Domain: cvedetails.com
Stories and comments across the archive that link to cvedetails.com.
Comments · 233
-
Re:So... a Windows Phone?
Better than Linux on the desktop. But hey, Linux is number one when it comes to vulnerabilities.
https://www.cvedetails.com/top...
Go Open Sores Team!
-
Re:Perception of lack of security updates
Security and minor feature updates are available in the repo every few days.
I guess that explains the hundreds of Linux security bugs that never get reported on..
-
Re:Perception of lack of security updates
Another difference is that Linux updates break shit so very often. Not to mention the countless security vulnerabilities that Slashdot never reports on..
-
Re:This is nonsense
Do you? Is that why the top 6 products with the most vulnerabilities in 2018 were all Linux products? Is that why the Linux kernel had the second highest number of vulnerabilities in 2017?
You're conflating two different concepts. We have no way of knowing what piece of code has the highest number of vulnerabilities. To find that out, we would have to freeze all development and then scour all existing code using some standardized methodology.
What you're talking about here is that the Linux kernel had the second highest number of vulnerabilities that were discovered. BIG difference.
The Linux kernel is open source and is by far the most widely used operating system in the world. Vulnerabilities in Linux are golden tickets, so people are looking for them all the time. Having a simple aggregate list like that is also of limited value because it doesn't tell you the nature of the exploit.
https://www.csoonline.com/arti...
Why, looky there. Ask yourself a question: How bad is this?
See, before Cisco fessed up, few people knew about this. It wouldn't have shown up on your list there. But something like this almost certainly trumps 20 regular vulnerabilities. It's nearly impossible to put something like this into open source software.
-
Re:This is nonsense
If you use established Linux kernel core coders, you get completely different numbers compared to using newbie kernel driver coders.
Do you? Is that why the top 6 products with the most vulnerabilities in 2018 were all Linux products? Is that why the Linux kernel had the second highest number of vulnerabilities in 2017?
C coders don't seem to be that great at security.
-
Re:Make a Linux version also!
-
Re:Is anybody surprised?
Meanwhile, Linux is racing ahead on vulnerabilities..
https://www.cvedetails.com/top...
Many eyes.. lols.
-
Holy mother of god
-
Re:Just because you can doesn't mean you should.
-
Re:Doesn't help if you remember
MS should really be abandoning Windows and trying to figure out how to either use Linux
Seems like a bad idea. In 2018 the top 6 products with the most security flaws were all Linux products. How do you account for that?
-
Re:this piece of FUD brought to you......
-
Re:Pure Poettering inspired incompetence
Um, Linux has consistently had more bugs than Windows.. unless you live in an alternate reality.
https://www.cvedetails.com/top...
lols..
-
I bet it ran on Windows
Oh wait.. lols..
Countless Linux boxes continue to get rooted daily. Yawn!
-
Re:Many businesses have no choice
There is nothing worse than a developer who is so incompetent that they have to constantly push out updates to fix their broken garbage
Looks like open source software is garbage then. Constant updates
..Also,..
https://www.cvedetails.com/top...
lols
-
Re:USB scoffs at your airgap
Firstly, that's not going to help when your "mission critical" system is running Windows. Sooner or later the outside world is going to be reachable and if you're stupid enough to be running Windows then your system is going to be hosed.
https://www.cvedetails.com/top...
Oops.. lols
-
Re:#doNotWant
What is this mound of security bugs you refer to?
Probably this one..
https://www.cvedetails.com/vul...
Modern Firefox and Chrome are both incredibly secure
You got the "Incredible" part right.
We have had this panic several times before. Remember the Web USB API?
That was going to be a security nightmare,
Um no Firefox does NOT support Web USB... Chrome is alone in this madness.
It very much has been a security nightmare.
https://pwnaccelerator.github....
massively abused and used to take over every poor sap's PC the moment it was deployed. Yet here we are, it's been around for years now, and somehow, presumably by blind luck rather than skill, they managed to make it secure.
What does Web USB have to do with granting web sites write access to local filesystem? I fail to see the linkage. They are two separate features with separate security properties. Each must be evaluated on the merits not by some ridiculous unfalsifiable false equivalence.
-
Re:#doNotWant
What is this mound of security bugs you refer to?
Just look here.
The main thing I would be looking to see here is if they can find a way to stop XSS exploits, because this API is going to have similar attack vectors.
-
Re: It's not the language, you stupid jackwagons..
If you can't keep track of your memory, how are you going to write secure code?
If you don't eat your meat, how can you have any pudding?
Security? Invalid memory accesses are too hard to exploit these days with things like ASLR and other kernel protections. They can still be exploited but it's not nearly as easy as it used to be.
You just contradicted yourself.
If you want to use C and still be safe, you can create an API for dealing with memory chunks.
Or you can spare yourself a lot of pain and just move to a language where that happens by default.
