Jump to content
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble

MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, register and become a site sponsor/subscriber and ads will be disabled automatically. 


DigeratiPrime

8 year old bug in Linux discovered

Recommended Posts


funny I don't see anyone mentioning the 2 year old bug in Office Web Components.

http://www.h-online.com/security/Microsoft...e--/news/113994

that was a hole known since 2 years.

whereas your 8 year vulnerability seems to have been brought to the attention of the kernel team around july.

not defending anyone, things like this can happen in projects of that size.

I'm just saying even if you are a fan of MS you should sweep before your own door before you pull jokes about what MS (now) calls concurrents.

oh and BTW, MS seems to have a history of their own with problems from the past creeping up on them:

http://news.softpedia.com/news/Microsoft-P...SP3-97742.shtml

http://www.networkworld.com/news/2007/1126...nerability.html

I dont remember a big fuss about those either.

Edited by bj-kaiser

Share this post


Link to post
Share on other sites

I know Microsoft has been guilty of similiar before, these things can happen to anyone. Those other bugs aren't as serious though, this is a kernel exploit affecting basically every linux distro for the last 8 years, the ones you pointed out are for Office Web ActiveX, unsigned SMB, and WPAD with .com domains. The Register article also mentioned another recent discovery affecting SELinux, my point is that any software can be vulnerable to known and unknown exploits.

Share this post


Link to post
Share on other sites
not defending anyone, things like this can happen in projects of that size.

I'm just saying even if you are a fan of MS you should sweep before your own door before you pull jokes about what MS (now) calls concurrents.

An awful large bunch of obnoxious Linux zealots keep repeating and telling everyone Windows is insecure though. And that it's also more secure because everyone can look at the source code, and that this "many eyeballs" way makes these things never happen. And that with things like SELinux, they're 100% protected against everything. Whereas in reality, it's a VERY different picture.

If you count from around Y2K or so (starting from the Linux kernel 2.2.x and Win2k Server to Win2008), we get very similar pictures:

Linux: 280 advisories, 475 vulnerabilities with 7% unpatched (worst being rated "less critical")

Win: 472 advisories, 580 vulnerabilities with 7% unpatched (worst being rated "less critical")

It only looks somewhat favorable to Linux in this case because basically no one really looked at Linux back when Win2k was out, and there are basically nothing about it (2.2.x: 8 advisories, 5 vulnerabilities) whereas the new kernels which a lot more people use and gets a lot more attention (2.6.x: 187 advisories, 353 vulnerabilities)

If you look from 2003-now (a time frame where more eyes were laid on Linux, due to having more users), we get this:

Linux 2.6.x: 187 advisories, 353 vulnerabilities, 5.8% unpatched (worst being rated "less critical") -- spanning over 5 years and 8 months.

Win2k3+: 242 advisories, 341 vulnerabilities, 5.3% unpatched (worst being rated "less critical") -- spanning over 6 years and 4 months (2/3 of a year extra, or 12% longer)

If you were to adjust the numbers for an identical time span (or remove all the bugs discovered in the first 8 months Win2003 was out), then Linux looks even worse.

And here, we're merely comparing Linux' kernel flaws against an entire OS and all of its components combined. That's not even remotely fair!

If you were to take the current version of most common commercial server-oriented Linux distro (that would be RHEL 5), compared to the latest version of Windows server (the best/latest the two biggest companies have to offer), we get these:

RHEL 5: 273 Secunia advisories, 829 Vulnerabilities, 0 unpatched, been out for 2 years, 5 months

Win 2008: 40 Secunia advisories, 82 Vulnerabilities, 0 unpatched, been out for 1 year, 6 1/2 months

Yes, RHEL has been around for 50% longer, but even if you boost Win 2008's numbers up by 50%, we're *nowhere near* RHEL 5's numbers. 600% more advisories and 1000% more vulnerabilities in 50% longer?

Simple comparison (I'm not going to manually compare 1000's of bugs spanning over several years, sorry), but I think it makes a point regardless. It hardly looks like the perfect, 100% bulletproof, inpenetrable fort knox they make it out to be now, doesn't it? That doesn't prevent them from laughing "M$ Windoze is insecure! LOL BSOD!" all the time. That very much explains PC_LOAD_LETTER's point.

And if this wasn't MSFN, there would be people calling me a paid shill or astroturfer within mere seconds of posting this. As if Bill himself personally hands a fat cheque to everyone who likes Windows and ever said so on the internet. And if ever anything has ever not worked on Linux then it's either my fault for being too stupid (including when drivers don't exist), that it should STFU and fix it myself and submit a patch (yeah, exactly what the average end user wants!), or because I've been too lazy to try these other 52 other distros, or whatever other nonsense. Only to tell me afterwards that the GIMP is a perfectly good replacement for Photoshop CS4, evolution for Outlook, OOo for MS Office and so on.

Share this post


Link to post
Share on other sites

The question really is "do many eyes make all bugs shallow?" - or why would closed source make bugs more identifiable? Does Linus' Law still stand or has it been undermined? "It just does, look at these statistics" isn't a good enough answer given the manipulability of selective statistics. It would be interesting to see if open-source OpenBSD suffers a comparable level of bugs?

Edited by darrelljon

Share this post


Link to post
Share on other sites

OpenBSD prides themselves in this:

"Only two remote holes in the default install, in a heck of a long time!" (to quote OpenBSD.org)

I did a quick stab with google trying to find the default package/application setup, but I didnt get lucky. However, I didnt spend much time on it.

Share this post


Link to post
Share on other sites
Just stating the obvious, BSD and Linux are completely different. The only similarity might be licensing.

The point about the vulnerability of open-source software to bugs is the same.

Share this post


Link to post
Share on other sites
Just stating the obvious, BSD and Linux are completely different. The only similarity might be licensing.

The point about the vulnerability of open-source software to bugs is the same.

Thats true, however it was sort of a red herring.

Share this post


Link to post
Share on other sites
Just stating the obvious, BSD and Linux are completely different. The only similarity might be licensing.

The point about the vulnerability of open-source software to bugs is the same.

Thats true, however it was sort of a red herring.

As deliberate distractions go, I'd say the news of an 8 year-old bug discovered in the Linux kernel was more of a red herring to distract from Linus' Law.

Share this post


Link to post
Share on other sites
Just stating the obvious, BSD and Linux are completely different. The only similarity might be licensing.

The point about the vulnerability of open-source software to bugs is the same.

Thats true, however it was sort of a red herring.

As deliberate distractions go, I'd say the news of an 8 year-old bug discovered in the Linux kernel was more of a red herring to distract from Linus' Law.

I think you're refering to "Linus' Law according to Eric S. Raymond" which was referred to ealier. I don't think the news is a distraction rather a proof that the idea of such law is invalid.

Share this post


Link to post
Share on other sites
I think you're refering to "Linus' Law according to Eric S. Raymond" which was referred to ealier. I don't think the news is a distraction rather a proof that the idea of such law is invalid.

In the news, it is stated that researchers found the bug mentioned, Right? Linus' Law has been proved as correct as another set of eyeballs made yet another bug shallow (discovered and to be fixed).

To invalidate the Linus' Law, you need to prove that undiscovered bugs exist and are not shallow. How can you make that absolute claim without checking the source code and finding the bugs, and if found, then you are just confirming the law as valid with your own eyeballs.

Share this post


Link to post
Share on other sites
To invalidate the Linus' Law, you need to prove that undiscovered bugs exist and are not shallow. How can you make that absolute claim without checking the source code and finding the bugs, and if found, then you are just confirming the law as valid with your own eyeballs.

Yup so we have a Catch-22. I think 'time' is an important thing to consider though when talking about security. 8 years means it was either overlooked or ignored for 8 years; vulnerable for 8 years. Then again if a tree falls in the woods... I just don't like that people call some idea a law and pretend that in itself makes it true, it's not a good premise.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...