Linux speared by trio of security holes

Nomad559, Donating Member (1000+ posts), Sun Oct-24-04 09:05 PM
Original message
Linux speared by trio of security holes

A series of security holes in three common Linux components has led open-source vendors to rush out several updates.

Two of them, rated "highly critical" by security company Secunia, are in libpng, a library used by a number of applications, including the Mozilla browser to display png graphics files.

The problems are a boundary error in Mozilla's "png handle" function, and an integer overflow in the "png read" function. These flaws could potentially be exploited by malicious users to trick computer users into viewing a corrupted png image, and inadvertently linking an application into the vulnerable library. Ultimately, it means a hacker could execute arbitrary code on your PC.

In August, a number of security flaws were discovered in libpng, including a bug in the POP3 capability and a risk of unauthorized upload of data from a victim's computer.

More flaws have also been discovered in Xpdf, which is used to view Adobe pdf files in Linux. A series of integer overflow errors in Xpdf could seriously compromise a victim's system. As with the libpng vulnerability, malicious users could exploit the Xpdf vulnerability to execute arbitrary code using specially crafted pdf files.
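The libpng flaw the article describes is an integer overflow in length handling. As an added illustration, not code from the article, from libpng or from anyone in this thread, the following C sketch shows that bug class in a minimal PNG IHDR reader: the unchecked row-size computation wraps to zero on a constructed oversized header, so any buffer sized from it would be far too small for the pixel data, while the checked version (64-bit multiply, field validation, size cap) rejects the same header. The `MAX_ROW_BYTES` limit and the two sample headers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not libpng's code: the arithmetic pattern behind an
 * integer overflow in image-header handling, shown unchecked and checked.
 * The field layout follows the PNG IHDR chunk data (13 bytes, big-endian):
 * width(4) height(4) bit_depth(1) colour_type(1) compression(1) filter(1)
 * interlace(1). */

typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t  bit_depth;
    uint8_t  color_type;
} ihdr_t;

#define IHDR_DATA_LEN 13

/* Policy limit on one row's size, chosen for this example. */
#define MAX_ROW_BYTES (64u * 1024u * 1024u)

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the 13 data bytes of an IHDR chunk; returns 0 on success. */
int parse_ihdr(const uint8_t *buf, size_t len, ihdr_t *out) {
    if (buf == NULL || len < IHDR_DATA_LEN) return -1;
    out->width      = be32(buf);
    out->height     = be32(buf + 4);
    out->bit_depth  = buf[8];
    out->color_type = buf[9];
    return 0;
}

/* Samples per pixel for each PNG colour type; 0 means invalid. */
int channels_for(uint8_t color_type) {
    switch (color_type) {
    case 0: return 1;  /* greyscale */
    case 2: return 3;  /* truecolour */
    case 3: return 1;  /* indexed */
    case 4: return 2;  /* greyscale + alpha */
    case 6: return 4;  /* truecolour + alpha */
    default: return 0;
    }
}

/* Unchecked: width * channels * bit_depth is evaluated in 32 bits and
 * silently wraps, so an absurd width can produce a tiny (even zero) row
 * size; a buffer allocated from it is far smaller than the pixel data. */
uint32_t row_bytes_unchecked(const ihdr_t *h) {
    uint32_t bits = h->width * (uint32_t)channels_for(h->color_type) * h->bit_depth;
    return (bits + 7) / 8;
}

/* Checked: validate every field, multiply in 64 bits, and cap the result.
 * Returns the row size in bytes, or -1 if the header is rejected. */
int64_t row_bytes_checked(const ihdr_t *h) {
    int ch = channels_for(h->color_type);
    if (ch == 0) return -1;
    switch (h->bit_depth) {
    case 1: case 2: case 4: case 8: case 16: break;   /* depths PNG allows */
    default: return -1;
    }
    if (h->width == 0 || h->height == 0) return -1;
    if (h->width > 0x7fffffffu || h->height > 0x7fffffffu) return -1; /* PNG spec maximum */
    uint64_t bits  = (uint64_t)h->width * (uint64_t)ch * h->bit_depth;
    uint64_t bytes = (bits + 7) / 8;
    if (bytes > MAX_ROW_BYTES) return -1;
    return (int64_t)bytes;
}

/* Convenience wrappers: parse then size, so a caller sees one answer per blob. */
uint32_t unchecked_row_from(const uint8_t *buf, size_t len) {
    ihdr_t h;
    if (parse_ihdr(buf, len, &h) != 0) return 0;
    return row_bytes_unchecked(&h);
}
int64_t checked_row_from(const uint8_t *buf, size_t len) {
    ihdr_t h;
    if (parse_ihdr(buf, len, &h) != 0) return -1;
    return row_bytes_checked(&h);
}

/* Constructed sample headers. */
const uint8_t benign_ihdr[IHDR_DATA_LEN] = {     /* 640 x 480, 8-bit truecolour */
    0x00,0x00,0x02,0x80,  0x00,0x00,0x01,0xE0,  8, 2, 0, 0, 0 };
const uint8_t oversized_ihdr[IHDR_DATA_LEN] = {  /* width 2^30, 16-bit RGBA */
    0x40,0x00,0x00,0x00,  0x00,0x00,0x00,0x01,  16, 6, 0, 0, 0 };

int main(void) {
    printf("benign:    unchecked=%u checked=%lld\n",
           unchecked_row_from(benign_ihdr, IHDR_DATA_LEN),
           (long long)checked_row_from(benign_ihdr, IHDR_DATA_LEN));
    printf("oversized: unchecked=%u checked=%lld\n",
           unchecked_row_from(oversized_ihdr, IHDR_DATA_LEN),
           (long long)checked_row_from(oversized_ihdr, IHDR_DATA_LEN));
    return 0;
}
```

The benign header sizes to 1920 bytes either way; the oversized one comes out as 0 bytes from the unchecked arithmetic and is rejected by the checked path. The general lesson is the one auditors apply to any length computed from untrusted header fields: widen before multiplying, bound the result, and never let the allocation size and the copy length be derived by different arithmetic.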
deadmessengers, Donating Member (1000+ posts), Sun Oct-24-04 09:13 PM
Response to Original message
1. Ignorant, typical of the tech media
None of these are "Linux" problems, any more than a problem in Adobe Acrobat is a "Windows" problem. These are applications developed entirely separate from the Linux kernel. Some, but not all Linux vendors include these applications as part of their distributions, but they're still not part of Linux.
 
Nomad559, Donating Member (1000+ posts), Sun Oct-24-04 09:25 PM
Response to Reply #1
6. Linux Kernel Multiple Vulnerabilities
 
qnr, Donating Member (1000+ posts), Sun Oct-24-04 09:29 PM
Response to Reply #6
7. And your point is? They're identified, they're worked on.
Edited on Sun Oct-24-04 09:31 PM by qnr
By a whole slew of mostly unpaid individuals. Whereas with Windows, they are put in there by "highly trained paid professionals" in the first place.
 
deadmessengers, Donating Member (1000+ posts), Mon Oct-25-04 12:06 AM
Response to Reply #6
9. Ok - that's something different
For one thing, none of the vulns described there are remote-root vulnerabilities, the kind that make alert systems administrators grab for the Maalox. On top of that - a patch was available before anyone came up with working sploit code.

I make my living doing network security, and I can tell you that Windows and Linux, for all the religious wars associated with them, are a TOSS-UP as far as security is concerned. I can think of quite a few situations and applications where using a properly configured and locked down Windows server is the better, and more secure, choice. For example, how many more vulns have been found in BIND than Win2K DNS or dDNS? About a zillion. Same goes for the IIS SMTP server - as long as the machine is protected by a solid firewall (a.k.a. not Cisco PIX) keeping outside users from hitting anything but port 25, I'd have no problem putting that out on the big, bad Internet. Sendmail, the Linux/Unix MTA of choice, has been like Swiss cheese over the last 4 years or so, with at least 3 remote-root vulnerabilities that I can think of, all of which have been successfully exploited.

I was just pointing out that that article was truly ignorant of the fact that software that depends on the Linux kernel != Linux.
 
qnr, Donating Member (1000+ posts), Mon Oct-25-04 12:17 AM
Response to Reply #9
10. I find the BSD variants to be more secure
in a server environment anyway.

As far as the comparison goes, you have some valid points. On the other hand, BIND (taken as an example you mentioned, could be replaced with many others) is updated much more often, so you're likely to come upon more glitches - glitches which are rectified more rapidly than the Windows ones, from what I've seen.
 
ForrestGump, Donating Member (1000+ posts), Sun Oct-24-04 09:14 PM
Response to Original message
2. Poor Linux!

I'm sad now...
 
Best_man23, Donating Member (1000+ posts), Sun Oct-24-04 09:16 PM
Response to Original message
3. Comparing security holes in Linux to those in Windows
Is like comparing a pinhole to the Grand Canyon.
 
Deja Q, Donating Member (1000+ posts), Sun Oct-24-04 09:20 PM
Response to Reply #3
4. And unlike Windows holes,
and as long as the user isn't logged in as Root or doing maintenance as a SuperUser (either of which would be stupid), the outbreak would be quite minimal.

Still, it shows that hackers (at least pro-Gate$ ones) won't stop at anything. Not sure I can entirely blame or hate them anymore given the state of the industry, but that's ambivalence for you.

 
qnr, Donating Member (1000+ posts), Sun Oct-24-04 09:23 PM
Response to Original message
5. Here's a hint, Linux is the kernel. If they want to pretend
they're on top of things, then they need to come to terms with that little aspect of the situation.

If a dashboard light on my Winnebago goes out, I don't say it's a problem with the 454 Chevy under the hood.
 
PBX9501, Donating Member (231 posts), Sun Oct-24-04 09:39 PM
Response to Original message
8. Linux is nothing new
Real unix like AIX and HP-UX have had (still have) serious compromises. So did MVS. Z/OS (mainframe os) has them. Basically anything written by humans has holes and can be exploited. Nothing new here, trusted app gives user zero authority, or is forced to shell out giving user a prompt with su rights. People were cheating unix this way before Linus was in diapers.

The mechanics of computing are very simple and people with understanding of this can compromise systems.
 
flaminbats, Donating Member (1000+ posts), Mon Oct-25-04 12:32 AM
Response to Original message
11. I love the huge WindowsXP advertisement next to the article..
isn't the entire purpose of having open-source to allow users to improve the operating system flaws in the way which fits their needs?
 