The most common types of vulnerabilities these days are things like SQL (or noSQL) injection, and XSS. Invalid memory access doesn't even make the top 10, but of course you already know that.
Oh, really? Invalid memory issues still make up around 20%, and it's the single-highest category of security vulnerability, even more than XSS, and more than double SQL injection.
-
Re:It's not a deadline problem (mostly)
These problems have been known about for decades and yet they still occur even with projects where there are no time deadlines like many open source projects.
There are a few points this article ignores.
1) The attack surface of C/C++ applications is huge, because pretty much every OS and major application is written in these languages. These are High Value Targets, so of course more vulnerabilities will be discovered in these pieces of software. Blaming C/C++ for that is like blaming water for drowning, and saying we'd be safer if we replaced all water with Gatorade, since nobody's ever drowned in Gatorade.
2) Java vulnerabilities are a dime a dozen, and some of the most popular Java frameworks (like Spring) have had major issues as well.
3) All languages suffer from inherent vulnerabilities, especially input validation issues, including deserializing untrusted data directly to objects. It doesn't matter if it's C, Java, Python, or Brainfuck.
Additionally, the article seems to suffer from selection bias. The author writes: "From my own security research into the widely used open source image processing libraries ImageMagick and GraphicsMagick, in the last year I've found more than 400 memory unsafety vulnerabilities." That's great, and I applaud the work, but I can't help but wonder how many Python or Java libraries he examined in that time frame, or how many other types of vulnerabilities he was even looking for, or would recognize if he was looking at them.
TLDR: It's possible the article is correct, but far more evidence is required.
-
Re:News for nerds
However, I also see Apple's point. When you're trying to secure a device against hardware attack, the integrity of the components is critical, as is the ability to transmit data between them securely. Since it's all but impossible to keep the various communications busses inaccessible to attackers, you cryptographically authenticate the components to one another and encrypt the traffic (this also denies the data to attackers doing EM sniffing). But to do that you need the components to have a shared key, which means you need a pairing step -- and that pairing step must be something the attacker can't do. This is easy to arrange in the factory, and not too hard to arrange in authorized repair facilities, but allowing any third party to do it without also allowing attackers to do it is really hard (and, no, asymmetric cryptography doesn't fix this.
That sounds great and all, except Apple goes out of its way to limit access to components and has tight controls over all authorized repair facilities that frequently amount to little more than (1) sending the whole logic board back to Apple (and waiting many days for a replacement) or (2) telling the customer to buy a new computer. It's clear their "secure a device against hardware attack" is more about securing a device against the owner's third party hardware usage which undercuts Apple's profit margin. Yes, there are unscrupulous people who would exploit Apple's name to charge a premium, but it seems clear that Apple is most offended by this because *they* want to be the unscrupulous people who exploit Apple's name to charge a premium.
If the core point was to provide protection against hardware attack, the realistic approach would be to sub-license third party production under supervision by Apple to sell components at lower prices. All Apple's approach does is encourage third parties to find ways to disable T2 protection entirely, not work with it. Of course, people using unauthorized parts are the sort Apple would love to punish to teach them a lesson: buy from us or your device may randomly soft brick (at least for a few weeks/months, presuming there's enough outcry to disable the soft brick).
That's the premium you pay by buying Apple. Protection against actual, realistic attacks? Except for some protection by obscurity, it's certainly not the secure software that's doing it, but who cares about realistic attack vectors?
-
Re:Laughs
Goes back to working on some FreeBSD vms.
I'll just leave this here https://www.cvedetails.com/vul...
-
Re:Give up or explain...
This is the list of LibreOffice security vulnerabilities; you will notice that there are quite a few recent ones. By comparison this is the OpenOffice list. You will note that no vulnerabilities have been published since 2010. That doesn't mean they haven't been found. Whilst a few of the vulnerabilities will be in new LibreOffice code, many will be in the common code. What it means is that either nobody has tried the same vulnerabilities on OpenOffice because none of the white hats who publish exploits care or that the exploits haven't been published because although they have been reported, nobody has yet created a fix.
This probably doesn't matter if you just use OpenOffice on your own documents. This is maybe important if you send documents to other people. This is very important and a reason to give up on OpenOffice immediately if you use it to read documents that other people send to you.
-
Re:Loops, for one.
There is very little stupid assembly code out there.
There is very little assembly code out there, period. But we've seen, going one layer down, that even the experts at Intel can screw up security.
Probably the worst language I've seen in terms of security was version 4 of PHP.
Because PHP is an awful language that was heavily inspired by Perl. Gee, it turns out when you make awful design mistakes, it impacts the number of errors! Just like C.
You DO have to be careful with C - and C programmers generally know that, and are careful.
Is that why 20% of CVE bugs are for overflow and memory corruption?
