[vox] Open Source and Security

Karalius, Joseph vox@lists.lugod.org
Mon, 1 Mar 2004 13:28:14 -0800


http://www.silicon.com/hardware/servers/0,39024647,39118519,00.htm

Three Linux server security holes found 
 
February 20 2004 
 
by Robert Lemos 
 
Is open source the new Microsoft? 

Three separate security flaws could be used by an ordinary user to gain
total control of a Linux server or workstation, security researchers have
warned. 

Two of the vulnerabilities lie in the way the Linux kernel - the core of the
open-source operating system - manages memory. They affect all current
versions of Linux, according to advisories released on Wednesday by iSEC
Security Research, a Polish security company. The third flaw affects the
module for the kernel that supports ATI Technologies' Rage 128-bit video
card. 

Because Linux is frequently used on shared servers, security holes that
allow a user to expand their access rights on a computer are serious, said
Alfred Huger, the senior director of engineering for security software
company Symantec. However, they are not as critical as flaws that allow an
outsider to compromise the computer, he said. 

"In the grand scheme of things, if an attacker is able to get access to your
box, then they could probably get root [control] on your box, anyway," he
said. The root user is the standard Linux and Unix name for the person who
has complete control of a computer. 

For example, the recently announced flaw in Windows that allows an attacker
to remotely execute code on any computer running the Microsoft operating
system is a more serious vulnerability. That flaw could allow a worm to
spread throughout the vulnerable computers attached to the Internet. The
security holes in the Linux kernel are of more use to an attacker looking to
compromise a single computer. 

The Linux Kernel Project released a new version of the 2.4 series kernel -
version 2.4.25 - to fix the vulnerability, the second time this year it has
had to issue an update as a patch. In January, it released the 2.4.24 kernel
to fix another flaw iSEC found. 

Another vulnerability in the kernel, found last September, allowed attackers
who had compromised a developer's computer to extend their control to
several key servers used for development of the Debian Linux distribution. 

Linux companies and projects that package their own version of Linux have
rushed to deliver updates. Red Hat, Novell's SuSE Linux, Debian and other
Linux distributions had released fixes by Thursday morning. 

The newly found flaws underscore the fact that vulnerabilities still exist
in the core software that makes up Linux, according to Symantec's Huger. 

Moreover, the discovery of serious flaws in the kernel the past three
consecutive months raises questions about the "many eyes" theory, which
maintains that open-source software can be audited for security holes easily
and is therefore more secure. In reality, the majority of developers don't
like to review old code, Huger said. 

"I think the concept is great, but by and large, I don't think the practice
is as true as people would like it to be," he said. 

That criticism has been leveled at Linux before. And while auditing may not
be as pervasive as some open-source advocates would believe, recent security
holes in Linux continue to be less serious than those found in Windows. 

Robert Lemos writes for CNET News.com 
 

-----Original Message-----
From: vox-admin@lists.lugod.org [mailto:vox-admin@lists.lugod.org] On
Behalf Of Byron Roberts
Sent: Monday, March 01, 2004 12:11 PM
To: vox@lists.lugod.org
Subject: [vox] Open Source and Security

Here is an excerpt from a post on the CVBIG list that I belong to:

[snip]
> The problems with Linux are that RedHat (our operating system) no longer
> supports further updates, the Linux operating system has three system
> vulnerabilities, which need to be fixed, and it is open source (I know I
> touched on something sacred here, but no programmer likes to redo old code,
> especially someone else's, so I'm concerned the security vulnerabilities
> will not get fixed).
[snip]

I feel like I'm totally missing something here... I thought that one of the
big advantages of OSS was increased security, precisely because the code is
accessible and able to be modified? Or as a newbie is there some piece of
information that I'm lacking?
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox