Linux vs MS Security - Linux


Thread: Linux vs MS Security

  1. Linux vs MS Security

    Now and then I encounter a Microsoftie who claims Linux
    is as vulnerable as Windows because there are a comparable
    number of security patches released. Not being a security
    guru I don't have the facts to rebut. So here are my
    questions.

    1 (SPAM) What percentage of SPAM is transmitted by compromised
    Linux systems compared to Microsoft?

    2 How does Linux compare with Windows for spyware vulnerability?

    3 How many Linux worms/virii in the last ten years??

    --
    Chuck Forsberg caf@omen.com www.omen.com 503-614-0430
    Developer of Industrial ZMODEM(Tm) for Embedded Applications
    Omen Technology Inc "The High Reliability Software"
    10255 NW Old Cornelius Pass Portland OR 97231 FAX 629-0665


  2. Re: Linux vs MS Security

    Chuck Forsberg WA7KGX N2469R wrote:

    > Now and then I encounter a Microsoftie who claims Linux
    > is as vulnerable as Windows because there are a comparable
    > number of security patches released. Not being a security


    If you go by the number, yes, maybe even more. However, what does this
    number tell you? Not much. Nothing in fact, because the number isn't set off
    against another measure. For example LOC. Or what the numbers are about.

    > 1 (SPAM) What percentage of SPAM is transmitted by compromised
    > Linux systems compared to Microsoft?


    A badly configured Linux box is just as dangerous in that respect as a
    Windows box. In fact I can remember a client having trouble with Exchange
    being configured as an open relay by default out of the box. Go figure. I
    think however that the number of Linux boxen turned into a spamspew by
    means of a trojan is far lower.

    > 2 How does Linux compare with Windows for spyware vulnerability?


    What spyware? There are ways to do keyboard logging, but everybody uses ssh
    nowadays and is behind a firewall. Even if one has a Linux box.

    > 3 How many Linux worms/virii in the last ten years??


    There are numbers about that. I think the total number of virii for
    UNIX/Linux lies around 300. That said, infections generally tend to be
    contained because of the more rigorous security in UNIX.

    --
    Ruurd
    ..o.
    ...o
    ooo

  3. Re: Linux vs MS Security

    On Thu, 25 Aug 2005 10:39:23 -0700, Chuck Forsberg WA7KGX N2469R wrote:

    > Now and then I encounter a Microsoftie who claims Linux is as vulnerable
    > as Windows because there are a comparable number of security patches
    > released.


    (Assuming this isn't a troll to start yet another pissing contest)

    Security patches being released is a good thing... if they actually fix
    the security problem and don't create new ones. The number of patches
    released is no measure of the security of the OS... the response to
    security issues from the developer is.

    Linux patches usually fix the issue at hand and don't usually introduce
    new issues.

    Many of the Microsoft patches throughout the years have either not fixed
    the issue at hand or created new and sometimes worse issues.

    Microsoft has actually benefited from being compared to Linux on a
    security front. There was a time when MS's policy about some of its
    security issues was "It will be fixed in the next OS release"... RedButton
    comes to mind.

    Though I still don't trust any MS box being connected directly to the
    internet without something in between it and the rest of the world, it is
    safe to say that MS has vastly improved its response to security issues
    since the NT 4.0 days... whether they have been successful at making their
    OS reasonably secure is a matter of opinion.

    > Not being a security guru I don't have the facts to rebut. So here are
    > my questions.
    >
    > 1 (SPAM) What percentage of SPAM is transmitted by compromised Linux
    > systems compared to Microsoft?


    < .5% (high estimate) - the only way I can imagine a Linux box being
    zombied to be a spam server is if the admin manually downloads and
    installs a compromised piece of software. You will not have your Linux box
    taken over by browsing a web page as you can in Windows.

    > 2 How does Linux compare with Windows for spyware vulnerability?


    It's extremely difficult to install and run a program on a secure *nix
    system. See answer to #1.

    > 3 How many Linux worms/virii in the last ten years??


    Don't know... But most viruses and worms are written by people who aren't
    very good programmers... so, naturally, they tend to write them for the
    easiest systems to compromise. There hasn't been a TCP/IP specific worm
    written since the early '80s.

    I've never had a compromised *nix system... and, truthfully, I've had very
    few compromised Windows systems, but I'm very security conscious and
    usually use the *nix systems to protect the Windows systems.

    The biggest issue with security lies with the operator, not the OS.

    --
    "Blessed is he who expects nothing, for he shall never be disappointed."
    Benjamin Franklin (I didn't know he was a Buddhist)


  4. Re: Linux vs MS Security

    Chuck Forsberg WA7KGX N2469R wrote:
    > Now and then I encounter a Microsoftie who claims Linux
    > is as vulnerable as Windows


    http://www.techweb.com/wire/security/54201306

    "Not surprisingly, Windows XP SP1 sans third-party firewall had the
    poorest showing. In some instances, someone had taken complete control
    of the machine in as little as 30 seconds."


    --
    Let's not complicate our relationship
    by trying to communicate with each other.

  5. Re: Linux vs MS Security

    On Thu, 25 Aug 2005 10:39:23 -0700, Chuck Forsberg WA7KGX N2469R wrote:
    > Now and then I encounter a Microsoftie who claims Linux
    > is as vulnerable as Windows because there are a comparable
    > number of security patches released.


    No, having to wait for the second Tuesday of the month makes Windows
    more vulnerable.

    Heh,heh look here to see what it takes to tighten XP.
    http://www.blackviper.com/WinXP/servicecfg.htm
    Is there any chance of the casual user knowing what to disable or set
    manual?

    Guessing linux has more security patches released. Micro$oft does not
    show all patches released. Keeps the comparison looking good for them.

    Micro$oft used to get razzed about number of patches released and was
    not too long after that they changed to once a month releases.
    Reason given was that commercial customers could not keep up testing
    and rolling out patches.

    People are looking for linux exploits and updates usually ready within a
    week and available for download.

    You get to wait for second Tuesday of the month for M$.

    Something to look at here
    http://www.eeye.com/html/research/upcoming/

    > Not being a security guru I don't have the facts to rebut. So here
    > are my questions.


    > 1 (SPAM) What percentage of SPAM is transmitted by compromised
    > Linux systems compared to Microsoft?


    No way to tell unless you want to run code against ip addresses found
    at http://www.spamcop.net/ to guess OS.

    I would bet greater than 90% because malware downloads a smtp server
    and starts spewing email messages.

    > 2 How does Linux compare with Windows for spyware vulnerability?


    Majority of spyware will not install/run on linux.

    > 3 How many Linux worms/virii in the last ten years??


    Not enough for the Antivirus Vendors to make a living with.

    Grand total unix and linux is less than 300.

  6. Re: Linux vs MS Security

    [Ivan Marsh]
    >> 1 (SPAM) What percentage of SPAM is transmitted by compromised Linux
    >> systems compared to Microsoft?


    > < .5% (high estimate) - the only way I can imagine a Linux box being
    > zombied to be a spam server is if the admin manually downloads and
    > installs a compromised piece of software.


    Well. A linux box not being maintained or upgraded, or badly
    installed in the first place, is very likely to get compromised. I
    know there exist boxes that have been connected to the net for years
    and years without any maintenance or upgrades being performed -
    sysadmins eventually throwing up a firewall to hide the problem.

    For one thing it is not so many years ago when most of the mail server
    software by default was set up as open relays. It was also common to
    have linux distributions where lots and lots of servers were set up by
    default. It used to be normal to let servers run as root. Security
    flaws have always existed, notoriously buffer-overflows. Thus, having
    a linux box with servers running on Internet without patching up the
    software every now and then is a quite risky affair, if a skilled
    person gains root access to the box and starts installing back doors,
    trojans, etc, then it will be extremely difficult to "clean up" the
    system. Of course, this applies to windows as well.

    > You will not have your Linux box
    > taken over by browsing a web page as you can in Windows.


    Of course, a regular linux user would not run his browser as "root",
    thus the box won't be taken over no matter how many holes there are in
    the browser. Some Microsofties I'm regularly discussing security
    with, would claim that the same applies to windows. When people are
    running all their applications as "System Administrator" on their
    windows boxes, it is (according to said Microsofties) due to
    ignorance; everybody should learn a bit about computing before using
    or owning a computer. Well, I tend to disagree, surfing the web
    should be reasonably safe for anyone, and it should be possible for
    Microsoft to deliver a virtually maintenance-free product, or
    eventually, for dealers to do support/maintenance for dummies.

    That being said, of course I feel miles safer running Mozilla than
    MSIE, both because I expect Mozilla to be safer and because it is less
    targeted.

    --
    This signature has been virus scanned, and is probably safe to read
    Tobias Brox, 6942'N, 1857'E

  7. Re: Linux vs MS Security

    Chuck Forsberg WA7KGX N2469R wrote:
    > Now and then I encounter a Microsoftie who claims Linux
    > is as vulnerable as Windows because there are a comparable
    > number of security patches released.