I fear the language which may be even worse for security than PHP 4 may be Rust.
You've got to be shitting me. Rust will remove a vast swath of the errors that pop up in C all the time. Not only that, it's a difficult language, so by your own standards it will be geared towards more expert usage -- even more expertise than required with C!
Why? Because Rust hypes some very basic features to a ridiculous degree, pretending that avoiding oob access magically makes your code secure, and many Rust programmers actually believe that.
I'm sure many, many more aren't so stupid as to believe that all security is taken care of because some areas have been made more secure.
-
Re:Not just 5.6
Only because you don't know about them doesn't mean they do not exist. Have a look in here:
https://www.cvedetails.com/pro...
For instance these in 2017 https://www.cvedetails.com/vul...
The vast majority of these are for versions <= 5.5, for obvious reasons as they've been EOL'd for years. Unless you're running some version of Red Hat that still patches their 5.4 installations, you're likely vulnerable to many of these.
-
Real-world examples
Consider QNX and its vulnerabilities (the entire software stack) and here's what we have for the Linux kernel (again, kernel alone) whose source is ostensibly verified by millions of eyes.
And here's another almost shameful development: Linux and Open Source are all the rage amongst Open Source fans, yet for some reasons it's been hinted that Google is transitioning from the monolithic Linux kernel (lacking internal stable API/ABI) to its own microkernel, Fuchsia (with stable API/ABI).
-
Re:Microsoft will use this
The security risks of using Windows 7 outweigh the time wasted de-bloating Windows 10.
What about the privacy risk of Windows 10, and the fact that it is still riddled with vulnerabilities? Just stop abusing yourself and install Linux. If you absolutely must run Windows then run it under KVM. I hear tell that Windows on KVM is actually more efficient than Windows running on the metal, perhaps because of more efficient file system and block device handling.
-
Re:It's politics
Any complex OS written by a small team will potentially have as many if not more security issues as Linux.
A microkernel OS written by a multi-billion company will potentially have more security issues as monolithic and bloated Linux, considering that Linux kernel (except for Google and Red) has no QA and regression testing?
Advantages of the Linux kernel are a lot of eyeballs, mature codebase, reasonably good architectures, very wide hardware support, and known to scale up to very large systems.
Yeah, top 50 products with security vulnerabilities Linux kernel alone having the most bugs.
-
Re:Depends
Top 50 products with security vulnerabilities and Linux kernel alone has the most *discovered* bugs.
Exactly. Undiscovered bugs do not count on CVEDetails (nor in any other legal vuln list).
-
Re:Depends
Top 50 products with security vulnerabilities and Linux kernel alone has the most bugs.
-
Sorry, Linux on track for buggiest OS
https://www.cvedetails.com/top...
open-sores? lols!
-
Re:But I still use Eudora
Really?
Maybe you can use the source to patch it for the seemingly unresolved vulnerabilities...
-
Re:I was told Windows works with everything!
Um, Microsoft didn't write those drivers. It's a hard concept to grasp, but device manufacturers are best suited to write drivers for products they create. Also, fun fact, Microsoft QA doesn't own every single device made in existence. It's best to shut up about the woeful quality of Linux these days. Go visit some Linux forums. Or do you want me to post some embarrassing facts? You have to be on a constant patch treadmill to avoid being one of those millions of rooted LAMP servers. Dare to put an unpatched Linux box on the internet?
https://www.cvedetails.com/top...
Lols..
-
Re:Holy shit!
No, it isn't magic. It's the same junk as closed source. But you guys pretended it was magical pixie dust. "many eyes" is slowly but surely turning out to be a giant lie that us non-cheerleaders knew it was...
https://www.cvedetails.com/top...
Oh look, #1 is a closed source evil proprietary system... oh wait.. no, it's the open source darling that everybody swears is the best..
I guess it's number 1 in something..
-
Re:You work for me now
It's more interesting to look at the chart comparing vulnerabilities by year. Both have had some major spikes over the years.
https://www.cvedetails.com/pro...
https://www.cvedetails.com/pro...
The difference is, Drupal is guilty of being insecure over generations. The vulnerabilities being reported go back to d5, and the original commits are by people who are no longer in the community.
Anyone running anything below d7 probably does not put much work into maintaining their website, creating this huge garden for bad elements to play in. One of the other things is the update module - which is shipped starting with Drupal 6 - is likely turned off if you don't care about maintaining your website. Which means the Drupal team doesn't know how big a problem they have created.
Drupal 8's architecture is integrated with Symfony, which has its own set of issues.
https://www.cvedetails.com/pro...
While the number of issues may seem low by comparison, they are mostly code execution vulnerabilities.
So, there's a team of CMS developers, who have been building insecure systems for years and now have a huge set of malware sites built on their platform that no one can do much about. Despite that track record, their Core development team is being trusted with integrating a complex PHP framework known for code execution vulnerabilities.
