Who gets CERT's attention [LWN.net]

Backers of proprietary software have, at times in the past, resorted to claims that Linux and free software are the subject of more CERT advisories than other systems. Such claims have been strikingly absent recently. Since our detractors have apparently been too busy to tally up CERT's output this year, we've decided to do it for them. Here's the full list of CERT's 2004 "technical cyber security alerts":

ID	Date	Vulnerability	Linux	Windows	Other
TA04-028A	Jan 28	MyDoom.B virus
TA04-033A	Feb. 2	Multiple Internet Explorer holes
TA04-036A	Feb. 5	Check Point Firewall HTTP parsing
TA04-041A	Feb. 10	Multiple ASN.1 holes
TA04-070A	Mar. 10	Outlook mailto: handling vulnerability
TA04-078A	Mar. 19	Multiple OpenSSL vulnerabilities
TA04-099A	Apr. 8	Outlook Express MHTML cross-domain
TA04-104A	Apr. 14	Multiple vulnerabilities in Microsoft products
TA04-111A	Apr. 20	TCP/BGP session termination
TA04-111B	Apr. 20	Cisco IOS SNMP message handling
TA04-147A	May 26	CVS heap overflow
TA04-160A	Jun. 9	Oracle SQL injection
TA04-163A	Jun. 11	Internet Explorer cross-domain redirect
TA04-174A	Jun. 22	Multiple DHCP vulnerabilities
TA04-184A	Jul. 2	Internet Explorer ADOBD.Stream control
TA04-196A	Jul. 14	Multiple Windows/Outlook vulnerabilities
TA04-212A	Jul. 30	"Critical" Windows/IE remote code execution
TA04-217A	Aug. 4	Multiple libpng vulnerabilities
TA04-245A	Sep. 1	Multiple Oracle vulnerabilities
TA04-247A	Sep. 3	MIT Kerberos 5
TA04-260A	Sep. 16	Microsoft JPEG component
TA04-261A	Sep. 17	Multiple Mozilla vulnerabilities
TA04-293A	Nov. 10	Multiple Internet Explorer vulnerabilities
TA04-315A	Nov. 11	Internet Explorer buffer overflow
TA04-316A	Nov. 11	IOS input queue vulnerability
		TOTALS:	7	13	6

Now, one can raise all sorts of complaints about this table. The logic that assigns the Mozilla vulnerability to Linux could also, easily, have charged it to Windows as well. The process by which CERT chooses vulnerabilities worthy of "cyber security alerts" is poorly understood. And so on.

There are seven vulnerabilities in the Linux column - and that is seven too many. But that is far less than the count in the proprietary columns. The Windows vulnerabilities include many which affect a large percentage of users; instead, very few users were affected by most of the Linux problems. The CERT advisory count is a flawed measure at best, but, within its limits, it shows that things could be a lot worse.

(Log in to post comments)

Who gets CERT's attention

Posted Nov 24, 2004 14:58 UTC (Wed) by maney (subscriber, #12630) [Link]

Maybe, but with closed source it's more difficult to identify it, so you have to pray that the vendor will notice it and choose to fix it before you're toast. Sic biscuitus disintegrat!

Who gets CERT's attention

Posted Dec 1, 2004 3:00 UTC (Wed) by roelofs (subscriber, #2599) [Link]

Doesn't Microsoft use code derived from libpng?

Yes, but XBox is the only verified location that I'm currently aware of. MS Office used LEADTOOLS, last I checked (with zlib, of course), and I was never clear what MSIE used.

I did recently learn of native PNG support in GDI+ (Windows' graphics layer), however--this support is new as of XP, which also happens to be the first version of MS Windows to contain a certain copyright notice corresponding to a piece of libpng-using code I wrote. (Search for my name in one of the README or RELNOTES files on the CD, if you have one and actually care.) So there's reasonably direct evidence that some part of Windows uses libpng, and some indirect evidence to suggest that it might be the core graphics layer, but that's a stretch.

Hmmm... A quick recursive grep of XP's system32 directory turns up hits for "libpng" in dx8vb.dll, dxdiagn.dll, diactfrm.dll, and a few ss*.scr files. So I guess that's relatively definitive. Still no clue whether or how any of those are connected to GDI+, though.

Greg

How about a free software vs proprietary count

Posted Nov 24, 2004 2:05 UTC (Wed) by lakeland (subscriber, #1157) [Link]

Rather than attempt to split things into linux vs windows, how about free
vs non-free? This makes the previously awkward mozilla issue easy to
classify. It also gives more justification to not putting oracle under
the linux category.

To be fair, the test would require a similar amount of free vs non-free
programs to be available that could be subject to a CERT advisory. I
would guess this is true.

My attempts:

ID Free Not
TA04-028A 0 1
TA04-033A 0 2
TA04-036A 0 2 ?? Is the firewall free
TA04-041A 0 3
TA04-070A 0 4
TA04-078A 1 4
TA04-099A 1 5
TA04-104A 1 6
TA04-111A 2 6 ?? Is this linux
TA04-111B 2 7
TA04-147A 3 7
TA04-160A 3 8
TA04-163A 3 9
TA04-174A 4 9
TA04-184A 4 10
TA04-196A 4 11
TA04-212A 4 12
TA04-217A 5 12
TA04-245A 5 13
TA04-247A 6 13
TA04-260A 6 14
TA04-261A 7 14
TA04-293A 7 15
TA04-315A 7 16
TA04-316A 7 18

How about a free software vs proprietary count

Posted Nov 24, 2004 3:45 UTC (Wed) by nicku (subscriber, #777) [Link]

Is the firewall free

Far from it. The Check Point Firewalls are highly proprietary. And also very expensive.

