US-CERT Releases 2005 Year-End Index of Vulnerabilities
Posted by Shane Pitman on 04 January 2006 - 04:05 · 29 comments & 7236 views
About the Author
Full name: Shane Pitman
Forum name: Shane Pitman
Contact: via forum PM
Submissions: Normal · Headline
Full name: Shane Pitman
Forum name: Shane Pitman
Contact: via forum PM
Submissions: Normal · Headline
Slashdot It!
Submit to reddit
Submit to blinklist
Bookmark on del.icio.us
Add to furl
Share on Facebook
Add to Windows Live
Add to Google- Advertisement
-
-
(10 replies)
#1 Posted by Tungsten T on 04 Jan 2006 - 04:12
- Before anyone says anything about linux having more exploits than windows i would like to point out.
1.This is patched and unpatched ones, and linux ones were patched faster than windows.
2.If your using linux as a workstation/home pc/media pc/set top box then there is no nead to worry because there is no malware/viruses to run on them and they are not serving a website and they have no reason to just fuck with your termanil for nothing, hackers dont just do that.
3.Linux as a server is vunrible to being hacked but as i said in 2 desktops are not -
#1.1 Posted by raskren on 04 Jan 2006 - 04:43
- Hey, did anybody notice that Linux has more vulnerabilities than Windows?
Are you implying that the vulnerabilities lie within Apache and not within the Linux kernel? -
#1.2 Posted by Tungsten T on 04 Jan 2006 - 05:42
- No, I'm saying that in linux, there is no malware/virus (note: all spyware is made to generate ad revenue). There is no reason for hackers to use linux exploits aganist indeviduels using linux without a website. It does them no good. But on a server they are actively exploited to redirct to sites with those ads.
On windows, both workstations and servers are actively, and vigurusly exploited. -
#1.3 Posted by frogworm on 04 Jan 2006 - 09:04
- face it, common sense might suggest that a lot, if not the majority, of windows virus writers are dsigruntled *nix users. if we can honestly call people that fly planes into buildings islamic fanatics i think we could safely call those disgruntled *nix users terrorists too
hey, check out that Homeland Security logo.
p.s. don't twist my words, i never said *nix was bad (i like *ni
. -
#1.4 Posted by Jon on 04 Jan 2006 - 14:05
- No Linux malware?
McAfee strongly disagree:
http://vil.nai.com/VI L/newly-disco vered-viruses.asp
The comments system keeps adding spaces to my URLs, and it's realyl p*ssed me off, so I'm giving up trying to post the URL. I have better things to do.
Google for 'mcafee newly discovered viruses' and enter linux in the bottom search box.
Last edited by Jon on 04 Jan 2006 - 14:17 -
#1.5 Posted by sphbecker on 04 Jan 2006 - 15:34
- Malware does not count as a vulnerability in the OS because it is simply running the code its ignorant user asked it to. If anything it is a vulnerability in the user.
The only true measure of the security of an OS is the test of time. -
#1.6 Posted by markjensen on 04 Jan 2006 - 15:58
- No, I'm saying that in linux, there is no malware/virus (note: all spyware is made to generate ad revenue). There is no reason for hackers to use linux exploits aganist indeviduels using linux without a website. It does them no good.
There is money in spam, and many noob Linux users may have sendmail running by default. These people are also less likely to keep updated, or implement some sort of good security practices. Add these together, and you have a tempting target for crackers looking to make money off of spam.
Yes, there are Linux worms and malware. Yes, there are security flaws. Linux, like any OS, requires a competent admin to keep it secure. -
#1.7 Posted by LaNcom on 04 Jan 2006 - 17:07
- 1.) Linux exploits don't usually do much damage, as you don't run Linux as root by default. Even targeted services shouldnt be run as root. Plus, a sane basic config makes your system immune against most exploits, anyway (/tmp mounted noexec for example, and don't run services with root privileges, which is default on most distros). Most of the vulnerabilities listed get never exploitet, as they'd only work in theory or very rare cases, anyway.
2.) The single most dangerous type of exploit, a remote root, is extremely rare on Linux.
3.) Linux exploits usually target servers, not desktops/ workstations.
