Weekly Edition
Return to the Security page
| |||||||||||
|
| |||||||||||
Security Innovation's Microsoft/Linux web server security study
Security Innovation has announced the availability of its (Microsoft-funded) web server security survey which found Windows to be a more secure platform. The document itself is available in PDF format. "For example, CAN-2004-0957 discusses a bug in MySQL's mysql_real_connect()
function. This was entered into the MySQL bug database on 4th June 2004, and fixed in
the source tree 17th June 2004. However, Red Hat only packaged this fix in RHSA-2004:611, issued on the 27th of November. This problem of the management of fixes
from a third-party is a difficult one, and one which could represent a significant challenge
to Linux on a go-forward basis."
(Log in to post comments)
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 8:03 UTC (Wed) by danieldk (subscriber, #27876) [Link] I can't read the report with gv, but I wonder who buys these flawed reports? Following their reasoning Windows also has the same security flaws, since MySQL is also available for Windows.
They probably equate Linux to Red Hat ;).
Security Innovation's Microsoft/Linux web server security study
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 8:04 UTC (Wed) by mormop (guest, #13775) [Link] I still can't help but think that the main point of these studies is thatyou shouldn't let people who don't have a clue set up publicly available servers. I remember a friend of mine who's a network manager for a multinational architects set up Server 2000 on a fresh install with all the patches, hotfixes etc. With IIS running to the outside world it took less than two hours for the box to be hacked. Ultimately, hardening by someone who knows what they're doing could have made all the difference and I still reckon that any company that uses a default install on any platform gets what they deserve for being to tight to pay to have it done properly.
Security Innovation's Microsoft/Linux web server security study Posted Mar 24, 2005 5:21 UTC (Thu) by zotz (guest, #26117) [Link] "I still can't help but think that the main point of these studies is thatyou shouldn't let people who don't have a clue set up publicly available servers."
The problem is, one of the selling points of MS is that their stuff is so easy and intuitive that you don't need to pay an expert to do it properly, anyone can do it. This is the take they push onto the public is it not?
all the best,
drew
http://www.archive.org/search.php?query=creator%3A%22drew...
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 8:31 UTC (Wed) by ballombe (subscriber, #9523) [Link] > Red Hat only packaged this fix in RHSA-2004:611, issued on the 27th of November.
This is not true. Just check the excellent LWN Security section (http://lwn.net/Alerts/108548/)
It was issued the 27th of October.
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 8:43 UTC (Wed) by gnb (subscriber, #5132) [Link] That's still longer than you might hope. They may well have pickedthe worst example they could find, but the point that need for the fix to propagate from the upstream vendor to the distribution vendor introduces delay is valid. Whether the end result is any worse than the delay you get from some other large software companies is a separate question.
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 8:51 UTC (Wed) by shahms (subscriber, #8877) [Link] Even if they picked the worst example they could find, they still exaggerated it by a month...
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 8:55 UTC (Wed) by tzafrir (subscriber, #11501) [Link] Have a look at the original bug:
http://bugs.mysql.com/bug.php?id=4017
The original report was unreproducable from 4-jun-2004 to 16-jun-2004. Then a discussion started. A quote from it:
[17 Jun 2004 2:20am] Lukasz Wojtow
Everything depends on library you use. In glibc there is a limitation for an IP
So Theoretically RHEL was volnurable. Practically it wasn't. Still it is worth fixing because who knows what other pathes may lead there. No reason for urshing out an emergency fix for this one.
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 9:29 UTC (Wed) by ballombe (subscriber, #9523) [Link] Second error:>CAN-2004-0957 discusses a bug in MySQL's mysql_real_connect() function.
That is not true either, mysql_real_connect() is CAN-2004-0836. CAN-2004-0957
See http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-200...
Given there is two factual mistakes in the 5 lines pasted in the news
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 8:33 UTC (Wed) by wilreichert (subscriber, #17680) [Link] Baahhhh, any system is as secure as the user / administrator makes it, regardless of the operating system. Silly wabbits.