What's not to love about this situation?
-
Re:You work for me now
-
Re:Nice...
The answer to "When should we install security updates on your machine"
is
(a) Never
(b) Read my mind
(c) Let me tell you when I'm not busy.
(d) As soon as you can
Windows believes in rebooting all your apps so you get the new fixes in memory. Linux ppl believe in letting people continue to run vulnerable software from the previous load, and just replacing the file on disk. The lax attitude makes sense given the massive number of security bugs in Linux. Of course, you won't get to hear that on this website, which is primarily focused on cheerleading. In the real world everything runs on Windows. All medical equipment, all ATMs, every single factory automation system, every single biomedical device interfaces with Windows. The computer you're typing on was made because of Windows. This site was financed by Microsoft ads. Linux was a failure when neckbeards were still creating their Toy OS in their basements. IBM Intel and others poured a few cool Billions and started paying people, which is why Linux is where it is right now. And it's a decent OS, or perhaps even a great OS. But Linux only works in places where you can hide it from the users (servers, smartphones). It's a huge fail when people actually get to use it. BTW, what is the latest excuse for the failure on the desktop? Still blaming MS for the past 15 years? lol..
-
Re:The betting pool is opened, ladies and gentleme
Lack of security in the Linux kernel is kind of an issue.
-
Re:Linux.
Top 50 Products By Total Number Of "Distinct" Vulnerabilities in 2017
https://www.cvedetails.com/top-50-products.php?year=2017
Bottom line: Linux ain't as 'secure' as some people think.
-
Obligatory: Intel CPU Backdoor Report (Jan 1 2018)
Change log:
2018/01/01 - Added 14 Useful Links. Disable Intel ME 11 via undocumented NSA "High Assurance Platform" mode with me_cleaner, Blackhat Dec 2017 Intel ME presentation, Intel ME CVEs (CVSS Scored 7.2-10.0)
Intel CPU Backdoor Report
The goal of this report is to make the existence of Intel CPU backdoors a common knowledge and provide information on backdoor removal.
What we know about Intel CPU backdoors so far:
TL;DR version
Your Intel CPU and Chipset is running a backdoor as we speak.
The backdoor hardware is inside the CPU/Bridge and the backdoor firmware (Intel Management Engine) is in the chipset flash memory.
30C3 Intel ME live hack:
[Video] 30C3: Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware
@21:43, keystrokes leaked from Intel ME above the OS, wireshark failed to detect packets.
[Quotes] Vortrag:
"the ME provides a perfect environment for undetectable sensitive data leakage on behalf of the attacker".
"We can permanently monitor the keyboard buffer on both operating system targets."
Decoding Intel backdoors:
The situation is out of control and the Libreboot/Coreboot community is looking for BIOS/Firmware experts to help with the Intel ME decoding effort.
If you are skilled in these areas, download Intel ME firmwares from this collection and have a go at them, beware Intel is using a lot of counter measures to prevent their backdoors from being decoded (explained below).
Backdoor removal:
The backdoor firmware can be removed by following this guide using the me_cleaner script.
Removal requires a Raspberry Pi (with GPIO pins) and a SOIC clip.
2017 Dec Update:
Intel ME on recent CPUs may be disabled by enabling the undocumented NSA HAP mode, use me_cleaner with -S option to set the HAP bit, see me_cleaner: HAP AltMeDisable bit.
Useful links (Added 2018 Jan 1):
Disabling Intel ME 11 via undocumented HAP mode (NSA High Assurance Platform mode)
me_cleaner: Set HAP AltMeDisable bit with -S option
Blackhat 2017: How To Hack A Turned Off Computer Or Running Unsigned Code In Intel Management Engine
EFF: Intel's Management Engine is a security hazard, and users need a way to disable it
Sakaki's EFI Install Guide/Disabling the Intel Management Engine
Intel ME bug storm: Hardware vendors race to identify and provide updates for dangerous Intel flaws.
CVE-2017-5689: An unprivileged network attacker could ga
-
Re:Essentially
macOS has more CVE findings released than Windows 10. Why would using macOS as a base be more secure?
-
Re:You're an idiot
If you add up all the shit that distros ship, you're looking at 50 times the number of bugs as windows. If you ship it, you take responsibility for it..
https://www.cvedetails.com/top...
Linux is # 1 But please feel free to laugh at Microsoft. lols
hahaha
-
Re:You're an idiot
Heck, 2017 was a great year for Linux, only 400 security bugs.. lol
You do know that if you are basing security on the number of bugs in CVE: Windows 8.1 and Windows 10 combined to have more than 400 bugs combined in 2017. That doesn't include all other versions of Windows like Server 2012 (235), Server 2016 (252), Win 7 (229), etc. But please feel free to laugh at Microsoft.