4.) The US-CERT listing is almost useless. The Linux/ UNIX section includes many OS X-/ AIX-/ HP-UX-only exploits, for example, or architecture-specific eploits, or vulnerabilites affecting rare 3rd-party apps. The Linux kernel vulnerabilites are almost completely DoS-ones, not really exploits. -
#1.8 Posted by sphbecker on 04 Jan 2006 - 21:56
- "Linux exploits don't usually do much damage, as you don't run Linux as root by default." - you don't need root access to access or delete files from the user's home directory, open TCP connections, or otherwise run malware/virus code that doesn't require root access
"Most of the vulnerabilities listed get never exploited, as they'd only work in theory or very rare cases, anyway." - same with Windows and other platforms.
"The single most dangerous type of exploit, a remote root, is extremely rare on Linux. " - that is only true if you value your computer's kernel/software more then you do the date on it (which does not require root access to read/modify).
"The US-CERT listing is almost useless. The Linux/ UNIX section includes many OS X-/ AIX-/ HP-UX-only exploits, for example, or architecture-specific eploits, or vulnerabilites affecting rare 3rd-party apps. The Linux kernel vulnerabilites are almost completely DoS-ones, not really exploits." - architecture-specific exploits are still valid, especially if they are popular platforms. 3rd-party apps are also valid if they are bundled with the distribution.
I will agree that this information is pretty useless; especially if all you do is compare the total numbers together. -
#1.9 Posted by Computer Guru on 04 Jan 2006 - 22:15
- Can the fanboys give it a rest???<br><br>The only reason that these different OSes still exist is that they <b>all</b> have a purpose and are good for one thing or another...<br><br>And that McAfee URI posted above is incorrect: <a href="http://vil.nai.com/VIL/newly-discovered-viruses.asp">http://vil.nai.com/VIL/newly-discovered-viruses.asp</a><br>
-
#1.10 Posted by LaNcom on 05 Jan 2006 - 04:23
- "you don't need root access to access or delete files from the user's home directory, open TCP connections, or otherwise run malware/virus code that doesn't require root access"
No, you're correct. But to access user data, the exploit needs to run with user rights. If an exploit targets, say, CUPS, it only gets the access rights cupsd has - and cupsd has not even sufficient rights to access user data. Some services use accounts limited in a way that doesn't even allow to open TCP connections. Know what I mean?
"same with Windows and other platforms."
Not entirely true. On Windows, or other closed source OSs, vulnerabilites are only found because they get exploited quite often, while on open source software, most exploits get found by looking at the sourcecode, which usually leads to a fix faster than an exploit could even be written.
"that is only true if you value your computer's kernel/software more then you do the date on it (which does not require root access to read/modify)."
True, but again: the exploit needs user-rights, at least to modify the data. Read my first answer...
-
(3 replies)
#2 Posted by thollian on 04 Jan 2006 - 04:55
- 2k for Linux...haha so much for it being super secure....but it does get patched more quickly then Windows....
-
#2.1 Posted by Tungsten T on 04 Jan 2006 - 05:44
- Windows has more vunribilitys than linux but they are hidden. It is much easyer to find vunriblitys when you have the source. (As in kernel sources)
-
#2.2 Posted by The_Decryptor on 04 Jan 2006 - 06:51
- the UNIX category just isn't linux, it is all UNIX OS's (OS X, Linux, BSD, UnixWare, etc.), which there are more of than windows.
-
#2.3 Posted by markjensen on 04 Jan 2006 - 11:55
- ^^^ And HPUX, Solaris, etc.
It seems too many people are jumping aboard the "Linux-bashing" train without engaging their brains (or reading the article, as usual).
And then, we have frogworm coming up with the "Linux users are terrorists" line. The pinnacle of talking without putting reasonable thought behind the words.
-
#3 Posted by Quick Reply on 04 Jan 2006 - 06:25
- that's 5,198 less ways to hack into a system, Operating Systems are only getting more secure.
-
(5 replies)
#4 Posted by plastikaa on 04 Jan 2006 - 06:51
- Theres a lot less people using linux but yes they have the source, people looks for exploits on windows machines to make viruses and spyware etc. while people just find security problems in linux for "fun". Thats most likely why windows exploits are usually more severe.
The only reason linux "seems" more secure is because no-one really attempts to create viruses for it as its a waste of time due to the small number of people using it. That would be like sending a nuke into space on the hope it would hit something.
