New critical Windows flaw discovered

[malfunction]

The trouble with all this Linux / M$ bashing is that really it's pretty irrelevant...

Yes M$ has problems and yes the open source community has the potential to fix security problems in less time than M$ does. But really - if Linux out-numbered M$ on the desktop then there would be more people trying to hack Linux boxes and more exploits found and less people doing the same for M$. And IMO M$ have gotten a lot better recently - 2K, XP and 2003 server are much better than their earlier attempts and the kind of exploits we're getting now seem more advanced. Forget e-mail / script viruses - those started out as M$'s fault - they really were wide open - but now are down to the user... Honestly if any company out there doesn't have suitable security measures (AV, firewall, user training, etc) then they deserve whatever they get IMO. How many viruses have I ever been infected with? None. How many worms / hacks have gotten through my firewall? None (to my knowledge!)... I'm not saying it isn't possibly but most attacks are from worms / scanners and if you leave yourself that open then you've only got yourself to blame. Blocking / detecting targetted attacks from knowledgeable hackers if always going to be hard no matter what you are running...


Anyway I'm ranting so I'll get my coat!

[DaBeeeenster]

The trouble with all this Linux / M$ bashing is that really it's pretty irrelevant...

Yes M$ has problems and yes the open source community has the potential to fix security problems in less time than M$ does. But really - if Linux out-numbered M$ on the desktop then there would be more people trying to hack Linux boxes and more exploits found and less people doing the same for M$. And IMO M$ have gotten a lot better recently - 2K, XP and 2003 server are much better than their earlier attempts and the kind of exploits we're getting now seem more advanced. Forget e-mail / script viruses - those started out as M$'s fault - they really were wide open - but now are down to the user... Honestly if any company out there doesn't have suitable security measures (AV, firewall, user training, etc) then they deserve whatever they get IMO. How many viruses have I ever been infected with? None. How many worms / hacks have gotten through my firewall? None (to my knowledge!)... I'm not saying it isn't possibly but most attacks are from worms / scanners and if you leave yourself that open then you've only got yourself to blame. Blocking / detecting targetted attacks from knowledgeable hackers if always going to be hard no matter what you are running...


Anyway I'm ranting so I'll get my coat!

I agree with your first point about Linux getting less hacker attention because it is less prevalent, but that is only on the desktop; Linux does VERY well in the server area but does not seem to suffer attacks in the same was as MS does - think of the MSSQL slammer and the code red virus - they both attacked servers and they attacked MS ones, not linux ones...

I agree that MS has got better, but it is still far from acceptable. XP default installs without a firewall and with numerous ports open and listening. When you use XP, you are generally logged in as the root user; Linux and Unix in general are just better designed in this respect. Even if there was a compromise for, say, Thunderbird, most Linux users would still limit the damage a worm or virus could do as they would not be logged in as root.

[malfunction]

I agree with your first point about Linux getting less hacker attention because it is less prevalent, but that is only on the desktop; Linux does VERY well in the server area but does not seem to suffer attacks in the same was as MS does - think of the MSSQL slammer and the code red virus - they both attacked servers and they attacked MS ones, not linux ones...

I agree that MS has got better, but it is still far from acceptable. XP default installs without a firewall and with numerous ports open and listening. When you use XP, you are generally logged in as the root user; Linux and Unix in general are just better designed in this respect. Even if there was a compromise for, say, Thunderbird, most Linux users would still limit the damage a worm or virus could do as they would not be logged in as root.

Hmmm... Hard to counter as my knowledge isn't that good. I'll have a go though

MSSQL isn't part of the base OS (possibly in the cluster editions and almost certainly in the data center ones) and this one I do know - IIS (code red reference) doesn't run under an admin account on the machine. I also think that as far installing without a firewall is concerned that it's a fair thing to do in a business environment - where there really should be a sep. firewall and you can at least configure TCP/IP filtering (it's only stateless filtering IIRC)... For my 2p in an ideal world any web server would be in a DMZ and I'd use TCP/IP filtering on the machine itself (as well as disabling all the various unrequired services - which 2003 is much better for than 2K)... And even if the web server is on the general LAN (i.e. small company with only 1 firewall and no DMZ) I reckon it would be unwise to use the machine as pre-configured - whether it's Windows or Linux based (or anything else for that matter)... I see it as the company's responsibility to ensure security whether that's through external consulting or internal staff... Seriously though (as I've actually been meaning to give Linux another go at home) is there a good distribution that (for example) is fairly secure out of the box and ideally comes with Apache and MySQL pre-installed / pre-configured?

[Paul Adams]

Interesting. Do you have a URL on this? I wasn't aware that anything had made it into production code...I know that people have tried to hack the SSH code before, but not the kernel...

I don't, these articles I read in either Computing Weekly or IT Weekly or something, the typical "sound bite" report - I'll be honest that I don't pay much attention to Linux-related stories most of the time, it's not an OS that interests me (usually annually I get the latest ISO of a random flavour of Linux to see if it's changed any, but it gets wiped after a couple of days of tinkering).

I wouldn't rule out the possibility I misremembered the events, I can't find anything from Googling, just these sort of things:

November 5, 2003 - Linux: Kernel "Back Door" Attempt (the one that got picked up almost by mistake)

November 21, 2003 - Debian Linux Under Attack by Hackers

January 5, 2004 - Security flaws force Linux kernel upgrade (up to 2.4, recommends upgrading to 2.6)

January 7, 2004 - Linux kernel upgraded to fix security flaw (including 2.6)

Maybe it was the Debian hack I read about.

