution, for hosting companies, etc, is to use virtual machines to separate the users from each other, though quite a lot can be done with chroot jails if you don't mind giving the users a very restricted environment.

    It's not clear to me from the report whether Claranet was attacked by a "legitimate" local user or whether there was also some kind of remote exploit used to gain access in the first place.

    I'm not sure it makes sense to compare with Windows. Does Windows even attempt to protect itself against untrustworthy local users?

  18. Orclev
    Linux

    Bah

    The difference here between Windows and Linux is that when the vulnerability was discovered in Linux there was a hotfix and a patch out almost the same day, and every vendor should have a patch out in less than a month. It also doesn't affect too many production systems as it's only a very narrow range of versions that are affected, it just happens to be that a couple of the biggest distros are currently using one of those versions. If it had been one of the smaller distros you probably wouldn't have even heard about any sites actually getting hit by this. Contrast that to Windows where the response is usually to sweep the vulnerability under the rug and put out a patch in a month or two. In Linux, if you were inclined you could compile the patch and install the hot fix as soon as it was released and you would have had a window of vulnerability of less than 2 days. In Windows you're at the mercy of Microsoft and there's nothing you can do about it until they decide to release a patch in a month or two.

    As for this particular vulnerability, I find it interesting that production systems were hit, as it shouldn't be remotely exploitable. It's a privilege escalation attack that requires permission to compile (or download) a binary and execute it on the target machine. Sounds like maybe they're running something else in need of a patch, or someone brute forced or social engineered their way onto the system.

    Also, despite what I said I do run Windows for specific things (gaming), but I also use Linux and OS X where appropriate (work and laptop respectively). I do think Linux and OS X are superior to Windows, but you have to use the platform your programs require.

  19. Robert Grant

    HAHA Linux losers! Windows 1 : Linux...234786234

    Let's be honest, if the same number of Linux users commented like this on every article that reported a Windows vulnerability, old El Reg'd need to host its comments database on one of those Google portable datacentres.

  20. Peter W

    quick! linux security problem!

    windows supporters - ATTAAAAAACKK!!!!!!!!!!

    despite the fact that it's literally 1 problem, already fixed.....

    btw, I'm not a linux fanboi. Just find it funny when the windows fanboi's retaliate for any and everything, and exhibit confirmation bias in bucketloads....

  21. Fully Groan

    Erm..

    Isn't this a local exploit? Did the perps register an account or just hack in to someone else's shell? Doesn't say much for the password policy eh!

  22. Sirus Black
    Boffin

    To All The Fanboys ( both win and linux )

    Nothing Is Perfect.

    I am Not a Windows Fanboy..

    I am using Windows XP for 3 years and never got a BSOD.

    It mostly hangs and I press the reset button.

    I am Not a Linux Fan boy

    I used Ubuntu for a month. It sucks. I liked using Win.

    So FLLLLLLLAMEEE ONNNNNN

  23. Darren Coleman
    Black Helicopters

    Disclosure != vulnerability

    I'm a big fan of open source - I run Linux at home, administer it at work (alongside Windows), and even own a Macbook Pro. - so my thoughts aren't tainted by any agenda :)

    That said - just because this vulnerability was fully disclosed a few days ago and patches came out shortly after, doesn't mean to say that this vulnerability hasn't been in the wild for quite some time or that the time taken from public disclosure to patching makes Linux inherently more secure. For all we or anyone knows hackers may have been using this to root servers for months (2.6.17 has been out a while).

    This is a BIG vulnerability in the kernel and the code involved should really have been picked up by peer review. I can only assume through a basic understanding of the process by which kernel patches are approved that the vmsplice code was added to the kernel without a great deal of analysis.

    I think this vulnerability just goes to show that no code is totally secure, and source being open does not guarantee security or quality.

  24. Anonymous Coward
    Linux

    Been there, fixed that

    The fix for Ubuntu came out a couple of days ago.

    Yawn.

    https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.22/+bug/190587

  25. Edward Rose
    Alien

    Excellent....

    Nice to get a reminder that I shouldn't get tooooo complacent.

    Mind you, never run bleeding edge kernels or major software anyway.

    Alien: Well, ..... someone must have planted the bug ;)

  26. Anonymous Coward
    Linux

    Linux is more secure - not completely secure

    First a few things to note about this security hole

    a) It can only be exploited by someone with access to the system.

    b) It only affects the 2.6.23 kernel, anyone stupid enough to be running that in a shared user/web hosting environment deserved what they got

    c) It was fixed in all versions of the kernel within a few hours of first being spotted (and that's the benefit of open source).

    d) Just because something is closed source, that doesn't offer security. It's more likely to protect flaws which are being actively exploited from discovery and give criminals much more time to exploit them. Some Windows flaws have been exploited for over a year before they were even noticed and several weeks passed beyond that before fixes became available.

