Re: Will Linux become as vulnerable as MS ??

From: Jim Richardson (warlock_at_eskimo.com)
Date: 02/13/04


Date: Thu, 12 Feb 2004 15:31:28 -0800


On Thu, 12 Feb 2004 11:29:48 GMT,
 Nils Petter Vaskinn <no@spam.for.me.invalid> wrote:
> On Wed, 11 Feb 2004 19:36:58 -0800, Jim Richardson wrote:
>
>
>> You're mixing up a few things, and ignoring others.
>
> I don't think I mix up much. I have chosen to ignore a few things because
> I wasn't talking about being vulnerable to worms, I'm talking about
> being vulnerable to viruses.
>

there's no hard and fast distinction between worms and viruses, a given
piece of malware can be one, the other, or both.

>>
>> 1) Unlike OE, IE, et al, Linux doesn't conflate open() and exec().
>
> I never said it did. But people are sometimes infected by viruses from files
> that they know are executable, and execute intentionally. Like
> some_famous_person_nude.exe, some_game_cracked.exe
> some_file_I_got_from_my_mom_so_it_must_be_safe.exe
>

That's exactly what conflating open and exec means. If you click on
something you think is an image, and instead, it's an executable, and it
runs, then you've fallen victim to that particular flaw, irrespective of
whether you screwed up in the social engineering area.

>> 2) While a few years ago, RH et al, had a problem with turning every
>> dang dæmon on "just in case", that's no longer the problem it was. Now,
>> the tendency is to have nothing turned on without express human action.
>
> Yes. But any sucker can set a daemon up to run and then forget about it.
> "chkconfig whateverd on" is all it takes when you forget about it later
> on. Limiting a service through iptables, pam, and hosts.{allow,deny} is
> far harder than just turning it on.
>

depends on the mechanism used. Chkconfig is something rhatish, and not
the kind of thing I expect grandma to run. You are trying to dance
between servers and desktops.

>> 3) The mono-culture in the MS world, simply has no comparison in Linux.
>> the writers of viruses and trojans know that IE and probably OE will be
>> installed, and they act accordingly. That's simply not the case with
>> Linux, each distro is a little different, and even within the distro,
>> the user can easily choose to change the default, with far less effort
>> than it would take under MS-Windows.
>
> They're not that different. While you can't easily target a particular
> browser or mail client, once you get something to run you can be fairly
> sure that the usual command line utilities are there. Remember we're
> talking about viruses exploiting user-stupidity here.
>

agreed, and in order to do so, they have to be executed. Now, can you
show me a way to send an executable to someone using say, kmail (a
pretty common guified email client in Linux) that will run the
executable from a double or single click?

>> 4) In addition to the diversity of applications, there's a diversity of
>> libraries. While various versions of glibc work fine together, the
>> trojans and other malware we've encountered to date, are quite fragile,
>> not working when little things change, like stack allocations, and such.
>> Again, MS-Windows is far more rigid and consistent in these things, in
>> part, because of the nature of IPC in MS-Windows. They happily fling
>> binary data back and forth, that's frowned on in most *nix apps, who
>> instead push text back and forth, across more robust, and far less
>> rigid, interfaces. Trojans and other malware are usually quite fragile.
>
> So we will see statically linked viruses instead of dynamically linked
> ones.
>

That is one possibility yes. Again, how does the virus get executed?

>> 5) Linux distros don't upgrade by patch, they upgrade by replacing the
>> old app, completely, with the new one. It's a big difference. You don't
>> have to worry that patch b will open wide, the sec flaw that patch a
>> closed last week, sure, it's possible that the upstream maintainer
>> screwed up, but it's far less likely. They are juggling far fewer balls
>> in the air than their counterparts in Redmond.
>
> Actually I thought this was what was done on windows too, only that if an
> application consists of several files (dlls or whatever) only the changed
> ones are updated. I may be wrong of course.

I think you are partly correct, but binary in-place patches still occur
there also.

>
>> 6) With Linux, click on the attachment all you want, it's not going to
>> be executed unless you go *way* out of your way to make it do so. Unlike
>> MS-Windows...
>
> Fortunately this is still the case.
>
> But one day some well intentioned fool will add the capability to click to
> open according to filename ending to a mail client.

open is fine, exec is not. See "conflating open() and exec()" above.

>
> Some other well intentioned fool will make *.sh files open with bash.
> Since clicking on a script is easier than typing its name, not realizing
> the mail program uses the same file <-> program settings as the filesystem
> browser.
>

sure, badly written apps can open up sec holes. Now, in order to be
*as* vulnerable as MS windows, that badly written app must be a) the
most common app for that task, b) preinstalled in the "bad"
configuration, and c) not fixed after the flamewars that will descend
upon the first distro to pull such a boner.

> Then anyone with a basic understanding of shell scripts could write one
> capable of mailing itself out.
>
> Such a script could even copy itself into any scripts it finds that the
> current user has write privileges to and silently keep doing that
> whenever a script is run until it's run by uid 0, which is when it
> installs a backdoor.
>
> If this happens on a system where users share scripts (eg in project
> folders) the script-virus could spread until it infects all user writable
> scripts on a machine. And if root executes only one of those

Again, the claim isn't "Linux is invulnerable" but "Linux is not as
vulnerable", as you have just shown in the "scenario" above.

>
>> None of this means that Linux is invulnerable, or that it can't be
>> improved. But these, and other points, are some of the reasons that it
>> is *less* vulnerable than MS-Windows.
>
> I agree to that.
>
>> Consider this. The overwhelming majority of websites out there are running
>> Apache, and despite having several rather nasty holes in Apache, or its
>> modules, in the last couple of years, Apache hasn't come even close to
>> the vile record that IIS holds in spreading malware. Apache is far more
>> common, the source code is out there for the black hats to study, and
>> yet it's IIS which craps all over the net.
>
> Because the black hats know they can use an IIS exploit for months before
> it's even known, and then for months before a fix exists. And then even
> for more months before all the unpatched machines are replaced with newer
> ones with a new version of windows.
> Basically cracking IIS may be harder because of the closed source, but it
> has a bigger "return on investment" :)
>

That doesn't track with the "more popular software gets attacked more"
claim at all, now does it?

> I believe that apache has fewer holes than IIS (based purely on gut
> feeling) but the relative number of exploits can't be used to tell us if
> that's true.
>

Relative numbers of exploits do, however, blow holes in the "more popular
means attacked more" mantra.

>> While MS holds the vast majority of the desktops, and has for quite some
>> time, the server market is far more evenly distributed, yet still, it is
>> MS servers that are spreading this garbage, not the equally prevalent
>> Linux ones.
>
> Fortunately webservers are less prone to the stupid user syndrome.
>
>

One can hope... :)


-- 
Jim Richardson     http://www.eskimo.com/~warlock
"It says he made us all to be just like him.  So if we're dumb, then
god is dumb, and maybe even a little ugly on the side."
                -- Frank Zappa
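
The open()-versus-exec() distinction argued in the message above can be checked on a real desktop by auditing its MIME handler table. The following is an added example, not part of the original post: it assumes the mail client takes its handlers from a mailcap-format file, and the interpreter list and the sample entries are constructed for illustration.

```python
import shlex

# Programs that run their file argument instead of displaying it (assumed list).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "perl", "python", "python3", "wine"}

def parse_mailcap(text):
    """Yield (mime_type, view_command) pairs from mailcap-format text."""
    text = text.replace("\\\n", "")            # join continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Simplification: assumes no escaped ';' inside the command field.
        fields = [f.strip() for f in line.split(";")]
        if len(fields) >= 2:
            yield fields[0].lower(), fields[1]

def executes_attachment(command):
    """True if the handler runs the attachment (%s) rather than viewing it."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return True                            # unparseable: treat as unsafe
    if not argv:
        return False
    if argv[0] == "%s":                        # the attachment itself is the program
        return True
    for i, tok in enumerate(argv):
        if tok.rsplit("/", 1)[-1] in INTERPRETERS:
            rest = argv[i + 1:]
            if rest[:1] == ["-c"] and len(rest) > 1:
                return executes_attachment(rest[1])   # inspect wrapped command
            args = [a for a in rest if not a.startswith("-")]
            return bool(args) and "%s" in args[0]
    return False

def audit(text):
    """Return the handlers that turn 'open' into 'exec'."""
    return [(t, c) for t, c in parse_mailcap(text) if executes_attachment(c)]

# Constructed sample, not taken from any real system.
SAMPLE = """\
image/*; display %s
text/plain; less %s; needsterminal
application/x-sh; /bin/bash %s
application/x-shellscript; gedit %s
application/*; %s
text/x-log; sh -c 'less %s'
"""
```

Calling `audit(SAMPLE)` reports the `/bin/bash %s` and bare `%s` handlers; the editor and pager entries open the same kinds of file without running them.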

