Slashdot Mirror

It is my understanding that the "obsolete" version of Linux are still working very, very well, with few vulnerabilities

You are suffering from confirmation bias. This is just not true.

http://www.cvedetails.com/vuln...
There are pages of medium and high priority vulnerabilties on that page. If you lump in the browser-- which would have to be a really ancient version of firefox or konqueror-- that number would skyrocket. You would have to be out of your mind to place a 2.4 server on the web or even to use it as a desktop web-browsing box.

Microsoft security, the gift that just keeps on giving. Note the elapsed times between vulnerability publication and update.

How's that? The MS servers are already better in that they've never been wide-open with Heartbleed like Linux servers are.

This one is ten times worse than Heartbleed

It's not entirely clear what you mean when you say "root exploit" but one interpretation is an exploit that when run as a regular user gives you administrator/root permissions. There have definitely been recent XP privilege escalations exploits for XP recently (e.g. CVE-2013-5065 leverages a bug in NDProxy).

Perhaps you meant "remote exploit" but also last year there was CVE-2013-3175 malformed asynchronous RPC request so another machine can attack your XP machine over the network with no user intervention. See this table of 2013 Windows XP CVE entries for a list of what MS have been patching...

If you are no longer able to keep your OS regularly patched it's no longer safe and you are better off using something else for online activities. Save XP for those appliances that have to use it and can be stringently firewalled/quarantined.

I knew there were people to come to complain that Linux/Android was insecure

It is insecure and there is a huge list of vulnerabilities.
Drive-by malware
EZ2Use exploit of another drive-by vulnerability
Here is a list of 30 other serious vulnerabilities many of which do not require authentication and provide remote access.

And that is before you even take a look at all the trojan malware out there that breaks from the application sandbox to take control of the system.

So instead of just pretending it is secure and sticking your head ignorantly in the sand why don't you wake up and actually take notice. Stop being a denier just because you love the platform, it's just a computing platform you don't have to defend it like it's a person.

you should look at the history of vulnerabilities on it and Chrome's viewer. You'll see reason.

Wow.. that is such a dishonest comparison. Chromes viewer doesn't do all the stuff that Adobes viewer does. Anyone can write a 'hello world' program and claim its secure.

In general, seeing as how Google has to *constantly* patch chrome, they are not any better than Adobe at writing secure software.

http://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224

> I don't get it why people hate Java applets so much they want them to go altogether.

Because Java applets are a honking big security hole, and currently the most-often-used attack-vector to take over unsuspecting users' machines. See http://www.cvedetails.com/vulnerability-list.php?vendor_id=5&product_id=1526&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=6.99&year=0&month=0&cweid=0&order=1&trc=35&sha=d158a5520a2bc52f7443268daaab5851ced00564 for a list of recent problems.

wouldn't Java be a example of the contrary to this?

Yes, but not the best one. The best would be Oracle's database. Despite the fact that Oracle Database Server is not the result of a 'community-based development model,' the product has a long, ugly history of vulnerabilities. For some reason it fails to be composed of 'low-defect code,' despite apparently having all the best financial incentives. The list of vulnerabilities is long and grows regularly.

The only reason Oracle Database Server has never been the victim of a SQL Slammer type exploit is that it is so expensive that most instances exist only well behind corporate and government firewalls that, if not well maintained, at least exist. Many SQL Server admins apparently don't believe in firewalls.

However, [Solaris] is more of Sun's creation than Oracle's.

Likewise with Java.

How about this one from a month ago?

You can also compare Apple's 2095 vulnerabilities for 97 products to D-Link's 43 vulnerabilities for 40 products.

How about this one from a month ago?

You can also compare Apple's 2095 vulnerabilities for 97 products to D-Link's 43 vulnerabilities for 40 products.

How about this one from a month ago?

You can also compare Apple's 2095 vulnerabilities for 97 products to D-Link's 43 vulnerabilities for 40 products.

That won't help if tomorrow someone finds a vulnerability in the openssh server that enables to bypass that (maybe something like this one from 2011). And that someone instead of announcing it worldwide (i.e. the NSA) start to use it to deploy their own backdoors in your server. Not having access to the service in the first place will avoid potential future exploits on it. Of course, could be exploits for the portknocker daemon, but as is simpler than the sshd (or any other service you have published that is not meant for the world) should be easier to check/audit it (only 2 vulnerabilities were found so far that im aware of, and implies or already being logged in the system, or being successfully authenticated.)

