Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:I agree!
Gentoo has significantly more vulnerabilities than Fedora, even if you add up all the vulnerabilities for all 4 cores (not that those raw numbers really matter in the end as long as they all get patched)
Well, first I'd like to reiterate what you already pointed out, that neither has unpatched vulnerabilities.
Second, you're comparing EVERY release of Gentoo ever to Fedora Core 4.0. Notice how Fedora Core 4.0 doesn't have any vulnerabilities before Feb 2005? That's because it didn't exist much before then.
You forgot the 186 patched vulnerabilities in FC 3, the 132 patched vulnerabilities in FC 2, and the 74 patched vulnerabilities in FC 1.
No, that 448 patched vulnerabilities is much less than the 746 vulnerabilities for Gentoo, but that's a stupid rubric anyway. 746 vulnerabilities covers the entire portage tree, whereas 448 vulnerabilities only covers those packages distributed on the RedHat installation media.
Keep your meta distribution, it's no skin off my nose. But at least attempt to make like comparisons in your arguments. -
Re:I've been running this for days...
Something's happening - I'm fairly certain that Opera stories are being rejected out-of-hand, while anything with a link to Firefox gets passed on immediately.
Thank you for passing this information along to the community.
For what it is worth, the Macromedia Flash Player has a security hole that has been fixed in version 8. This is mislisted by Secunia as a hole in Opera?! (But not Firefox. If my tin foil hat still worked, I'd be using it 24x7.)
-
Re:I agree!
Security should be easy. Fedora comes with it preconfigured and has an excellent default policy that you can modify at your desire. The more obstructions in the way, the less likely the security features are to be used, Fedora literally removes all obstructions. Gentoo has significantly more vulnerabilities than Fedora, even if you add up all the vulnerabilities for all 4 cores (not that those raw numbers really matter in the end as long as they all get patched). The difference is that most of the vulnerabilities announced in Fedora can't actually be used against the system for a couple of reasons including SELinux, exec-shield, randomized memory mappings and compiling with fortify source for all major public facing services. All of this is done and implemented without the user having to do anything, that is the way to implement security (if you want it to be used). Keep it simple, and keep it out of the way. In addition to this, Fedora/RHEL have the fastest rate of getting patches out, followed by Novell which is sometimes 2 or 3 days later, and then followed by others (It's been a few months since I've read the report, but it was on /.)
I'm not knocking Gentoo, it has its place, but it isn't really made for the desktop or the server, it is a really good learning tool that some people use as their main OS (of course it also has other purposes). I've run Gentoo before, and learned a lot about my system, but as far as speed goes I noticed nothing above Fedora (which has all optimized packages). In fact the only distro that I've ever used where there was a huge noticeable speed difference over the others was Yoper, unfortunately its development seems stagnant.
Regards,
Steve -
Re:Why does Windows need a defender?
-
The good ole days never ended. Unpatched old holes
Yipee, the good ole days never ended...
http://secunia.com/product/22/
http://secunia.com/product/11/
It seems "hot fixes" are just for some of the old (and mildly warm) vulnerabilities. -
sysadmins: known holes will be the next worms!
What every sysadmin should know is that the unpatched known holes of today are not only open doors for crackers, they are the open doors for the next worms.
Every sysadmin should check security sites like Secunia, with a list of unpatched known holes for each software they use:
http://secunia.com/ -
Re:CONTINUE:
Well, would you blame Microsoft for the vulnerabilities in aspWebCalendar 4.x or ASP Nuke? Or perhaps it's Microsoft's fault that there is an exploitable flaw in Macromedia Flash Player (it's an option during the IE6 install)? If you want to complain about double standards, how about we start with that one?
-
Re:So let me get this straight
All signs point to linux having anywhere from the same market share as macs up to 3 times the market share of macs, particularly if you take into account webservers which would not show up in places like traditional webstats because web servers don't browse web sites, same thing for HPCs. Also, most linux machines are converted wintel boxes, meaning that as far as sales stats go, Windows makes out really well. Take into account that a lot of linux boxes are old as well as new, meaning that a lot of people who run linux often run more than one linux box, some of which may be a decade or so old (or much older in some cases). The average wintel box is replaced every 2~3 years. That means, for the sake of argument, if I set up a linux box today and a windows box, in 6 years after the first wintel box is replaced, Microsoft will have 2 "points" and linux will have 1 even though there is still 1 linux box and 1 wintel box running. Now if that linux box originally was a windows box, as it is in most cases, then Microsoft would have 3 "points" and linux none.