    I'd welcome every single security researcher out there to turn their attention to linux. They will find flaws faster and linux security will improve at a greater rate.

    Most informed Linux users have never claimed 100% security. Usually it's the Windows fan boys who twist words because that's the only way they can deal with what they perceive to be a threat to their way of life. However for most people security is only one aspect of choosing linux and incidents like this aren't going to stop the increasing take up of linux worldwide.

  27. Morely Dotes
    Linux

    Re: I thought Linux was secure

    No, it's not totally secure. Nothing is.

    Linux is simply more secure than Windows because of major design differences; if operating systems were compared to, say, a mosquito net, Linux would be a mosquito net with a few small holes in it, while Windows would be a mosquito net made from chicken wire.

  28. Timothy Slade
    Boffin

    RE: I Wonder... By Jamie Kitson

    The odd / even thing for testing and stable distributions is only the second digit: in this case 6 (a stable version; 2.5.xxx was the last development version) (2.6.xxx). But overall this system has been moved away from. Linus had something to say about it, a bit of googling should bring up the interview - basically that that model of development was too slow and painful - trying to do huge amounts of updates and integration, so now he has moved the kernel to a development model of many small releases. He said that he is very happy with the way it works, and that he doesn't see the kernel moving on from 2.6 anytime soon.

  29. Schoofs
    Coat

    Bring back OpenVMS

    If only Digital had allowed Dave Cutler to port OpenVMS to the Intel world. And if only some more energy would be put in writing proper tools and quality code on whatever platform you prefer.

    I must be getting old so I'd better get my ...

  30. Anonymous Coward
    Pirate

    Diversity

    This relates to diversity. As with biological diversity, a pathogen can wipe out entire species of crops and more when there is little bio-diversity. Does this not seem to apply to other systems as well? All these problems are contained within a small subset of Linux systems. However, when an exploit is found in MS Server or MS Desktop OS, it has the potential of disrupting millions of systems.

    Next point: Should mission critical systems (hospitals, doctors, government agencies, energy, etc.) be using their own version of open source OS to limit their exposure to malware, exploits, etc.?

  31. Tim
    Paris Hilton

    Re: Bah

    Whilst true that the Linux community will typically get the patch out quicker (hacked together by some spotty teenager and tested by users), whilst MS will develop and thoroughly test the patch behind closed doors, the fact is that the closed source vulnerabilities in Windows are almost always ones that are announced by themselves or security firms but where the hackers do not have access to the source to work it out themselves.

    i.e. With Windows, by the time the hackers really have developed a hack, MS has long since rolled out the *fully tested* patch.

    Now don't get me wrong. I love Linux too. However, the whole "it's secure because it's Linux" is both a myth and a dangerous assumption.

    The fact is there are far more security patches rolled out on Linux than Windows. They're occurring all the time, but few people make a song and dance about it unless you get a headline incident like this.

    That both Linux and Windows get patched pretty quick is a positive thing anyway, and reality probably is that so long as people update they are mostly safe from these vulnerabilities.

    The real issue with Linux is with poor administration and the assumption that updates are not required. Sadly a lot of neglect occurs with web servers, and especially in applications that aren't part of the normal distribution and therefore update process.

    I mean, what do I see in my web server logs these days? Not IIS hack attempts like I used to see 10 years ago, but almost all the attempts are aimed at known flaws in PHP applications. Not in PHP or Linux, but in the applications.

  32. Nipsirc

    Didn't Microsoft release fixes for 6 crits yesterday?

    Couldn't work out how long they'd been open for, and granted, most were for 'userland' stuff like Office, but that was after about a minute of looking. I'd say that the very fact *1* security flaw has been exploited in a Linux deployment is newsworthy says it all...

  33. Dr. Mouse
    Linux

    LOL

    A few points.

    Firstly, to all you Windows Fanbois: The reason this is newsworthy is because it is RARE! Compare this to Windows where every time an automatic update is done you get several security fixes.

    Also, WRT Chris' comment "Proof that Open Source Software is DANGEROUS", this is where you are wrong.

    The fact that security vulnerabilities are easier to find means they get found quicker. Often before the major distros release the new software (whether kernel update or something else). If a "hacker" finds it first, and it is already out in production environments, it gets reported quickly and fixed.

    Contrast this with MS. The only way people not working there can test for security flaws before release is in a beta program. And they cannot check the source code for them. Even during the beta testing, hackers will be looking for vulnerabilities, as well as the good folks at MS and security firms. Do you think these hackers will report the problem to MS?

