[plug] More news?
Craig Ringer
craig at postnewspapers.com.au
Fri Aug 29 11:21:22 WST 2003
> Windows XP has so many holes in its security that any reasonable user will
> conclude it was designed by the same German officer who created the prison
> compound in "Hogan's Heroes."
>
> I know Linux and the Mac OS attract their share of maladjusted jerks just like Windows does; surely
> my other machines would have been infected with something by now if these operating systems
> weren't fundamentally secure.

Sorry, but this "fundamentally secure" thing really gets me. Try putting
a linux box out on the 'net unprotected __AND_UNPATCHED__ , and see how
long it lasts. Depends on the distro and version, but the answer is
often "not long at all". This is what most Windows users do, after all :-(
However, more people patch linux boxes more reliably, and the newer
distros include firewalls that help prevent easy exploits.

I think Windows really is the security doghouse, yes, but Linux just
isn't as far ahead as many would like to think. I get near-daily
security alerts from the RH and debian security lists, LWN is full of
them, etc. Of course, half of those can be written off as silly - "I'm
sorry, a /train simulator game/ has a security alert?!?!" - but there
are a lot of important ones. Try installing RH8 and then downloading the
updates - there are many hundreds of megabytes of them. Of course,
that's because there's STILL no non-crap patching method for packages
under any distro I'm aware of, you have to download entire packages just
to replace one file. *sigh*.

With any OS, real security comes with proper configuration and system
management, including regular patches and updates.

What really kills it for Windows, though, is the IE/LookOut! integration
into the OS. Thanks to that, their InsecureExplorer(TM) browser allows
malicious exploits of all sorts of programs and tools that embed IE or
use its functions, including many mail clients, the windows file
manager, etc. You can easily perform a JavaScript attack on a windows
box by dropping an HTML file on a network "drive" - if the user clicks
on it (say, to delete it) the code will be "previewed" and fizz-pop
there goes the machine. That IE crash exploit, if put in an HTML file
and clicked on, would happily crash windows explorer. That's where
they've really stuffed it, IMHO. That, and making their RPC and SMB
services available unprotected over the 'net by default - BAD PLAN. I
seem to remember that newer XP releases will ship with smb firewalled
off by default.

Please also note that the #1 security issue on the MS platforms is
mass-mailing trojans. Not worms, though some of those do attempt to
exploit LookOut to function as a worm as well, and may virally infect
files on the system. They rely on _user_ _stupidity_ to spread. "Anna
Kournikova" anybody? Now, the design of mail clients under windows makes
it much too easy to be fooled by a message (".jpg.vbs") and too easy to
execute it (executables determined by file ext, rarely any safety checks).

You could still do a linux mass-mailing worm - pretty easy, actually.
It'd be /much/ less successful, since you'd have to persuade the user to
save your '.sh' file and open it with the image viewer "bash" (example)
but trust me, it'd happen quite enough. It'd be harder to get root on
machines due to the fact that at least Linux doesn't run users as root
by default (ever tried using a windows desktop day-to-day as "restricted
user"? It's a nightmare.), but you'd still get a mail flood, a
malicious program able to open a backdoor, exploit a local security hole
to gain root, delete user files, etc.

What I'm trying to say here is that if folks go around talking about how
wonderfully innately secure linux is,
(a) people won't put in the effort to secure it properly
(b) You'll lose credibility whenever a major worm comes out.
(c) WHEN (not if) the linux viruses start hitting, you'll look like an
idiot.
(d) you're encouraging app authors etc to be slack and trust the
'innate security' and not do safety checks and user stupidity checks (are
you /sure/ you want to open that email attachment?).

Linux is in a much better position than windows, but still suffers from
regularly discovered exploitable security holes, including remotely
exploitable holes in commonly used daemons, and far from perfect default
configurations on most distros. If people focused on that, not the
existing security difference, it could go from vaguely OK to good security.

Craig Ringer
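
Added example, not part of the original message: a mail-filter check for the ".jpg.vbs" trick described above, where the last extension decides what runs and an earlier one makes the file look harmless. The extension lists, the function names and the sample message are assumptions made up for this illustration.

```python
from email import message_from_string

# Assumed policy lists for this example; a real filter would use site policy.
RUNNABLE = {".vbs", ".vbe", ".js", ".wsf", ".bat", ".cmd", ".com", ".exe",
            ".pif", ".scr", ".sh"}
DECOY = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}

def classify(filename):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop trailing dots/spaces and padding such as "a.jpg      .vbs".
    base = base.strip().rstrip(". ").lower()
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2 or "." + parts[-1] not in RUNNABLE:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2] in DECOY:
        return "double-extension"
    return "executable"

def scan_message(raw):
    """List (filename, verdict) for every risky attachment in a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()  # Content-Disposition, else Content-Type name
        if name and classify(name) != "ok":
            findings.append((name, classify(name)))
    return findings

# Constructed sample message (not from the original post).
SAMPLE = """\
From: sender@example.org
Subject: picture for you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="photo.jpg.vbs"

constructed placeholder body
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="holiday.jpg"

constructed placeholder body
--b1--
"""

print(scan_message(SAMPLE))
```
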