Apple often uses sales figures to make their market share appear larger than it is, those numbers are not accurate and highly biased against linux. But as far as your little rant goes, this is an exploit in php and only php. But it is even more specific than that, you must have a very specific configuration which pretty much allows anyone to own your machine. This worm doesn't use an exploit, it uses people's stupidity that configure machines for convenience rather than security. It's akin to leaving the door to my house not only unlocked, but wide open because I didn't feel like being inconvenienced by opening it every day. I've never heard of a box being configured the way the article describes so this is indeed a rare occurrence.
But just in case you forgot, Mac OSX does have its problems, despite the limited amount of software that comes with them and the limited liability that Apple takes. Apple's track record is on par with any linux distro, for instance Debian or Fedora, but this actually means that Apple's record is worse because in a distro like Debian or Fedora, these projects take responsibility for something like 10,000 packages. If you look at Fedora's page in secunia you'll see that its advisories include updates for Mozilla, Squid, Wget, Abiword and every other package. Considering that one project has the burden of having to report and patch so many packages, you would expect the number to be much higher. Looks like linux is still kicking both Microsoft's and Apple's ass as far as security goes.
Regards,
Steve -
Recent vulnerability where NoScript didn't help
I use NoScript.
One recent exploit that worked even with NoScript enabled was the highly critical 'Firefox IDN URL Domain Name Buffer Overflow'.
http://secunia.com/advisories/16764/ -
Secunia Advisory about Sony DRM
Secunia has released a security advisory about the Sony DRM at this link: http://secunia.com/advisories/17408/
-
Secunia has listed this bug...
Sony CD First4Internet XCP DRM Software Security Issue
...with a simple solution: Use another product. -
Re:A lot like Star Trek...
Could you explain how IIS is more secure than Apache?
I could: Apache 2.0.x had 28 security advisories since release (2 still unpatched at the time of writing), while IIS 6.0 had only 2 until now, and they were both patched. -
What about voice services?
Wouldn't it be possible to send a specially crafted audio stream to VoIP programs such as Skype to explore eventual vulnerabilities on the audio codec routines?
I know it sounds far-fetched, but you know, jpegs were once safe too. Skype had its vulnerabilities (even on Linux), but were there any on the audio codec?
I hate these "must-have-a-firewall-passage" kind of programs, and I've so far managed to keep them out of my network, but now I'm trying hard to convince my boss not to install Skype on a CAD user's PC "because a customer wants to talk with him"!! CAN'T HE USE A PHONE??! -
The Microsoft Patch Legend
A huge unidentified virus is approaching the Computer. It was made in the far past by another life than the human race, and occupied and inhabited by a vicious exploit in the long period. In order to save the Computer, the strongest Windows patches go into action.
-
Re:Lack of Intellectual Honesty.
Perhaps I am getting the wrong impression, but it seems you are implying that the article lacks "Intellectual Honesty" and yet you yourself point out that it clearly states in the article that linux is "regarded as" more secure.
Your implication and the article seem to be in contradiction. Anyhow, since you brought up the issue I'd like to point out a few flaws in your argument:
Firefox was "regarded as" bullet proof until it started gaining market share, and as soon as it did, there came the holes.
I think there is some truth to the bullet proof remark as many people assumed there would be no holes in Firefox because they had not seen continual bug reports like they had seen for the Internet Explorer counterpart. However, I think there is still some justification to the perception of a more secure product from the mozilla foundation than from Microsoft. I am basing this opinion off the statistics at secunia.com:
Internet Explorer stats
http://secunia.com/product/11/
Firefox stats
http://secunia.com/product/4227/
Pay close attention to the statistics charts and you can draw the following conclusions:
1) The rate at which bugs are found in the two applications is very nearly the same. On average about 2 per month for each application.
2) Internet Explorer tends to have more bugs which are unpatched or partially fixed. Firefox is much better at patching.
3) The severity of the bugs found in Internet Explorer tends to be much higher than those of Firefox. The bugs in Internet Explorer are more than 3 times as likely to be of extreme severity when compared to Firefox.