    So some make it out into production environments. When a flaw is found, it must be reported to MS. MS must then build a patch, test it to make sure it doesn't break something else, then release it. The end user must then download and install it. Overall this makes for a much longer period of vulnerability.

    Therefore I put it to you that, from a security point of view, CLOSED source is more dangerous.

  34. Anonymous Coward
    Happy

    @Orclev

    "In Windows you're at the mercy of Microsoft and there's nothing you can do about it until they decide to release a patch in a month or two."

    Strange that the last few MS vulnerability warnings I have read on El Reg also state that users who are fully patched are already protected.

    Basically, the problems with Windows are generally created by idiots who know nothing about computers (what's a firewall?). You don't tend to get that with Linux simply because you need a bloody degree in computer science to get the damn thing to do what you want it to do. But also for this reason you more than likely know a little about security (i.e. you know not to open that attachment from that unknown source). Windows is built specifically for end-users and is designed so that the end-user doesn't need to know how the OS works to be able to use it. The upshot of this is that hackers are having to use social engineering techniques to breach systems at the only vulnerable component - the user.

    It's not easy being a fanboi when the rug is pulled from under you eh? All of the reasons that are continually spouted on here about how you don't have to worry about this that and the other because you run a "secure" system will just have to stop before your complacency compromises your system. Welcome to the real world, your bubble has been burst.

    And @Robert Grant

    "Let's be honest, if the same number of Linux users commented like this on every article that reported a Windows vulnerability..."

    They do, every time. And yes, we're sick of hearing it.

    Suck it up boys, it's your turn to take some flak. And please, less of the BS in future eh? It only makes you look foolish when we get headlines like these.

  35. N

    at least it was patched fairly quickly, unlike...

    I quote "I do think Linux and OS X are superior to Windows, but you have to use the platform your programs require."

    Couldn't agree more, Windows sucks but you have to use it every now and again.

    But as alternatives gain ground the requirement to bathe in the devil's vomit is getting less as time goes by, thankfully.

  36. Anonymous Coward
    Anonymous Coward

    Not only claranet?

    I have a few sites on easily, one of which (near the top of the alphabet) was defaced on Tuesday. Several .php pages, all starting at the top of the alphabet.

  37. Steven Hewittt

    RE: Peter W

    No, the funny thing is Peter that El Reg decided to post this on their site. Linux exploits happen every week at least, if not more.

    The difference is that El Reg is biased towards OSS so hardly reports it. Remember the big random number generator issue a few months back. Funny that the Windows issue was listed on El Reg but the Linux one a few days later wasn't.....

    Truth is all OS's have holes, and they all need to be patched. Windows, BSD, OS X, Linux etc.

    I suggest people commenting on OS security take a look first at the various independent websites that monitor exploits. Secunia, CERT etc.

  38. Matthew Macdonald-Wallace
    Linux

    Linux isn't secure...

    Shock horror, a Linux user stating the fact that all Windows users know to be true!!

    The cancer that is open-source spreads FUD about how secure it is before falling prey to a hacker and not fixing the patch for six months... no... wait.... sorry, what I mean to say was:

    1) This kernel shouldn't have been used on a production system

    2) No computer system is completely secure against attack unless it is switched off, sealed in a lead-lined case, covered in cement, surrounded by Nuclear Waste and blasted into space before being blown up...and even then someone would probably be able to hack it given time...

    3) Linux has bugs. Thousands of them every year. Some of them become exploits, these are usually patched within 24-48 hours. Linux may not be completely secure, but it is secure, and more so than windows.

    M.

  39. Anonymous Coward
    Boffin

    No Perfect Security

    As with any computer operating system (Unix, Linux, Windows, Sun and all combined flavors) there is no perfect security process! The more lines of code, the more features, the more critical the system the more likely that someone will eventually find a hole, bug, or other electronic or socially engineered weakness and exploit it. The only thing we can hope for is DILIGENCE in design and operations. In other words PAY ATTENTION !!! Pay attention to the code you write, pay attention to the code you buy/download/install/borrow/steal, pay attention to your systems very closely and make sure you have backups and know how to use them!

    All other claims to be un-hackable and/or indestructible just make for cute commercials (Hi, I am a Mac) and anyone that believes them should really be in sales, not tech support!

  40. Kanhef

    Difference in attitudes

    The Linux community had a patch out within a few days of the vulnerability's discovery. Microsoft would, at the very least, wait until the next 'patch tuesday'; they can (and have) spent a few weeks 'verifying' the flaw, and a few more 'fixing' it.

    More than the number or severity of security vulnerabilities, it's the priority given to fixing them that sets Linux above Windows.

  41. Sikas Aparat
    Paris Hilton

    The real problem is feeping creaturism

    It's a stupid bug in a stupid syscall added to make webserver benchmarks look good.