Overall im unusre which is more secure - it depends how you look at the terms "secure" if you look at it from the point how many systems actually get hacked then yes windows is less secure but that doesnt mean thats becasue of a crappy OS and poor coding it mostly down to hackers targeting microsoft more. -
#4.1 Posted by frogworm on 04 Jan 2006 - 09:07
- i'm afraid that is a little over-simplified as quite a LOT of people use *nix, infact, most likely used more than OSX.. and that is considered UNIX. hell, if you go to /. you could find people that use *nix
and it is scary how many of them there are -
#4.2 Posted by markjensen on 04 Jan 2006 - 13:57
- Overall im unusre which is more secure - it depends how you look at the terms "secure"
You are right that the number of 'hacked' or otherwise compromized (automated virus or worm) systems isn't the full picture.
A good snapshot is comparing, on a daily basis, where the different OSes stand as far as the known vulnerabilities. This will give you an idea on how severe problems may be, and how quickly they are addressed.
For example:
Ubuntu Linux "Zero advisories"
Fedora Linux "Zero advisories"
Debian (unstable) Linux [img]http://secunia.com/gfx/crit_2.gif[/img] "Less Critical"
OSX [img]http://secunia.com/gfx/crit_2.gif[/img] "Less Critical"
XP Pro [img]http://secunia.com/gfx/crit_5.gif[/img] "Extremely Critical"
Even if Microsoft had the recent WMF flaw fixed, they would still be at [img]http://secunia.com/gfx/crit_4.gif[/img] "Highly Critical", due to a problem that has been open since April 2005.
I know where I place my daily computing security faith. -
#4.3 Posted by plastikaa on 04 Jan 2006 - 23:10
- Also take into account that practically everyone who uses linux is a lot more advanced than a basic pc user. Anyone who uses windows and knows what they are doing is perfectly okay in most cases... but the people who only know how to use MS Word are in more trouble - and to be honest if you can only use word this shows what OS your more likely using :p
And a LOT of linux users is still less than 1% of the whole market share. I dont think /. shows a fair cross section of peoples choice on OS! -
#4.4 Posted by Shadrack on 05 Jan 2006 - 01:52
- plastikaa:
Check out this graph of Servers across all domains at NetCraft.
A huge majority of web servers online right now are running Apache! And I'm sure the majority of those Apache servers are running on *NIX.
Now why wouldn't a virus writer crave to attack the largest amount of servers out there? Sure, end users are far-and-few between...but *NIX+Apache is still a very popular server combination that does attract attention. -
#4.5 Posted by plastikaa on 05 Jan 2006 - 19:45
- i cant be certain but I would still imagine that the number of attacks "attempted" on linux/apache servers is far fewer than those on desktop pcs. Okay so a lot of severs use apache - but I still wonder if this makes up a hugely significant number of pcs - okay it can cause a lot of chaos if there are attacks to major sites but they are usually quickly resolved - however personal desktop attacks cause less damange most likely short term but can be a real pain for some people to get rid of.
-
#5 Posted by some_guy on 04 Jan 2006 - 14:49
- i'm afraid that is a little over-simplified as quite a LOT of people use *nix, infact, most likely used more than OSX.. and that is considered UNIX. hell, if you go to /. you could find people that use *nix and it is scary how many of them there are
you have to remember, in this community, it makes you think that there are many that use *nix in the world. But when you look at the stats on paper, you'll find that the number of *nix users pale in comparison to the number of windows users.
-
(1 reply)
#6 Posted by marlow714 on 04 Jan 2006 - 17:29
- Don't ya just love all the peeps crawling out from under the rock they've been under to defend their choices? I know I do. You guys need to just deal with it. You can proclaim anything you like, when and where you like, however you like. The fact of the matter is all your base belong to us.
-
(2 replies)
#7 Posted by Gizzmo2k1 on 04 Jan 2006 - 21:05
- Security is only as good as the person behind the keyboard.
-
#7.1 Posted by plastikaa on 04 Jan 2006 - 23:05
- also very true - and also what they do... okay if you goto porn and other "wonderful" sites your a lot more likely to get stuff on your pc you dont want.
-
#7.2 Posted by underscorebios on 05 Jan 2006 - 02:03
- OMFG, no way dude...
there goes half my bookmarks 
lol j/k
Keep in mind that numbers of vulnerabilities do not indicate overall OS security. Some vulnerabilities are very insignificant and pose little threat or are limited to a small portion of users for that particular OS that are operating under specific criteria.