4) And more of the bugs found in Internet Explorer tend to give system access when exploited than Firefox bugs.
So the perception that Firefox is more secure than Internet Explorer is justified. But bullet proof, far from it.
The Linux market is so incredibly tiny that no hacker looking to make money takes the time to hack Linux.
Somehow I doubt that most of the hackers out there do what they do to make money. But I'm more concerned with your "incredibly tiny" market share theory. Perhaps in desktops the linux market share is small, however, there are a significant number of linux servers out there especially in the web server space. I tried searching for data but the only thing I could find was some old 2001 data from a Netcraft survey.
http://survey.netcraft.com/index-200106.html
But based on that survey in June of 2001 there were about 8.5 million linux web servers alone. That is 29% of the market. And if the market share numbers are the same today that number is over 21 million. So I'd say there are plenty of linux boxes just waiting to be hacked.
And interestingly, when you compare the secunia reports for similar products, Windows 2003 Web Server and Red Hat Enterprise AS 3, you find similar results to the web browsers:
Windows 2003 Web Server
http://secunia.com/product/1176/
Red Hat Enterprise AS 3
http://secunia.com/product/2534/
One may look at the number of reported vulnerabilities and say ooh open source security sucks, but then when you dig a little deeper you see that on average Windows security bugs are patched slower, the severity is greater, and they are more likely to provide system access if exploited.
Others spread FUD about MS just as much as MS spreads FUD about Linux.
I'd say it's rather dishonest to put some Slashdot poster FUD on the same level as the expensive marketing campaigns used by Microsoft to spread FUD. Not quite the same thing. And besides, could you give some examples of non-blog/message board FUD spread about Mic
-
Re:Lack of Intellectual Honesty.
I would not rate a 30-40% webserver marketshare as 'incredibly tiny', and yet Red Hat, the most popular Linux distribution for servers has 0 unpatched vulnerabilities whilst Windows Server 2003 suffers from 8 unpatched vulnerabilities and Windows XP Professional suffers from a full 26 vulnerabilities one or more of which are marked as highly critical.
Just wondering... how can Red Hat have no vulnerabilities, when the 2.6 linux kernel alone has 15 unpatched vulnerabilities?
Perhaps you don't understand how to read those pages? -
Re:Lack of Intellectual Honesty.
Ya, just like Firefox is more secure than IE.
As of writing, Internet Explorer 6 has 20 unpatched vulnerabilities, one or more of which are marked as highly critical. Firefox has 3 vulnerabilities, with one or more marked as less critical. So yes, Firefox is more secure than IE.
The Linux market is so incredibly tiny that no hacker looking to make money takes the time to hack Linux.
I would not rate a 30-40% webserver marketshare as 'incredibly tiny', and yet Red Hat, the most popular Linux distribution for servers has 0 unpatched vulnerabilities whilst Windows Server 2003 suffers from 8 unpatched vulnerabilities and Windows XP Professional suffers from a full 26 vulnerabilities one or more of which are marked as highly critical.
How can you claim that Linux is less secure than Windows, when it has fewer unpatched vulnerabilities?
-
Re:Run this through the /. filter...
Okay genius, how about this one? If you're trying to insinuate that I couldn't find a DoS exploit for IE 6.x, guess again. At some point, proving a point that's obvious becomes tiresome. Next time, go look up your own damned exploits, because I was right to begin with and I'm still right.
-
Secunia says "Not Critical"
Assuming the Secunia Advisory is referring to the same vulnerability linked to in the /. article, its Critical level is the lowest, Not Critical -
Netscape security
This is really unfortunate. It is fantastic that even an 'option' is being offered, but Netscape had been installed on HP and Compaq computers in the past (Netscape 6.2.1) and nobody used it. What's going to change that now? The only option would be to make it the default -- and unfortunately, Netscape is not much more secure than Internet Explorer at the present time. They still haven't released a fix for the "critical" soft-hyphen IDN exploit, but Firefox had a new release with the fix out within a week. I can't see a whole lot of good coming out of this.