    The specific bug is the absence of checking on a memory address passed from a user program into the kernel.

    In other words: it's caused by a combination of sloppy programming and vanity.

    It says nothing about the relative security of linux vs. Windows.

    OTOH, if they'd kept linux small and simple, like un*x used to be, instead of bloating it, this wouldn't have happened, so I suppose it says something about the security of badly- (or non-)designed systems in general.

    BTW: this somewhat invalidates the OSS idea that a million eyes make for safe code: if that was so then this bug would never have made it into production.

    There's no Paris Hilton angle, but there's no Jessica Biel icon (who she?): the exploit source code file was named "jessica_biel_naked_in_my_bed.c"

    Aren't men sad?

  42. Jay
    Linux

    funny how

    It's funny how I just did an XP install on an older laptop, around 60 or so updates to install on an OS that's how old now? Then an older PC, I put Xubuntu on, latest Gutsy Gibbon release, just start it up and it tells me there are 168 patches available. So an OS that is just released has 168 patches yet a 5 or so year old OS only has 60. Good thing Linux is so secure that those 168 patches must be only for wallpapers and new icons.

    Fanboys, at least they're good for keeping you warm this warm with all the hot air they keep fanning around.

  43. Codifex Maximus
    Happy

    Re: quick! linux security problem!

    >windows supporters - ATTAAAAAACKK!!!!!!!!!!

    >despite the fact that it's literally 1 problem, already fixed.....

    >btw, I'm not a linux fanboi. Just find it funny when the windows fanboi's retaliate for

    >any and everything, and exhibit confirmation bias in bucketloads....

    But... they're hungry! It's not often a crumb falls from the table for them to feed on.

  44. Robert Long
    Linux

    Who the hell's waiting for a fix?

    This was a one-liner. I did it myself and re-compiled in less than fifteen minutes from the exploit becoming known to me a few days ago.

    THAT's why I use open-source. Everything goes wrong sometimes, but I can fix my system myself without having to wait.

  45. furby_singh
    Dead Vulture

    Would it be terribly unsporting

    to curtail this flame war by asserting that those believing this to be of value in the great MS vs Linux vs BSD vs OS/2 debate are clearly Nazis?

  46. Anonymous Coward
    Linux

    Re; Bah

    "As for this particular vulnerability, I find it interesting that production systems were hit, as it shouldn't be remotely exploitable. It's a privilege escalation attack that requires permission to compile (or download) a binary and execute it on the target machine. Sounds like maybe they're running something else in need of a patch, or someone brute forced or social engineered their way onto the system."

    Given it's some kind of hosting environment, it's only as secure as their customers' sites. If someone has their own PHP script running that does no input validation, or is running an out of date version of some bulletin board software, gallery or whatever, a hacker could easily use a Cross Site scripting attack to gain access to the box, something I've seen happen with other websites. It doesn't require anything else unstable on the box. Even a quick 5 minute Google will show all sorts of copies of various scripts all ready to be injected in such ways.

  47. Anonymous Coward
    Thumb Down

    @Tim - Fully tested?

    "Microsoft only rolls out fully-tested patches?" Are you kidding me? How many times have you seen MS roll out the 'patch to the patch'? Just last year in our organization, we got a "fully tested" patch that had half of our 500 users complaining about frequent IE crashes. MS eventually released an updated patch, but to say that the quality of MS patches is somehow better than Linux fixes is absurd. Not a fanboi of either OS. I use both and they both have things I like and things that are a royal pain in the ass.

  48. Anonymous Coward
    Anonymous Coward

    re: Bring Back OpenVMS

    "If only Digital had allowed Dave Cutler to port OpenVMS to the Intel world. "

    You can get VMS on Intel. Unfortunately it's on one of Intel's occasional failures, the Itanium (who else remembers the iAPX432 and I20 and other ventures which prove that Intel are not invincible, and prove that Intel won't throw good money after bad indefinitely even if they can afford to).

    Sadly the current owners of VMS don't have the same track record of investment in VMS development and support as the people who brought it to you in the first instance, and its security record is no longer as unblemished as it was, particularly where software has been ported to VMS from the UNIX world without taking full account of VMS security mechanisms which simply don't exist in the Unix world (yes I'm talking about some bits of TCP/IP services).

  49. Damien Jorgensen
    Gates Halo

    linux aka cack

    If it had been a closed source OS then they wouldn't have known about a bug in virtual memory management (that's not to say there wouldn't have been one elsewhere)

  50. Robert Brockway
    Stop

    I'm surprised at the lack of clue being shown by some users here

    I'm a *nix sysadmin that works mainly with Linux & Solaris. I love OSS and do believe that the OSS model offers security advantages.

    News flash: No mainstream OS in use today is very secure.

