Author: Benjamin D. Thomas
released for the Linux kernel, sysstat, mailman, coreutils, libxml2, mozilla,
and kdelibs. The distributors include Debian, Fedora, Gentoo, Mandrake, OpenBSD,
Red Hat, and Trustix.
Lies, Damn Lies, and Statistics
The recent study released by a British security firm has caused a lot of controversy. The report concluded that Linux is the “most-breached” operating system, OS X was the least, and Windows floated somewhere in the middle. Like clockwork, many IT journalists used the report as a basis for articles. Headlines such as “Apple OS X Server is most secure system” and “Apple Servers The Most Secure” tend to distort the truth. Most took the report literally and failed to question the methods used to gather the statistics. In the meantime, the security firm that released the report has gained a lot of exposure because of its controversial findings.
I’m not writing this to dispute or agree with the conclusions. The debate has been going on for a while and it would be pointless to rehash the arguments already out there. My biggest concern is realized when technologically naive management gets hold of this information. Rather than fully understanding the information presented, decisions are made using distorted headlines. This week, platform X is most secure; next week it will be platform Y. This type of analysis seems to imply that there is a magic security silver bullet. Rather than responsible administration, it implies that security is wholly attributed to the choice of software.
Security is extremely hard to measure. Quantifying security in terms of ‘most-breached’ or ‘most hacked’ is flawed because it does not take administration faults into account. Some administrators are very pro-active and can keep a server from being compromised; others are negligent and leave vulnerabilities open.
As security practitioners or system administrators we should not focus on flawed reports, but rather concentrate on security best practices. In the real world, statistics of this sort provide little benefit because we all have legacy systems to maintain. Appropriate time should be spent applying security patches and verifying that each system is configured properly. Rather than asking, “Which system is more secure?” administrators should ask, “Which system will provide the most security flexibility?” and “Which operating system provides the fastest updates?”
Until next time, cheers!
Benjamin D. Thomas
LinuxSecurity
Feature Extras:

Innovative Open Source Approach to Combating Email Threats – Guardian Digital, the world’s premier open source security company, has introduced Content and Policy Enforcement (CAPE) technology, an innovative open source software system for securing enterprise email operations.

Interview with Vincenzo Ciaglia, Founder of Netwosix – In this article, a brief introduction of Netwosix is given and the project founder Vincenzo Ciaglia is interviewed. Netwosix is a light Linux distribution for system administrators and advanced users.

Introduction to Netwox and Interview with Creator Laurent Constantin – In this article Duane Dunston gives a brief introduction to Netwox, a combination of over 130 network auditing tools. Also, Duane interviews Laurent Constantin, the creator of Netwox.
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.
Distribution: Debian

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 3/8/2004 | kernel | 2.2.19 Privilege escalation vulnerability | This is the Kernel 2.2.19 backported version of the mremap fix that prevents |
| 3/9/2004 | wu-ftpd | Multiple vulnerabilities | These vulnerabilities allow a malicious user to bypass directory access |
| 3/10/2004 | python2.2 | Buffer overflow vulnerability | A crafted IPv6 address can overwrite memory in the stack. |
| 3/10/2004 | sysstat | Insecure temporary file vulnerability | Crafted symlinks can be used to make sysstat write to/read from arbitrary |

Distribution: Fedora

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 3/5/2004 | mailman | Cross posting vulnerability | A cross-site scripting bug in the ‘create’ CGI script affects versions of |
| 3/5/2004 | util-linux | Information leak vulnerability | Fixed information leak in login program. |
| 3/11/2004 | coreutils | Integer overflow vulnerability | An integer overflow in ls in the fileutils or coreutils packages may allow |

Distribution: Gentoo

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 3/8/2004 | libxml2 | Buffer overflow vulnerability | Bug may be exploited by an attacker allowing the execution of arbitrary |
| 3/8/2004 | kernel | 2.4.x Privilege escalation vulnerability | Exploitation of this bug can allow a local user to run arbitrary code as |

Distribution: Mandrake

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 3/10/2004 | python2.2 | Buffer overflow vulnerability | A crafted IPv6 address can overwrite stack memory with executable code. |
| 3/10/2004 | gdk-pixbuf | Denial of service vulnerability | A malicious BMP file can crash the Evolution mail client. |
| 3/10/2004 | mozilla | Multiple vulnerabilities | Various serious vulnerabilities allow remote code execution and the reading |
| 3/10/2004 | kdelibs | Path restriction escape vulnerability | Exploitation of this bug allows an attacker to escape path restrictions specified |

Distribution: OpenBSD

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 3/9/2004 | tcp/ip | Denial of service vulnerability | Vulnerability allows remotely triggered denial of service. |

Distribution: Red Hat

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 3/9/2004 | wu-ftpd | Multiple vulnerabilities | These vulnerabilities allow the escape of home-directory restrictions and |
| 3/10/2004 | kdelibs | Path restriction escape vulnerability | Attacker can escape path restrictions set by cookie originator. |
| 3/10/2004 | Sysstat | Insecure temporary file vulnerability | Using symlinks, this bug can be exploited to cause Sysstat to write to/read |
| 3/10/2004 | gdk-pixbuf | Denial of service vulnerability | Malformed BMP file can segfault mail reader. |

Distribution: Trustix

| Date | Package | Vulnerability | Description |
|---|---|---|---|
| 3/8/2004 | nfs-utils | Denial of service vulnerability | Certain incorrect DNS setups would cause rpc.mountd to crash, resulting |
| 3/8/2004 | libxml2 | Buffer overflow vulnerability | URLs longer than 4096 bytes would cause an overflow while using nanohttp |