And, btw, the Single Packet Authentication uses a certificate too to open the port for your IP. And then you can use your own ssh certificate or password to login.

http://www.cvedetails.com/vulnerability-list/vendor_id-802/product_id-2219/Argosoft-Argosoft-Mail-Server.html

http://www.cvedetails.com/vulnerability-list/vendor_id-31/Sendmail.html

http://www.cvedetails.com/vulnerability-list/vendor_id-86/product_id-143/Dan-Bernstein-Qmail.html

http://www.cvedetails.com/vulnerability-list/vendor_id-1565/Mailenable.html

That's not including the anti-virus that commonly scans the email transversing the system.

http://www.cvedetails.com/vulnerability-list/vendor_id-802/product_id-2219/Argosoft-Argosoft-Mail-Server.html

http://www.cvedetails.com/vulnerability-list/vendor_id-31/Sendmail.html

http://www.cvedetails.com/vulnerability-list/vendor_id-86/product_id-143/Dan-Bernstein-Qmail.html

http://www.cvedetails.com/vulnerability-list/vendor_id-1565/Mailenable.html

That's not including the anti-virus that commonly scans the email transversing the system.

http://www.cvedetails.com/vulnerability-list/vendor_id-802/product_id-2219/Argosoft-Argosoft-Mail-Server.html

http://www.cvedetails.com/vulnerability-list/vendor_id-31/Sendmail.html

http://www.cvedetails.com/vulnerability-list/vendor_id-86/product_id-143/Dan-Bernstein-Qmail.html

http://www.cvedetails.com/vulnerability-list/vendor_id-1565/Mailenable.html

That's not including the anti-virus that commonly scans the email transversing the system.

http://www.cvedetails.com/vulnerability-list/vendor_id-802/product_id-2219/Argosoft-Argosoft-Mail-Server.html

http://www.cvedetails.com/vulnerability-list/vendor_id-31/Sendmail.html

http://www.cvedetails.com/vulnerability-list/vendor_id-86/product_id-143/Dan-Bernstein-Qmail.html

http://www.cvedetails.com/vulnerability-list/vendor_id-1565/Mailenable.html

That's not including the anti-virus that commonly scans the email transversing the system.

There are many people that work on the kernel, and even more students that study it. The kernel is of little concern. What is a concern is the thousands and thousands of little executables that are in so many distros. Worse still, how many people look through all the code from an average everyday apt-get?

Doesn't really matter in the end as there is always the Underhanded C Contest to think about.

So please explain the number of kernel exploits over the past year.
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/cvssscoremin-7/cvssscoremax-7.99/Linux-Linux-Kernel.html
http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/

Linux had 14 kernel vulnerabilities this year versus 7 Windows kernel-mode vulnerabilities this year. (Just going by MS announcements for Windows 7, there may have been more unannounced issues)

*facepalm* with that logic you should stop using Chrome, guess what, Google knows every place you go on the web even things you type in text boxes ("for spell check reasons" only ;) Stop using Reddit too since they track the links you click on....

Google Chrome, putting the fear into their user base every chance while providing a false sense of security by having the most vulnerabilities the past 3 years than any other browser. Source: http://www.cvedetails.com/top-50-products.php?year=2012 http://www.cvedetails.com/top-50-products.php?year=2013 http://www.cvedetails.com/top-50-products.php?year=2011

*facepalm* with that logic you should stop using Chrome, guess what, Google knows every place you go on the web even things you type in text boxes ("for spell check reasons" only ;) Stop using Reddit too since they track the links you click on....

Google Chrome, putting the fear into their user base every chance while providing a false sense of security by having the most vulnerabilities the past 3 years than any other browser. Source: http://www.cvedetails.com/top-50-products.php?year=2012 http://www.cvedetails.com/top-50-products.php?year=2013 http://www.cvedetails.com/top-50-products.php?year=2011

*facepalm* with that logic you should stop using Chrome, guess what, Google knows every place you go on the web even things you type in text boxes ("for spell check reasons" only ;) Stop using Reddit too since they track the links you click on....

Google Chrome, putting the fear into their user base every chance while providing a false sense of security by having the most vulnerabilities the past 3 years than any other browser. Source: http://www.cvedetails.com/top-50-products.php?year=2012 http://www.cvedetails.com/top-50-products.php?year=2013 http://www.cvedetails.com/top-50-products.php?year=2011

Fedora has SELinux, and everyone complains about and disables it

. . . Wut? Dude, SELinux was merged into the Linux kernel. A decade ago. Development continues. merges continue. And as a "security researcher" like yourself you should know that Linux has a lot of MAC implementations: TOMOYO, SELinux, AppArmor and SMACK.

AppArmor is an extremly lightweight form of MAC, and only Ubuntu implements it correctly.

As apposed to Window's "rudimentary MAC implementation"? And I don't know what's wrong with SUSE's AppArmor, but Ubuntu is the most common Linux distribution. And as for "lightweight".

[AppArmor] also only applies to applications that ship with the distro.

Uh...... bullshit? Cite that. Seriously. Because it's not really an optional thing. That's the "M" in MAC. "Mandatory". Anything you get from the solution center, apt-get, or download and compile are going to be running with the mother-may-I from AppArmor. Were you getting ahead of yourself and thinking about ASLR?