    Anyone who claims that simply running a given OS will make their system/network secure hasn't got a clue about security. Perhaps some end users might believe this sort of thing but in my experience even the most inexperienced sysadmins realise that security is a bit more complicated than that. Security is a process that has a purely human component.

    As for this exploit itself - it is a local root exploit. This isn't the first in the Linux kernel and it won't be the last. Every other OS has had equivalent problems too.

  51. Adam Williamson
    Thumb Down

    Oh, the crap is flying here. Tim and others, re disclosure.

    For the benefit of Tim and others:

    yes, this case is slightly unusual - because there was public disclosure before the bug was fixed (albeit by a couple of days; most distributors had official updates available Tuesday).

    Yes, Tim, we have a perfectly mature private disclosure system for Linux security issues. There is an established process whereby serious security issues are privately disclosed by security researchers to other security researchers, the developers of the affected component, and distributors.

    The issue is then verified, fixed, the fix is tested, and the public disclosure is made at the same time as the patches are made available by the upstream developers and by distributors.

    In this case, the issue leaked to the public slightly prematurely, no-one knows how yet, AFAIK. Usually, there would be zero window between the public disclosure of the vulnerability, and the availability of official updates.

    Usually, security researchers only break this process when they don't believe the issue is being worked on sufficiently urgently, which isn't ever the case for kernel security issues, which are always handled as a very high priority by the kernel developers.

    (Compare to Microsoft's "once a month, you get to be slightly secure!" policy).

    And for the most recent AC, they *really* ought to be using separate virtual machines for each user in a hosting setup. Or at least chroot jails. As someone earlier pointed out. This is at least 60% the fault of bad setup on Claranet's part (as most compromises usually are, for any OS).

  52. Adam Williamson

    Jay:

    except that the Ubuntu disc you installed comes with a complete set of applications for doing just about everything (all of which need patches), and Windows comes with...er...IE. And Paint.

  53. Andrew
    Linux

    Wasted half my coffee reading the comments.

    "if operating systems were compared to, say, a mosquito net, Linux would be a mosquito net with a few small holes in it, while Windows would be a mosquito net made from chicken wire."

    "whilst MS will develop and thoroughly test the patch behind closed doors"

    Managed to spray coffee over the monitor on two occasions. Funniest comparison of Windows to Linux I've heard in a long time. While I'm not sure what planet Tim was on when writing the second comment. I've lost track of the times I've had to roll back patches after MS Auto update ignored the settings and installed a patch onto a production server that promptly broke half the other software running on it or restarted the server in the middle of a backup run (Auto updates were set to ask before downloading or installing). While the recent debacle with Office, where a service pack stopped it from opening its own files, had the technical team dreading the phone ringing with another client moaning as they could no longer open their Word documents. How the hell did that make it through "thorough testing"?

    I use both Windows and Linux for work and home. I use the one that's best for what I need, however I find myself cursing MS stupidity more and more lately while having less and less support calls from the clients using Linux (desktop and server roles).

    Nice one to the developers for getting the fix out so soon after the disclosure of the vulnerability, rather than trying to bury the existence of it while taking months to develop the necessary patch.

  54. Colin Wilson
    Pirate

    Windows updates vs linux (any flavour)

    The talk about the number of updates between the two systems, and the relative security offered by both need to be looked at in context.

    Take two machines...

    1) Install the standard WinXP (first release, not SP2, which was basically a complete re-write - or for that matter, use SP2, it still has holes) - DON'T use a separate firewall, virus checker, or spyware detection, and don't bother updating - most users are still too dumb to bother - if you're really brave (should that be stupid?) try browsing a few salubrious sites.

    2) Install linux (pick a flavour, any flavour). Don't update etc as above.

    Stick both online, and see how long they last before they're completely owned by an unknown third party.

    Going back 2 years or so, the lifespan of a "virgin" XP box was down to about 8 seconds of first being connected to the internet before it was well and truly rogered and turned into someone else's bot-bitch.

    If the linux machine lasts more than that, you have your winner.

  55. michael
    Stop

    statistics, more statistics and bull

    This my OS is better than your OS ego tripping that goes on is getting very very boring.

    The simple fact is that if the most popular operating system in the world was Linux, then all the hackers would be focusing on it instead of Windows and I bet a lot of vulnerabilities would crop up just as we see in Windows all the time.

    P.S. I use both.

  56. heystoopid
    Linux

    The wonders of open source

    The wonders of open source and the marvel at just how quick the security fixes come rather than the usual six to ten month wait from the Redmond Campus mob or the questionable thieves out Cupertino way who pay lip service to GPL for their operating systems!

  57. Patrick
    Stop

    Windows in perspective.