TA04-111A. "...a large percentage of users".

Posted Nov 25, 2004 13:04 UTC (Thu) by gdt (subscriber, #6284) [Link]

lakeland: TA04-111A 2 6 ?? Is this linux

The stock Linux kernel does not provide a TCP MD5 signature feature. Patches containing that feature have been rejected for slowing TCP processing. So BGP daemons such as Zebra/Quagga or Gated which are running on Linux are vulnerable to spoofed resets of BGP sessions and the resulting loss of connectivity.

So it fair to say that Linux distributions have the shortcoming identified by the CERT advisory, since many distributions contain a kernel incapable of TCP MD5 signatures and also contain a BGP routing daemon. It's also fair to say that there is currently no intention for this vulnerability to be fixed.

As far as I know, Microsoft Windows does not provide TCP MD5 signatures. But nor does Microsoft ship a BGP routing daemon with their operating system.

The simple answer, removing the routing daemon, is short-sighted. One of the consequences of peer-to-peer architectures is that peer computers need more information about the network topology. And a BGP session is the obvious way for an ISP to provide that.

Article: ...instead, very few users were affected by most of the Linux problems

I don't know how that this conclusion can be drawn. Millions on people could sit behind a BGP session. Thousands of people in an organisation can rely on DHCP working. Redundant BGP and DHCP servers are possible, but that doesn't help much as both services share the same failure mode -- the software fault.

TA04-111A. "...a large percentage of users".

Posted Nov 25, 2004 13:48 UTC (Thu) by fdesloges (subscriber, #291) [Link]

It's also fair to say that there is currently no intention for this vulnerability to be fixed.

It is so because: a) the TCP MD5 signature is an hugly hack that should never have been standardized in the first place, b) the problem can be fixed using iptable rules (while preserving a high quality TCP stack).

The main problem I see is that the "iptable rules" fix can be found only if you read the linux-net/zebra/quagga mailing lists thoroughly. A good solution would be for quagga/zebra packages to include some scripts that deal with this automaticaly.

CERT as a measure

Posted Nov 24, 2004 21:57 UTC (Wed) by edstoner (subscriber, #4496) [Link]

If we are going to use the number of CERT advisories as an indication of security, why not use what systems CERT themselves use as a measure of security. Surely the people that write advisories have an opinion about which systems are more secure.

While I am sure no one at CERT would say this publicly, they have public server's that can easily be queried.

Netcraft says CERT's been running a linux/apache server for their public web service since at least 2001.

They're running Sendmail for mail, and bind for dns also. They appear to
have no public Windows services at all.

This seems to be a pretty good arguement that people always miss.

CERT as a measure

Posted Nov 24, 2004 22:59 UTC (Wed) by bk (guest, #25617) [Link]

You'd have a pretty difficult time arguing that bind and sendmail are the most secure mail and DNS daemons.

CERT as a measure

Posted Nov 24, 2004 23:08 UTC (Wed) by edstoner (subscriber, #4496) [Link]

Would you rather Exchange and Microsoft DNS?
I agree that bind and sendmail may not be the most secure unix programs. The comparison is not between different unix programs though, but rather between Windows and Unix.

CERT as a measure

Posted Nov 25, 2004 0:25 UTC (Thu) by gallir (subscriber, #5735) [Link]

It's is much harder to argue they are insecure in the last [three years]
versions.

CERT as a measure

Posted Nov 25, 2004 20:58 UTC (Thu) by erwbgy (subscriber, #4104) [Link]

Hmm...they are getting better, but see the sendmail CVE list and even the Sendmail Consortium front page. The ISC BIND Vulnerabilities page also makes interesting reading.

Who gets CERT's attention

Posted Nov 25, 2004 22:57 UTC (Thu) by addw (subscriber, #1771) [Link]

There are 2 problems with this sort of table

No indication or weight is given to the seriousness of the vulnerability, this is a combination of how easy it is to exploit (if indeed it is possible) and what the effects of an exploit are (crash the system/damage the system/damage user files).
Most of the Linux vulnerabilities will affect user data, I can't remember how easy they are to exploit, some are found by code review and do not have known exploits.
All of the Windows exploits are exploitable - if they weren't exploitable then they would not have been found.
Comparison should be of similarily configured systems. Linux systems typically come with a vast amount of software that you just do not get in a typical installation on a Windows box. This much larger code base means that you must expect more problems.
But, if it comes as standard, I suppose you ought to count it as a vulnerability, but then how many people run CVS on their Linux box (LWN developers aside, I suspect very few). Anyone sane that configures a server only installs the software that it actually needs to do the job.

Until comparison charts that take the above into account, I will not take them seriously - numbers like CERT's must be great for the MS marketing machine ``Look, Linux suffered 1/2 the vulnerabilities that we did'', well it isn't that great - but it is better than the truth.

I suppose that you get some real idea of how the above factors affect reality in that Linux boxes tend to not be compromised.

OpenSSL runs on Windows too

Posted Dec 2, 2004 9:28 UTC (Thu) by mjc@redhat.com (guest, #2303) [Link]

I'd agree with the comment that many of these vulnerabilities such as Mozilla deserve to be listed in multiple columns; the listed OpenSSL vulnerabilities affect the Windows platform just as they affect OSs based on Linux, BSD, Apple, as well as embedded devices (Cisco etc), and everyone else that uses OpenSSL.

The Apache Web server is also a great example where Apache on Windows actually has more vulnerabilities (and more serious vulnerabilities) than Apache on Linux.