By Linux News Desk | February 22, 2004 12:00 AM EST | Reads: 20,180
- A vulnerability in the ncp_lookup of the Linux 2.6 kernel could let a local user get elevated privileges on the system.
- A flaw in the memory remapping system call in versions of the 2.2, 2.4 and 2.6 kernels could give a user root access.
Fixes have been released for both new Linux vulnerabilities. (Information on the vulnerabilities and on the fixed versions is available online at www.securitytracker.com.)
Here's how the GCN report continues:
The vulnerabilities, reported by Security Tracker, have come about the same time as a study that found Linux to be the most hacked server operating system in government.
The study, by British security consulting firm mi2g Ltd., said attacks on Linux outpaced those on Microsoft Windows for the first time in January. The study focused only on direct digital attacks carried out by hackers, rather than on exploits by worms and viruses, which have primarily targeted Windows systems.
Linux accounted for 57 percent of successful attacks on government systems studied, followed by Windows at 35 percent. This is in sharp contrast to August, when Windows accounted for 51 percent of successful attacks and Linux just 14 percent. For the first time, the study found no successful attacks against government servers running the Berkeley Software Distribution family of open-source systems, or the Mac OS X, based on the Darwin open-source kernel.
“The swift adoption of Linux last year within the online government community, coupled with inadequate training and knowledge on how to keep that environment secure, has contributed” to the shift, said D.K. Matai, mi2g executive chairman.
The mi2g study has come under immediate criticism from the Linux community around the world. One dissenting online opinion takes issue with some of the claims at the mi2g site, saying:
mi2g has not been in the security industry since 1995. The continued claims of collecting data that far back are unsubstantiated and unverified. DK Matai's insistence of working on a PhD in information security appears to be nothing more than wishful thinking. These are cornerstones of mi2g's claims of being experts in the field, and appear to be lies.
A more general observation, from someone posting to Slashdot the moment news of the report broke, was that the mi2g methodology "is not the best way to conduct research" - a reference to the fact that the group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide, and confined the study to overt digital attacks by hackers. Here is the post:
"When I was doing research at NIH we would say of this sort of thing: 'After discarding all data to the contrary, the hypothesis was proven.'
While this research may show that Linux servers are over-represented in overt acts of hacking, this does not statistically make the Linux OS the least secure. Attacking a particular system simply makes it popular for attack. In order to characterize Linux, or any other OS, as the least secure, there would need to be evidence that an equal amount of other OS's were unsuccessfully attacked or the success rate was lower. Other variables that would require controls would be the hacker, level of sophistication of attack, etc. etc.
To say that '...while Linux servers were the most vulnerable...' only means that they may have been the most targeted. I am not saying that the conclusions of this research are incorrect, I am saying that from what I have read, they cannot come to those conclusions."
Another excellent post came from Slashdot reader J M Dority, who wrote as follows:
"No OS is secure. The only defense OSS has is that patches can be released quickly, while Microsoft took 200 days to fix ASN.1 (for which a similar problem was found and fixed very quickly in the BSDs and Linux last March).
How many large companies/organizations running Windows were hacked last year? The point is, most companies/organizations don't report IT security breaches, certainly not like GNU did. If you have a high-profile company, and someone with enough skill wants to, you WILL be hacked eventually, regardless of your choice of OS. Most blackhats don't have the skill level that the GNU attack took, and even that probably could have been prevented, but there is a tradeoff between high security and convenience, and a 0day exploit is hard to stop, unless you can stay awake 24/7 and process incoming ethernet frames in your head fast enough to determine their intent before forwarding them.
I personally would rather be attacked once a month and know of the attack instantly than be attacked once a year and not know. Security starts at the power outlet, once you plug a machine in, you're vulnerable."
Copyright © 2004 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
SYS-CON's Linux News Desk gathers stories, analysis, and information from around the Linux world and synthesizes them into an easy to digest format for IT/IS managers and other business decision-makers.

Delfin Ramirez 02/27/04 08:38:22 PM EST
The problem is not itself the system we use (Win, Unix, etc.)

Fecal Extrusion 02/24/04 09:55:20 AM EST
It has been long known that Microsoft successfully I wouldn't be surprised if Microsoft funded that study.

Datore 02/24/04 03:40:52 AM EST
Let's compare to robbery and banks.

John Lynch 02/22/04 03:03:22 PM EST
I think this is an administration problem. Within the company I work, they have migrated to Linux and we don't have enough technical staff that really understands Linux. On many occasions patches have not been applied on time.

David Mohrin 02/22/04 02:17:13 PM EST
To editors of Linuxworld: You're posting FUD without checking sources AGAIN. If you had even bothered to google news the source of the press release, MI2G Even if you refuse to trust the above, just to put some balance in the posted article... The MI2G study of servers "did not include other methods of intrusion such as viruses and worms" The same firm mi2g also wrote the following http://www.mi2g.com/cgi/mi2g/press/190204.php QUOTE Symantec also predicted the following in its September 2003 Internet Threat report. http://downloads.securityfocus.com/library/InternetThreatReportSept2003.pdf Blended-Threat Targets MICROSOFT INTERNET EXPLORER VULNERABILITIES THEFT OF CONFIDENTIAL DATA ATTACKERS EXECUTING COMMANDS FROM THOUSANDS OF INFECTED SYSTEMS CONCLUSION




