    Just for perspective, Vista SP1 fixes 551 bugs (rolling in 551 separate hot fixes) and 23 security updates alone. Just something to keep in mind while comparing the security problem of Windows to Linux or to OS X or to xyz alternative.

  58. Anonymous Coward
    Anonymous Coward

    Linux is unsafe

    and Windows is safe. The fact that most servers around run Linux, and most botnet zombies run Windows might be a clue. Or not?

    But no system is 100% foolproof. That's why they should have been using a less recent kernel probably. The main difference between Win and Lin on this ground is that testing/unstable thingies are labeled as such in the open source community, as opposed to MS who sell their beta stuff as stable, and discontinue them as soon as they are stable (if and when it ever happens).

  59. Andrzej
    Gates Halo

    Message to Jay

    @Jay

    XP SP1- updates from 24 security bulletins and 297 hotfixes

    XP SP2- 60 security bulletins and a whopping 666 (no, I did not make that number up) fixes

    Now do some basic math (hopefully your math skills are better than your IT knowledge) and add 297 + 666 + 60 (taking your word on this) = 1023 +/-

    Another windowz n00b skooled.

  60. John Benson
    Flame

    Half a league, half a league, half a league onward...

    Into the Valley of Death plunged the bug hungry.

    So Linux has a bug, I guess that proves it's inferior.

    As to closed source versus open source, some of the arguments sound like "what you don't know (without a disassembler) can't hurt you". In other circles this is known as "security through obscurity" and generally avoided on principle.

    In my personal experience I've seen a lot more BSODs than kernel panics, but your mileage may vary.

    I'm also noticing that CentOS 5 seems a lot more solid than Fedora 8 (well, duh). So it's probably fairer to compare boring, stable, old, patched releases of Linux to boring, stable, old, patched releases of Windows.

    I think it's perfectly fine to say "I like Linux/Windows because..." without feeling compelled to add "because Windows/Linux is a cartful of nightsoil, that none abideth the stench thereof."

    (If I do, however, it's because the Devil made me do it...)

  61. Anonymous Coward
    Anonymous Coward

    If the OS market share split was 50 50...

    between Linux and Windows, you would still find more exploits in Windows.

    It is beginner usability versus security that is the main reason windows is open to exploit. Open source does enable security flaws to be found earlier, and people do wade through the kernel code, and the netfilter code checking security all the time. Applications depending on what they are may not get the advantage of Open Source security reviews, and of course obfuscation does work well with security tools, but you add a risk of introducing an error.

    MS engineers tend to focus more on the UI and the end user experience, the tech crowd are on Unix where there is more emphasis on good security practice, though of course things do slip through the net.

    If you really want security OpenBSD is probably the OS you want, unless you want to harden Linux yourself. But, look what OpenBSD does to your usability. There is some truth about the OS not being the be all and end all, but a tank is more secure than a bicycle on balance :)

    I thought the honeymoon period was over with Linux, the number of actual exploit attempts has been on the increase, I think we have inherited the Windows crackers :) There was a time period where people would not deliberately target Linux because of their own use and like of the OS, those days appear to be gone now.

    There are loads of security flaws found all the time in Linux - but not all are critical and they tend to get patched fast and I suppose you should practice security in-depth, but it is very hard to make a usable multi purpose hardened system.

  62. Dave

    @Jay

    Your XP fixes were solely to the OS and probably required multiple reboots (although MS are getting better about that now), the Linux stuff not only includes the latest OS fixes but application fixes as well (not all of them are fixes, some are features).

  63. Rich Turner
    Alert

    MS not as often to blame as you may think!

    One of the biggest problems with Windows is its popularity. Quite honestly, by far the biggest threat to your Windows based PC is running crappy software from various sources that don't take security and reliability seriously. Good examples include Real, Adobe, Sun and Apple ... as evidenced on the Secunia site today (see below).

    It doesn't matter what the OS is ... if it's pretty much #1 then chances are that it's going to see the largest volume of hackery. Just be glad Linux isn't the world's most used OS!

    From Secunia (2/14/2008):

    During the last 24 hours, we have seen security updates for some very popular Windows programs from four major vendors: Sun, Adobe, Apple, and Skype.

    Based on these four security updates, we have gathered some statistics from our free Secunia PSI that shows a startling picture, detailing the amount of users who need to patch their computers, in order to safely do something as ordinary as surfing the Internet.

    Currently, the Secunia PSI has been installed on 282,726 computers.

    Unique installations, counting each application only once per computer:

    Adobe Reader 8.x: 172,653 (61.07% of all computers affected)

    Apple Quicktime 7.x: 133,169 (47.10% of all computers affected)

    Sun Java 1.5.x: 98,618 (34.88% of all computers affected)

    Skype 3.x: 57,496 (20.34% of all computers affected)

  64. Anonymous Coward
    Alert

    Just a point

    Linux flaws appear every week without fail, they just don't get reported as often as windows flaws as sites like this seem to be going along with the 'MS is evil' bandwagon.