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 10:14 UTC (Wed) by dan_ (guest, #28710) [Link] I suspect lots of OS distributors provide regular security patches and bydefault switch off most risky and non-essential features and services. Some are now using Security Enhanced Linux to bolt things down further. Can you give me some examples of what else a system administrator should do to make a system more secure?
List of tasks and checks for a new server Posted Mar 23, 2005 11:07 UTC (Wed) by dmarti (subscriber, #11625) [Link] Here's a list of things to do and check on a new server before putting it up. Suggestions welcome.
List of tasks and checks for a new server Posted Mar 23, 2005 12:17 UTC (Wed) by jwb (subscriber, #15467) [Link] That's a great list, Don. Why can't we get default installs that meet all these criteria? I just installed Debian on a bunch of old PCs for compute nodes, so allow me to run down your list with a fresh perspective:
1: whatever
So it seems that at least Debian has a long way to go before the default install is ideal and perfect. I would add one thing to your list, and that is: the administrator's ssh private key should really be on a smart card. SSH supports generation of the key on-card, and uses the key to establish the connection, so the private key is never in core or on disk of any computer. Alas, Debian's ssh does not support smartcards. If you want this functionality you need to rebuild the package locally.
What does all this have to do with the original article? Well not much I guess. As we all know you are pretty well screwed when installing a Windows machine, and frankly I fail to see how a mysql bug is a Linux problem. Do not people use mysql on Windows, as well?
List of tasks and checks for a new server Posted Mar 24, 2005 9:36 UTC (Thu) by deepfire (guest, #26138) [Link] > 11: no default iptables rules in Debian, and also discards your firewall> rules every time you reboot.
/etc/init.d/iptables save active
will make the day -- the `active' ruleset is the one activated during bootup
Security Innovation's Microsoft/Linux web server security study Posted Mar 25, 2005 16:38 UTC (Fri) by job (guest, #670) [Link] That is just not true. In many cases the operating system may exposeextra attack vectors. For example, in Microsoft Windows a process that has access to the GUI system automatically has access to elevated privileges, by design. This can't be fixed without breaking a lot of old applications. How do you stop the NetBIOS-over-IP processes in Windows? The answer is you don't, not in a controlled way that update and repair tools won't restore for you again. You block the ports in your firewall and cross your fingers there is no unprivileged exploit on the local subnet. But of course, these and many others well known peculiarities with Windows will never be "fixed" and has no "report date". So you'll never find them in Microsoft sponsored studies. But the facts speak for themselves: security is much harder to attain with a poorly thought out operating system.
Dead Letter Office Posted Mar 23, 2005 9:43 UTC (Wed) by b7j0c (subscriber, #27559) [Link] Microsoft has been issuing these phony reports at the rate of about once a month for at least two years now, and people still don't believe them.
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 10:37 UTC (Wed) by iabervon (subscriber, #722) [Link] The fundamental flaw in this study is that it does not include any determination of whether the vulnerabilities actually apply at all to the configuration they are theoretically testing. While they do address some more serious flaws in other studies, this still makes their results worthless.
Early in the paper, they mention a vulnerability as an example (issues with libpng); this would generally not matter to a web server, unless someone using the machine would display images from untrusted sites. It is unclear whether this is included in the study, but it probably should not be, at least not without extensive explanation, since the theoretical administrator of this system could work around the issue in the period of risk by avoiding the behavior which triggers the bug.
They give one example of an included vulnerability. This vulnerability is inapplicable for many reasons: it requires an attacker to connect to the database, which is not accepting connections from potential attackers; it requires the attacker to provide a special DNS response, which may be impossible; it requires a library the program is using to behave differently from the one actually used. One might reasonably guess that the reason Red Hat was so slow to fix this flaw was that it did not actually permit an exploit.
