Re: [fw-wiz] Proverbial appliance vs software based firewall
From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 10/27/02
From: Mikael Olsson <mikael.olsson@clavister.com>
To: "Marcus J. Ranum" <mjr@ranum.com>
Date: Sun Oct 27 08:02:00 2002
"Marcus J. Ranum" wrote:
>
> [...] they use smaller
> kernels like VXworks or QNX or whatever. But there's a kernel
> (that's "software", see?) running down in there, you betcha.
> Do they look at the OS line by line? Hell no. Do they strip out
> security flaws? Hell no.
And, alas, "small" doesn't necessarily mean "secure". At least not for
high values of "secure". (Yes, you did hint as much; I just thought I'd
chime in and provide some hard facts.)
Lookie what happened when QNX tried to Go Internet:
(this is all from late May this year and on)
Multiple QNX Local Buffer Overflow Vulnerabilities
http://online.securityfocus.com/bid/5000
QNX Ptrace Arbitrary Process Modification Vulnerability
http://online.securityfocus.com/bid/4919
QNX RTOS PKG-Installer Buffer Overflow Vulnerability
http://online.securityfocus.com/bid/4918
QNX RTOS phlocale Environment Variable Buffer Overflow Vulnerability
http://online.securityfocus.com/bid/4917
QNX RTOS phgrafx-startup Privilege Escalation Vulnerability
http://online.securityfocus.com/bid/4916
QNX RTOS phgrafx Privilege Escalation Vulnerability
http://online.securityfocus.com/bid/4915
QNX RTOS su Password Hash Disclosure Vulnerability
http://online.securityfocus.com/bid/4914
QNX RTOS dumper Arbitrary File Modification Vulnerability
http://online.securityfocus.com/bid/4904
QNX RTOS monitor Arbitrary File Modification Vulnerability
http://online.securityfocus.com/bid/4902
QNX RTOS Watcom Sample Utility Argument Buffer Overflow Vulnerability
http://online.securityfocus.com/bid/4905
QNX RTOS Watcom Sample Utility Privileged File Overwriting Vulnerability
http://online.securityfocus.com/bid/4903
QNX RTOS CRTTrap File Disclosure Vulnerability
http://online.securityfocus.com/bid/4901
QNX RTOS int10 Buffer Overflow Vulnerability
http://online.securityfocus.com/bid/4906
Couple this with the number of people likely to be scrutinizing QNX
code the way that people are doing with *nix / windows.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com