    As for comments like

    '2.6.23 is a very new kernel to be running in a production environment'

    For quite a while now, linux users have been crowing about how quickly things get fixed and their system automatically updates itself with the patches, while complaining about automatic updates from MS. Seeing as this is a new kernel, it's more than likely that the sysadmins had auto update enabled to save themselves time and effort so what's the difference between that and what MS offer? They both screw up occasionally.

    Nothing is perfect

  65. Anonymous Coward
    Pirate

    MS engineers tend to focus more on the UI and the end user experience ...

    Total utter and complete rubbish. Sorry, but you're utterly wrong here. For the vast majority of MS product groups, the internal guts of our apps and systems get FAR more attention than does the UI.

    The difference between Microsoft and the Linux world, however, is that Microsoft gives a damn and does spend considerable effort making their apps and systems easy to use, easy to manage and easy to support.

    A good example of this is that no Windows user has to recompile their OS' kernel to apply a patch.

    And when it comes to patching issues in the OS ... the fact that the Linux community releases patches to its kernel within a day or two of fixing an exploit clearly illustrates that you don't run full test and regression suites against your patched kernel. That's left to the distribution owner. And they rarely do this either because it takes care, time and money ... something that most distros' owners are relatively loath to give up. This IS a benefit of Windows - you can be considerably more sure that a fix doesn't break you, and if it does then it's for a damn good reason.

    And to your latter point ... there are tons of vulnerabilities found in practically every OS in use today, and yes, not all are even interesting, let alone fatal. This applies to Windows too.

  66. Smitty Werben Jueger Man Jenson
    Unhappy

    new banned word for El Reg

    'Fanboi'

    Seriously. If this keeps up we will all start spelling like an AOL chatroom full of 12 year olds.

  67. tardigrade
    Linux

    @AC Patching and all that.

    "Seeing as this is a new kernel, it's more than likely that the sysadmins had auto update enabled to save themselves time and effort so what's the difference between that and what MS offer?"

    Just a small point to explain. The update software used 'apt' or 'yum' by default doesn't auto upgrade the Kernel. To do that you would usually have to manually force a kernel update.

    A standard distro of Debian will have a cron job set to call apt-get each night to update using 'stable' lists and 'security update' lists stored in /etc/apt/lists/. So you don't get bleeding edge updates that can cause breakerage nastyness from unstable lists but you do get security fixes by default if an 'issue' arises as in this case. Hence my server is now auto patched, but without forcing a Kernel update to a bleeding edge version. :)

    Apt is one of the smartest tools that I've seen on any platform for this purpose. If it can't resolve dependency issues without breaking another app then it will skip to the next update and leave you a message in the system logs to tell you what it didn't want to do. Hence my custom BIND and Sendmail hacks don't get wiped out by the auto-update process each time a newerer 'stable' version of said app is released.

  68. david Silver badge

    Local root exploits

    "I'm not sure it makes sense to compare with Windows.

    "Does Windows even attempt to protect itself against untrustworthy local users?"

    This is the thing: all Linux/BSD users I know work from a position of deep ignorance like this.

    Some of my best friends are Linux/BSD/Solaris administrators. I don't expect them to master two operating systems. They try not to boast about their ignorance.

  69. Anonymous Coward
    Boffin

    @Slackware has

    > the patched Kernel available now I would suggest getting it and installing it. If you're lucky enough to be using Slackware.

    Or you could go completely spartan and build the latest 2.6.24.2 kernel yourself. I did that two days ago with my Debian Sid machine (yes, I'm that insane to run something that experimental).

    As for perfection, nothing is perfect. Linux does have flaws here and there. So does Windows, Mac, etc.

  70. Dan
    Boffin

    Correction?

    There are TWO PoCs floating around, making 2.6.17 onwards vulnerable.

    One is for the issue introduced between 2.6.23 ~ 2.6.24 (Diane Lane).

    The other is for 2.6.17 ~ 2.6.24.1 (Jessica Biel).

  71. Anonymous Coward
    Anonymous Coward

    @ Total Utter and Complete Rubbish

    I am guessing you are an American - reread what you quoted :

    'MS engineers tend to focus more on the UI and the end user experience.'

    and then combine it with your statement:

    'A good example of this is that no Windows user has to recompile their OS'[sic] kernel to apply a patch.'

    See there is a tendency (which is an interesting English word), to worry more about the end user experience, and I think you have proved it.