In order to give an actual value for days of risk, it is necessary to test, for the configuration which would have been current on each day, whether proof-of-concept exploits can be made to violate the security model. (Or, more strictly, if a set of exploits could be used to cause damage; *nix generically has a two-tiered security model, such that some flaws will violate the security model while not individually being sufficient to cause damage, so a complementary set of vulnerabilities would be required to be known and open at the same time.) As has been pointed out many times, there are vulnerabilities in Linux which may only be exploited in situations were the security model has already been violated, and where Windows behaving as designed would permit the action classified on Linux as a vulnerability.
Furthermore, if the study is using only vulnerabilities documented as known to the general public during a period, it does not make sense to include multiple unfixed vulnerabilities for the same day. There main reason to count different vector is that an attacker may only know some of the potential attacks; but using the periods where the flaws are publically reported makes this nonsensical. (Another reason is if you want to study a range of configurations, where an attack may only apply to some of them.) A more sensible model is to assume that an attacker will attempt all of the known attacks until one works, and measure the number of days on which some attack would succeed.
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 10:40 UTC (Wed) by chohman (guest, #5519) [Link] So, they were illustrating how patches can take time to propagate; however, when you look at the bug, you can see why Red Hat didn't particularly rush - the bug is not exploitable under Linux, since glibc prevents the potential overflow. One could admire the irony if the Windows implementation of gethostbyname would allow the exploit, couldn't one - this would make a Windows platform running MySQL vulnerable while Linux wasn't, not quite the point they wanted.
And of course, failure to fix a bug in MySQL is definitely an operating system security issue, too.
Gotta love PHB market-speak - "go-forward basis" indeed!
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 11:33 UTC (Wed) by tzafrir (subscriber, #11501) [Link] One simple data point to support that:
When they have classified the volnurabilities by sevirity, there were no IIS volnurabilities in the categories "low" and "not rated".
Assuming that the programmers of MS can make "small" mistakes, and not just horrible ones, this clearly indicates that many more volnurabilities in the IIS code go unpatched.
In fact, RedHat can't easily sit on a fix to a security issue too long, because it will be fixed by its competitors sooner, and its clients would start asking annoying questions.
MS's clients have only one source for fixes and about zero independent sources with the full ability to assess volnurabilities.
BTW: didn't they start lately to hold off fixes for 30 days?
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 11:51 UTC (Wed) by dlapine (subscriber, #7358) [Link] RH or the kernel developers? Not sure about RH, but the kernel folks said that a delay measured in days, not weeks or months might be acceptable to hold off on announcing new bugs, in order to allow time to patch. I believe that they specifically said 7 days was a good limit.
Security Innovation's Microsoft/Linux web server security study Posted Mar 24, 2005 5:30 UTC (Thu) by zotz (guest, #26117) [Link] "When they have classified the volnurabilities by sevirity, there were no IIS volnurabilities in the categories "low" and "not rated".
Assuming that the programmers of MS can make "small" mistakes, and not just horrible ones, this clearly indicates that many more volnurabilities in the IIS code go unpatched."
Either that, or even the smallest mistakes on the MS platform lead to big vulnerabilities...
all the best,
drew
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 11:14 UTC (Wed) by JoeBuck (subscriber, #2330) [Link] Microsoft's OS does not contain an SQL database, it's a separate product. Any security comparision should compare security bugs only in Red Hat components that correspond to a component that is bundled with Windows.Just the same, if it took Red Hat months to ship a security patch in mysql that had already been released by upstream, then they deserve criticism. Black hats often look for windows of this kind (where a bug fix has been released but large numbers of people haven't installed it).
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 12:10 UTC (Wed) by prague (guest, #28712) [Link] Other than the fact that this report is biased (not to mention a load of bullshit), I just think it's funny that it was written by people with Ph.Ds. Honestly, did you not pay attention in English over your 20+ years of education? I can't stand when adult indiviuals have the composition skills of a middle school student. Ignorant ass wipes... no wonder they took a job funded by Microsoft...