How? An exploit is an exploit.

Writing a worm/trojan/script to take advantage of a flaw in a system is not the same as having a back door built into it.
One is an error/oversight, the other is a deliberate introduction of malicious code at the source level.

The bottom line is, Linux has a FAR better history of security than Linux. I mean, come on, it has taken MS SIX MONTHS to release a fix for this one...Open Source software is normally patched within hours (sometimes minutes) of the exploit being made publicly available. The same thing happened with the IE URL spoofer bug...That was public knowledge for weeks before a fix was made available. MS's temporary fix was to...get users to type URL's in by hand!!!

I assume you meant "FAR better history of security than Windows"?

The main counterpoint to this argument has already been mentioned and replied to - that the hackers/spammers/morons will target the systems which will have the highest impact on the most users - i.e. Windows users, and Microsoft servers installed by people with no clue about security.

There is another point though - that the more complex and secure you make a system, the more you it will appeal to the people that like a challenge when it comes to cracking into them.
You end up raising the bar on the intelligence and competence of the would-be intruders, who also have an advantage because they can see the source code of the systems they want to get into.

But I agree that Microsoft could surely have worked faster/harder to get a fix for this particular problem before it became public knowledge before Christmas, that was very bad form.


@Applecrusher - I saw the pic used in another forum and I thought it a cool geeky little tool
I assume it receives the request for a .jpg file and executes a script to generate the text for the banner in real time, so it's created dynamically rather than stored in a big lookup table.
Of course, other than the IP address, it works by picking up your agent string from the browser, which could be spoofed.
The IP address will be where the request that the server saw came from - so if you use an anonymizing proxy server or AOL (they have a huge browser proxy farm) then it will show something that is not your real IP.
But hey, it's only a toy


Sorry for taking a while to reply - got issues with getting OSPF working on some new Internet-facing routers that have kept me busy since 6am.

[Kezzer]

Basically ALL kids are brought up to use Windows, i was, most people were. If you were brought up to use linux then you wouldn't be complaining about linux and you would think windows was an inferior operating system. It's only because you are used to windows.

[malfunction]

Basically ALL kids are brought up to use Windows, i was, most people were. If you were brought up to use linux then you wouldn't be complaining about linux and you would think windows was an inferior operating system. It's only because you are used to windows.

Not at all KeZZer - we're not all kids on here you know I didn't even use a 'PC' (IBM compatible PC that is!) until I was 18/19 at Uni. Before then I was brought up on various 8 bits (Dragon 32, Commodore 64) and learnt to do things other than play games on the Amiga (500 -> 1200). My school had BBCs and my college had Acorn Archimedes...

I must admit that I do like windows because it's the easy choice - but to be honest who doesn't?!? Last time I installed linux (Mandrake 8.1 IIRC) it seemed OK but why bother to go through the process of finding new favourite apps, etc to do the same things... I might put linux on my firewall / server PC at some point though but even that's not certain (as I'd need to set up some kind of firewall software (IP chains?), MySQL and a web server that supports ASP... Not to mention it will have to run MS networking (SAMBA) so that I can easily share my files between my desktop and laptop as I'm *really* not ready to go the Linux route for those... Though I suppose my laptop might be a good place to start as it's not needed as much as the other two!

[Paul Adams]

Basically ALL kids are brought up to use Windows, i was, most people were. If you were brought up to use linux then you wouldn't be complaining about linux and you would think windows was an inferior operating system. It's only because you are used to windows.

Hmm, possibly true for a lot of users - in the same way that there are camps for Intel/AMD, nVidia/ATI, Pepsi/Coke, etc. but in my case I take the best tool for the job.

I was weened on DOS 3.3 onwards, utterly hated Windows 3.xx, got to use Unix and Open Windows at uni and that was just hideous to use, tried OS/2 Warp and... well... just "no!".

From a professional point of view, I used to love Novell's Directory Services and their file/print servers were WAY superior to Microsoft's offerings... now Novell really fell behind and the quality of their NOS dropped through the floor, I prefer the relative simplicity of Microsoft's Active Directory.

My opinions aren't based on purely what I am used to, but what I think is useful/intuitive/easily supportable and has a variety of software available for it.
The Redmond fanbois are just as bad as the Linux zealots, IMO

IT is my job and my hobby (sad, I know ), so I'll give pretty much anything a trial, heck even a Macintosh if one got delivered to my house by mistake

[gamezfreak]

Windows gets it worse because its where the money can be made, I mean come on, look, i'd say 75% of the computing world use Windows as their primary operating system, this is where the hackers and virus writers will get most impact from their original intention.

Linux can be whatever you want it to be, it's a lot more stable then Windows and has a lot to offer. I was talking to my Computing teacher about this the other day, He said that MS are a prime example of poor coding practice, releasing buggy and flawed software for its consumers. It isn't acceptable to be honest, its bad when it comes to corporate users having their servers crash every 3 days due to an illegal op etc

Linux is not a desktop operating system, it's designed for purposes, Windows does everything and it's fantastic.

Like I said before, Linux is what you want it to be, its not a widely user desktop O/S, but it can be. I use Gentoo Linux all the time now, I only venture into my Windows partition for gaming, which is rare nowadays. Also, Linux can do everything that windows can, so the last comment is a bit flawed there mate.

Even in Januarys issue of PCFormat, they stated that Microsoft we're becoming very lax in the way they've put their customers under threat from attacks.