    The UI is not just a GUI, it is how the user interacts with a system. From what I can see I am actually being a bit charitable; I don't really rate the UI of Windows that highly - so you can only imagine what I think about the internals.

  72. Quirkafleeg
    Boffin

    Re: Linux is more secure - not completely secure

    “It only effects the 2.6.23 kernel”

    How does it cause a kernel? Do tell.

    Anyway, 2.6.22.18 was also released on Monday, with a similar fix for the same bug (the fact that it wasn't the same fix drew some comment on the kernel mailing list). 2.6.21.*, which is also vulnerable, is no longer maintained by the kernel people so no fixed kernel has been released on kernel.org – DIY patch, or wait for your distribution to provide an update. Same goes for other kernels back to 2.6.17.

  73. David
    Linux

    @"MS engineers tend to focus" AC

    "A good example of this is that no Windows user has to recompile their OS' kernel to apply a patch."

    No. But I've never compiled a single program on Linux, and yet I've been running it for years.. (for that matter, I've serviced many Linux installations, and am yet to see a single virus or piece of spyware or other malware.. whereas I've seen thousands for windoze, often on a single machine)

    "And when it comes to patching issues in the OS ... the fact that the Linux community releases patches to its kernel within a day or two of fixing an exploit clearly illustrates that you don't run full test and regression suites against your patched kernel. That's left to the distribution owner. "

    True, but...

    "This IS a benefit of Windows - you can be considerably more sure that a fix doesn't break you, and if it does then it's for a damn good reason."

    Actually, again, I've never had a patch on Linux break anything. Nor have I heard of that happening, although it is likely to happen eventually I guess. Whereas the reason I dumped that piece of foul shit known as "Vista" and installed XP a couple of weeks back is that an update to vista killed my favourite game (which is windoze only, for the moment), and a later update killed all the networking so no chance of further updates. So because windoze patches broke the whole system. I guess by locking out all networking it did make it more secure but....

    Oh.. And the fact that m$ takes months and so forth to test the patches means that it takes months for a vulnerability to be fixed from the time it is discovered, whereas with Linux, generally you're looking at a few days..

    m$ better? Only for making me enjoy using Linux.

    (Oh, and thanks for vista. Really. The best windoze ever! I am getting to convert so many people to Linux because it is so rubbish! I really appreciate you guys putting that out like you did. Honest!)

  74. Anonymous Coward
    Anonymous Coward

    @AC 14 Feb 23:44

    If you really are an MS employee ("our apps and systems") you've done your employer no favours, all you've done is confirm that you're clueless, which (in many people's experience) is fairly typical of MS employees... Like other posters, I've been using Linux for a while, e.g. Red Hat on and off since RH4, SuSe since SuSe 8, and not once have I needed to recompile a kernel.

    Yes I sometimes read about kernel patches to enable particular bleeding edge functionality but these are things that Joe Public or even Joan Corporate IT Department does not have to do. If you don't understand the difference, try popping along to your local Linux User Group for some enlightenment.

    Take some of your spare Vista CDs along too, they may find a use as drinks mats, 'cos Joe and Joan aren't interested in buying them are they.

    "MS ... apps and systems easy to use, easy to manage and easy to support."

    That's your opinion. I don't share it, and once you move out of the netherworld of Microsoft-funded consulting opportunities, a lot of other people don't share it either.

    "patches to its kernel within a day or two of fixing an exploit "

    Hmmm. Having business-critical patches tested by distro builders doesn't suit MS needs this week then? Well given that was pretty much the approach MS initially tried with Windows DataCentre Edition (want a critical patch for DataCentre Edition on your Compaq Proliant? Only Compaq can provide it (ditto HP, Dell, etc) and there may be a delay of some months while the critical patch is "qualified" by the DataCenter OEM), perhaps you can enlighten us on whether MS still see that as an appropriate route to the user base for critical updates on enterprise-class systems? Or maybe MS accepted that Windows really doesn't belong in proper enterprise-class datacentres, 'cos that's what anyone with a clue knows?

  75. David
    Linux

    A good reason?

    "This IS a benefit of Windows - you can be considerably more sure that a fix doesn't break you, and if it does then it's for a damn good reason."

    So I guess MS has "a damn good reason" for disabling poor ol' Gus Bains's sound?

    See http://www.theregister.co.uk/2008/02/13/patch_tuesday_february/comments/#c_155002

    :)

  76. David
    Linux

    Another good reason?

    "This IS a benefit of Windows - you can be considerably more sure that a fix doesn't break you, and if it does then it's for a damn good reason."

    Also there's that other "David" a couple of messages below that? (Although having Nortons, his machine was probably pretty well broken anyway! :) )

    Again, see :)

    http://www.theregister.co.uk/2008/02/13/patch_tuesday_february/comments/#c_155002