Who runs the default vendor package applications for production anyway ? Posted Mar 23, 2005 12:23 UTC (Wed) by Spike (guest, #14160) [Link] When I install a LAMP stack on a production web application/database host(s), I never use the vender installed stuff anyway. If I run apache/php/perl/mysql on a host.I compile locally for the options I want and the patch/version control that is needed for secure feature rich sites. When a patch is announced, if the host(s)is/are vulnerable, I can patch ASAP. I would imagine most professionally run environments are run this way as well. These packages in my opinion are placed and maintained for convience of users and are really usable only for internal applications where evil doers are less likely to tread.
Who runs the default vendor package applications for production anyway ? Posted Mar 29, 2005 12:42 UTC (Tue) by dps (subscriber, #5725) [Link] I think my network counts as a "professional environment". I mostly run debian binary packages (woody and a 2.4.x kernel), seriously minimised. I roll my own kernels and frequently compile in everything I need and disable modules. 2.2.x kernel lack IP tables so are too conversative for my taste.
Tracking the security of everything installed everywhere would require more time than I have to keep the system happy, so apt-get upgrade is worth a lot. This does not mean I would not roll my own fixed version for something serious not covered by a DSA.
The major limitation of debain, RH, etc vendor packages is that it is hard to know the coverage of their backported fixes.
BTW almost all M$ bxoen run 100% vendor packages and only the vendor can provide security fixes. Even if get the source, AFAIK M$ "shared source" does not allow you actually fix a problem and use the fixed version.
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 13:13 UTC (Wed) by bluefoxicy (subscriber, #25366) [Link] Red Hat is the ass of Linux. I don't know why they can't meter us against someone like Novell, who isn't a Microsoft-style "We own most of our market so we can do whatever we want" pile of crap. I'm sure many distributions have dedicated security teams, although I can say first-hand that Gentoo has a very active security crew who not only gets patches out as soon as a vuln is known-- sometimes before upstream-- but also researches the integration of PaX, GrSecurity, mandatory access control, stack smash protection, and anything else feasible (meaning easy to deploy and not terribly expensive in terms of space or performance overhead) to use so that new security flaws are "already taken care of." Ubuntu Linux may hopefully be going the proactive route, which seems very evident as per the official formation of Hardened Ubuntu by the Ubuntu Linux security team and the Hardened Debian team. This would negate a large portion (approximately 80%?) of security notices in whole or in part. Note that the Hardened Debian team was created to bring the advances in Hardened Gentoo to the Debian world; and these guys all also communicate directly with the Adamantix team, The PaX Team, and in some cases the GrSecurity team. They also all use SeLinux and/or RSBAC for MAC as well as GrSecurity.
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 13:30 UTC (Wed) by tzafrir (subscriber, #11501) [Link] SELinux, you mean the whose integration caused so much grief to Fedora users? Already in RHEL4.
As for PaX: Any news following http://lwn.net/Articles/126986/ ?
Security Innovation's Microsoft/Linux web server security study Posted Mar 23, 2005 15:03 UTC (Wed) by bluefoxicy (subscriber, #25366) [Link] Yeah, that hole is fixed in 2.6.11 PaX. As for the future, PaX is probably going to be handed off to Brad Spengler, the GrSecurity lead; though anyone who wants to help is quite welcome to come help. As it stands now, the PaX team is still actively working on PaX, going to hand it off April 1.
Transparant data - Roll your own metrics Posted Mar 23, 2005 14:57 UTC (Wed) by mjc@redhat.com (guest, #2303) [Link] The Red Hat Security Response Team actually publish all the data on every vulnerability, when it was public, when it was fixed, and the severity, and a small perl script to analyse the data and make your own favourite reports. See http://blogs.redhat.com/people/archive/000201.html for the link
|
|||||||||||