Posted by realnischa on 20 September 2003 - 02:22 · 17 comments & 3015 views
Although Microsoft Windows vulnerabilities get most of the headlines, researchers this week identified vulnerabilities in two commonly used open-source software products.

The more serious of the vulnerabilities affects Sendmail, an open-source program for managing e-mail. The vulnerability lies in the way the e-mail server software parses e-mail headers, according to Dan Ingevaldson, engineering manager for Internet Security Systems in Atlanta.

"It's an extremely serious vulnerability," Ingevaldson said, adding that computer attackers could probably exploit it. It is less clear, he said, whether a separate flaw in OpenSSH, also discovered this week, can be exploited.

News source: Cnet News - Security experts find open-source flaws


"It may remain theoretical, it might prove to be exploitable," he said of the flaw in OpenSSH, which is used by network managers to log in remotely and gain encrypted access to computers and other networked devices.

Although it is not clear whether the OpenSSH vulnerability is exploitable, it would be serious if it were. The flaw occurs before authentication, meaning a user would not need privileges to log on to the machine to run the exploit, said Jason Rafail, an Internet security analyst with Carnegie Mellon University's CERT Coordination Center.

CERT issued an advisory on Tuesday for the OpenSSH vulnerability and another on Thursday for the Sendmail flaw.

The OpenSSH issue affects versions before 3.7.1 and stems from a problem in the way the software manages buffers, the storage areas in which it holds chunks of data. Cisco said it has products that are affected, while Red Hat, Sun Microsystems and IBM's AIX Toolbox for Linux all use versions of OpenSSH that could be vulnerable.

The Sendmail flaw affects versions before 8.12.10. HP, IBM and Red Hat are among the software makers that use Sendmail and whose products could be affected.

Both pieces of software are commonly used at large companies, making them an attractive target to hackers, Ingevaldson said. "Hackers like to attack high-value targets," he said.

Word of these flaws comes amid concern that virus writers may create new bugs based on Windows vulnerabilities disclosed last week.

The latest flaws add to the debate over which is more secure: commercial software, such as that from Microsoft, or open-source software, such as Linux.

"In any given year there have been just as many vulnerabilities in the open-source community as there have been with Microsoft," Ingevaldson said.

It is difficult to compare the two, he said, but he noted that developers of both use similar tools to write their software and face similar challenges in dealing with hundreds of thousands or millions of lines of code.

With companies blocking all but a handful of the 65,000 available network ports, Ingevaldson said that hackers tend to target the infrastructure for things like e-mail and Web pages, which are allowed to enter a network.

"The open-source guys and the big commercial vendors are dealing with the same problem," Ingevaldson said.



There are 17 additional comments
#1 Posted by Goalie_CA on 20 Sep 2003 - 03:55 (2 replies)
The only problem is that it's rather impossible to exploit a buffer overflow unless you know your target's machine architecture. It would be harder to write a worm. You've got Sparcs running Solaris, Linux running on x86, others running on x86-64 bit, Macs running on PPC.

You should also note that a mail server usually isn't run with root privileges. Also, with SELinux or the 2.6 kernel, even if a user gains control of your machine, they can pretty much do **** all.
#1.1 Posted by antareus on 20 Sep 2003 - 19:42
Wrong.

You have to be root to even bind() to a port below 1024 under *nix.
#1.2 Posted by Evil2000 on 20 Sep 2003 - 23:41
yup, but after that you can drop the root privileges.
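Comments #1.1 and #1.2 describe the standard pattern for a daemon such as Sendmail: bind the privileged port while still root, then drop root before touching any input. The C program below is an added example (not from the article or from any commenter) of doing that drop in the right order and verifying it cannot be undone; port 25 and uid/gid 65534 in main are assumed values, and the example assumes Linux/glibc.

```c
#define _DEFAULT_SOURCE 1        /* exposes setgroups() in <grp.h> on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a TCP port. Below 1024 this needs root (or
 * CAP_NET_BIND_SERVICE) at the moment bind() is called. Returns fd or -1. */
int open_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;                   /* the socket stays usable after root is dropped */
}

/* Give up root for good. Order matters: supplementary groups first (only
 * root may clear them), then gid, then uid, because once the uid is no
 * longer 0 the gid change would be refused. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0) return -1;  /* as root, sets real, effective and saved gid */
    if (setuid(uid) < 0) return -1;  /* likewise for uid: no saved uid 0 remains */
    if (uid != 0 && setuid(0) == 0) return -1;   /* must not be able to get root back */
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    return 0;
}

int main(void)
{
    int fd = open_listener(25);      /* SMTP: bind() needs root */
    if (fd < 0) { perror("bind 25"); return 1; }
    /* 65534 is an assumed choice ("nobody" on most systems). */
    if (drop_privileges(65534, 65534) < 0) { perror("drop_privileges"); return 1; }
    printf("port 25 bound, now serving as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```

main needs root to bind port 25; drop_privileges itself also works for an unprivileged process that passes its own uid and gid, which is how the self-check can be exercised without root.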
#2 Posted by hoodedone on 20 Sep 2003 - 05:08 (1 reply)
Umm... It's been known for a long time that Sendmail has its security risks. Every time someone on Slashdot talks about Linux being secure, some smartass has to pipe up about Sendmail.

Notice also that these particular vulnerabilities affect versions *prior* to the specified versions.
#2.1 Posted by Jon on 20 Sep 2003 - 15:48
Yes. Read any security book and you'll see how much of a joke sendmail security is considered.
#3 Posted by CheeseCow on 20 Sep 2003 - 08:36
Not to mention that most desktop users won't be running a mail server anyway.
#4 Posted by WS togermano on 20 Sep 2003 - 12:59
I think we should all use BeOS or QNX, that will fix security issues.
#5 Posted by mr_da3m0n on 20 Sep 2003 - 16:05
Anybody who's got half a brain and has more than 10 mailboxes will definitely NOT use sendmail... sendmail is just there because it became sort of a standard. Why? I don't know. We're stupid.

(I use qmail)
#6 Posted by Daffy_Duck on 20 Sep 2003 - 20:29 (1 reply)
Gasp! Flaws in Linux/Unix????
#6.1 Posted by werejag on 22 Sep 2003 - 06:59
Gasp, I do declare you need oxygen.
#7 Posted by aent on 20 Sep 2003 - 23:14 (6 replies)
The thing is, they refuse to consider that most Microsoft security exploits go unfound and most open source ones are found and are patched at a much faster rate...

And when there is a security problem in non-Microsoft-made software, it's not a Windows security bug, but when it's 3rd party software you install in Linux that has the security bug, it's a Linux security bug. Security bugs are going to be in both open and closed source products, just they are easier to find in open source ones and easier to get fixed, faster. And if I make an open source program for Linux which included security bugs, would Linux have security bugs? Based on these articles, the answer is yes. If I made a program which included loads of security bugs for Windows, the answer would be no.
#7.1 Posted by SomeDork on 21 Sep 2003 - 03:31
QUOTE (#7.0)
...most Microsoft security exploits go unfound and most open source ones are found and are patched at a much faster rate...

Let's split that up.

Most Microsoft exploits go unfound: Prove it. Name me one exploit that isn't found yet, and you just found it. Additionally, name one exploit in Linux that isn't found yet. Hm, it would appear that both of them have the same "vulnerability" in this regard.

Most open source [vulnerabilities] are found and [patched faster]: Prove this too. It's largely subjective. Microsoft has made a practice of holding off on official announcements of vulnerabilities until the patch is tested and ready (an argument that subjectively could be good or bad). Linux may have the same practice, and/or some developer can hack a patch in overnight that may not work (the quality of the open source patch may be in question).

On the "patching faster" front, I'd really call to issue where not releasing publicly a vulnerability AND its patch has caused harm.

On another note, it's considered extremely bad form and horrible net manners, when discovering a vulnerability, to simply expose it. In that respect, MS has been very good about accepting input, working quickly for resolution. So has the general Linux community. Which is the better practice is up to you; but this kind of rhetoric about "unfound" vulnerabilities isn't rational no matter which OS you refer to.
#7.2 Posted by JaggedFlame on 21 Sep 2003 - 04:50
QUOTE
And when there is a security problem in non-Microsoft-made software, it's not a Windows security bug, but when it's 3rd party software you install in Linux that has the security bug, it's a Linux security bug.


Microsoft releases about 60-70 security patches per year. For all their products. That still blows Linux away.
#7.3 Posted by Rathamon on 21 Sep 2003 - 22:20
That's not a good thing.
#7.4 Posted by JaggedFlame on 22 Sep 2003 - 05:57
Release your own products and do better, then.
#7.5 Posted by werejag on 22 Sep 2003 - 06:58
I see JaggedFlame in here lying to people again about how good Microsoft security is!!!

Yet all major internet outages have been because of Microsoft.
#7.6 Posted by werejag on 22 Sep 2003 - 07:03
QUOTE (#7.2)
Microsoft releases about 60-70 security patches per year. For all their products. That still blows Linux away.

Shouldn't that read:

Microsoft releases about 60-70 security patches per year, for all each of their products, some 2 million of them, and that still blows, in security.

Trustworthy computing is a shame.