-
Re:Don't blame LINUX
Actually, I disagree. I've been running Windows networks for over a decade without a single virus or spyware infection. Interestingly, we've had a nearly identical amount of successful hacks on both our web-facing Windows and Linux machines. I would say I'm pretty much on par with the Linux admin in terms of skills and knowledge, and we are both in agreeance that no matter what you do, eventually you will get hacked. Just like you will eventually be a victim of some sort of crime in the Real World, if you spend enough time in it. With a combination of flaws and ignorance / mistakes, every OS under the sun is susceptible to penetration, regardless of how skilled the Admin is. Just ask the Linux admin at my place of work, who lost a server thanks to a vendor-coded exploit. It happens. Live, learn, patch and move on.
-
Linux flaw confirmed as fixed by Secunia
It seems that Secunia advisory has new information now, late update from Friday says that Linux issue was fixed: http://secunia.com/advisories/16901/
-
Re:ActiveX
-
Let the IE/FF comparisons begin
I'll start with the Secunia site.
Internet Explorer: Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical...Currently, 20 out of 86 Secunia advisories, is marked as "Unpatched" in the Secunia database.
FireFox: Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical...Currently, 3 out of 24 Secunia advisories, is marked as "Unpatched" in the Secunia database.
-
This new IE flaw should help
CNET reports that a new flaw in Internet Explorer could be exploited to launch spoof-based attacks, or access and change data on vulnerable PCs, security experts have warned.
The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up.
Fully-patched computers running Windows XP with Service Pack 2 and Internet Explorer 6.0 are vulnerable to this issue, security monitoring company Secunia said in an advisory.
Zonk is a Microsoft shill, I think.
-
Re:Nothing new.
Firefox was supposed to be more secure than IE. But exploits for both browsers are close in numbers
If you compare numbers, please compare them correctly. According to Secunia, IE has much more OPEN security holes than Firefox has.
http://secunia.com/product/4227/
http://secunia.com/product/11/
I also suggest you read this article about the "Fun with statistics", which is about the security holes in Firefox and IE:
http://reviews.cnet.com/4520-3513_7-6333507-1.html
-
Maybe this new IE flaw will help...
CNET reports that a new flaw in Internet Explorer could be exploited to launch spoof-based attacks, or access and change data on vulnerable PCs, security experts have warned.
The vulnerability could be exploited with specially crafted code. An attacker could spoof a legitimate Web site, access data from the Web browser's cache or stage a so-called man-in-the-middle attack, which taps into traffic between a user and another Web site, according to Klein's write-up.
Fully-patched computers running Windows XP with Service Pack 2 and Internet Explorer 6.0 are vulnerable to this issue, security monitoring company Secunia said in an advisory.
Somehow, this story never made it to the front page.
-
Security?
What extra features do you need out of SSH anyway? I ask not to be a smart arse, but as a genuine inquiry.
Security?
Secunia Advisories:
SSH Communications
- SSH Secure Shell for Servers 2.x
- SSH Secure Shell for Servers 3.x
- SSH Secure Shell for Windows Servers 3.x
- SSH Secure Shell for Workstations 2.x
- SSH Secure Shell for Workstations 3.x
- SSH Sentinel 1.x
- SSH Tectia Client 4.x
- SSH Tectia Server 4.x
OpenBSD
- OpenSSH 3.x
- OpenSSH 4.x
OpenBSD has a pretty good reputation for being secure and I didn't see anything in the advisories above that made me worry. I don't think this pay-to-play ssh is going to give me more security. I think I'll stick with OpenSSH.
-Joe
-
Re:Weird logic.
I hate to break it to you, but Firefox has had way more than one hole in the last year:
http://secunia.com/product/4227/
23 since the release of 1.0. We're now on 1.07. Seven major security releases.
Is it better than IE? Probably. Firefox vulnerabilities tend to be fixed more quickly and are less secure than IE vulnerabilities. That said, IE is considerably easier to update for both corporate users and home users.
Firefox can do better. Fortunately, the update mechanism is much-improved in 1.5. But, remember, Firefox is supposed to be the darling of the Open Source movement. We can do better.
-
Re:Security through obscurity?
While the parent notes the release of the best web browser as a no-charge, no-ad browser, it misses the point that it was also a security patch. (For a fairly minor problem, but still.)
The problem is not that security is being handled by obscurity in some browsers. The problem is that some browser vendors are not as aggressive in patching security problems as other vendors are.
-