Most distributions don't include applications compiled with support for DEP and ASLR, despite the support being in the kernel.

AH! Now you say DEP and ASLR aren't common. Just like MAC isn't common in Linux. Because Ubuntu just isn't common enough for you (until later in your post). And hey, you're probably right about the uptake of DEP and ASLR by Linux applications. But Windows applications fail just as hard. Also, wow that was a way's back there, but the discussion originally focused on security. You know, people using TOR? So, for this aspect, it doesn't matter so much how common a feature is, as long as it's available to the people who want security. So, you know, stop making arguments that don't make sense. Like suggesting a child instal Win7 on a 486. I'm not going to let you forget that fuckup.

[number of] Vulnerabilities are a pretty poor measure of security,

Yeah, I'd agree, but you're the one quoted the marketing fluff: "Windows is more secure than most Linux distributions. Due to the mitigating technologies done right and increased focus on security resulting in few vulnerabilities." So I figured I'd throw some statistics at you.

Also a fun statistic, from your very source
Linux: Unpatched 0% (0 of 259 Secunia advisories)
Windows 7: Unpatched 4% (6 of 148 Secunia advisories)

But yeah, on this point you're right. Linux has had more vulnerabilities. Generally less severe then what's been seen in Win7 though.

Nothing "Happened". *No* operating system is 100% secure, especially when humans are involved. At the place where I work, people send around user names and passwords in e-mail. Twice I've sent out notes to the entire company admonishing them to not do that and why, but the practice continues.

Beyond simply the operating system, you've got vulnerabilities in things like .net and java.

http://technet.microsoft.com/en-us/security/bulletin/ms13-040
http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3091/Microsoft-Asp.net.html
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

If you really believe that Windows is just as secure as Linux, then go ahead believing that. You're going to anyway.

That is hilarious. So you're saying that this bug can't be from this code:

5-Dec-1990 -by- Paul Butzi [paulb]

/
* EPATHOBJ::pprFlattenRec(ppr)
*
* Cruise over a path, translating all of the beziers into sequences of lines.
*
* History:
* 5-Dec-1990 -by- Paul Butzi [paulb]
* Wrote it.
/
PPATHREC EPATHOBJ::pprFlattenRec(PATHRECORD *ppr)
{ // Create a new record

        PATHRECORD *pprNew;
        COUNT maxadd;

        if ( newpathrec(&pprNew,&maxadd,MAXLONG) != TRUE )
                return (PPATHREC) NULL; // Take record of Beziers out of path list, and put a new record // in its place. Update 'pprNew->pprnext' when we exit.

        pprNew->pprprev = ppr->pprprev;
        pprNew->count = 0;

Not only that, but it lacks the features to exploit. Which is actually an important point in security, to only have the features you need and nothing else. Less surface area to attack.

http://www.cvedetails.com/vendor/5836/Lynx.html
Pretty much any software that is sufficiently complicated will have security bugs.

Are they still finding vulnerabilities in Linux 2.4 after all these years?
http://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/version_id-19616/Linux-Linux-Kernel-2.4.31.html

Oh look at that, they are.

Use Google. Seriously. It's not hard.

http://www.cvedetails.com/

Actually, I just included the kernel: http://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33

Just for your education. This is the last Safari release known vulnerabilities list:

http://www.cvedetails.com/version/130707/Apple-Safari-5.1.7.html

Must be pretty big hands to count that high. 26 earned CVE designations since 2006, and those are just the ones that made it into the public light.
http://www.cvedetails.com/vulnerability-list/vendor_id-5/product_id-1526/cvssscoremin-6/cvssscoremax-6.99/SUN-JRE.html

Care to cite some in OpenBSD?

• IPv6.
• IPSEC

Care to cite some in OpenBSD?

• IPv6.
• IPSEC

Um, Secunia lumps all versions of Mac OS X as one thing: from its release in 2001 to the present. An unpatched vulnerability in OS X is not an unpatched vulnerability in the current version.

Another interesting thing about Secunia: for Apple, they report any vulnerabilities they can find. For Microsoft, they only report Microsoft-acknowledged vulnerabilities. If Microsoft doesn't admit to a vulnerability, then it doesn't exist, right?

Let's see what people outside of Redmond have to say recently about Windows 7, shall we?
Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities
RSAC 2011: Windows 7 vulnerabilities show need for kernel control
Patch Tuesday: Gaping security hole in Windows Media Player
Windows security hole gives anyone access to computer without logging into User Account
Windows still unpatched security hole
partial list of current exploits for Windows 7

Number of security vulnerabilities related to Adobe products by years:
2006: 31, 2007: 35, 2008: 64, 2009: 95, 2010: 175
152 of 175 vulnerabilities published in 2010 have CVSS scores higher than 9.
See http://www.cvedetails.com/vendor/53/Adobe.html for more details