    As has been said by others, this is a silly way to measure security.

    The "closed source" and "open source"-community have two quite
    different philosophies when it comes to security, and it is quite hard
    to say that one is better than the other.

    In the "open source"-community, everything is transparent. The bad
    thing about this is, of course, that anyone can find the weak spots,
    and eventually exploit them. The good thing is that the weak spots
    get found and fixed. Quite often the security faults get announced
    first, and fixed later - quite often the delay between the security
    alert and the fix is small, often a proposed patch is applied with the
    announcement, though it may take some time until the fix is official
    and part of the linux distributions.

    In the "closed source"-community, the code is secret. The good thing
    about it is that the weak spots quite often are unknown, and thus not
    exploited. The bad thing is, of course, that one can never know how
    many weak spots there are, and eventually how many people have inside
    information about those weak spots. Now I've heard two quite
    different views on how good Microsoft is on patching up their security
    holes, so I'd be pleased if anyone could fill me out on this:

    - The Microsofties I'm regularly discussing security with, claim
    that never (or almost never, or, at least not as they know) has a
    security hole been publicly known _before_ an official patch for the
    security hole was out.

    - The other story I've heard is that Microsoft is very slow on making
    patches, and that known security holes can stay open for as much as a
    month unpatched.

    --
    This signature has been virus scanned, and is probably safe to read
    Tobias Brox, 6942'N, 1857'E

  8. Re: Linux vs MS Security

    On Thu, 25 Aug 2005 21:12:20 +0000 (UTC), Tobias Brox wrote:
    >
    > In the "closed source"-community, the code is secret.


    But then again it is impressive that with M$ closed source how many
    exploits are found.

    > The good thing about it is that the weak spots quite often are
    > unknown, and thus not exploited. The bad thing is, of course, that
    > one can never know how many weak spots there are, and eventually how
    > many people have inside information about those weak spots.


    Quite right. The black hats used to brag about the exploits. Now that
    the criminals are into it, they keep the exploits to themselves.
    Now that they are starting to avoid honeypots, it is getting harder
    to find out about the malware.

    > Now I've heard two quite
    > different views on how good Microsoft is on patching up their security
    > holes, so I'd be pleased if anyone could fill me out on this:


    Saw remarks from M$ execs where they did not bother with exploits
    until found in the wild.

    > - The other story I've heard is that Microsoft is very slow on making
    > patches, and that known security holes can stay open for as much as a
    > month unpatched.


    http://www.eeye.com/html/research/upcoming/

  9. Re: Linux vs MS Security

    Chuck Forsberg WA7KGX N2469R wrote:
    > Now and then I encounter a Microsoftie who claims Linux
    > is as vulnerable as Windows because there are a comparable
    > number of security patches released.


    This sounds like a fairly content-free OS-advocacy discussion. Are you
    _sure_ you want to have one?

    I.e., if you stop to think for just a moment, you'll realise multiple
    reasons why the relative _number_ of security patches (a) cannot be
    determined and (b) would be irrelevant to the question at hand, anyway:

    1. Linux distributions differ drastically, from one to the next, as to
    the number and scope of codebases (applications, daemons, etc.)
    furnished with the base OS. E.g., there are over 17,000 packages (per
    supported architecture) in Debian's stable branch. (_However_, basically
    all Linux distributions offer a considerably greater number and scope
    of codebases than do Microsoft's extremely spartan MS-Windows releases.
    This is the biggest single "apples and oranges" portion of the problem,
    though there are others.)

    2. Distributions not only differ greatly about number and scope of
    packages, but also typically offer considerable latitude about whether
    to install the kitchen sink, almost nothing, or anything in-between.
    Not all software is likely to get installed -- or run, if it is
    installed. However, security patches get released for all contents,
    both often-used and almost-never-used.

    For the preceding two reasons alone -- and there are others -- if there
    were (hypothetically) a "comparable" number of patches released for
    Debian-stable's 17,000 packages and for MS-Windows XP's bare OS +
    Wordpad + MSIE + MS Outlook Express, wouldn't that seem (on just numbers)
    to be an extremely damning indictment of _MS-Windows_?

    3. However, not all "security patches" are created equal. First, some
    are reactive and others are anticipatory. (Guess the tendencies of
    Linux and MS-Windows security patches in that area: You'll probably
    guess right.) Some are against theoretical attacks that may or may not
    ever be made real. Some are to guard against remote privilege
    escalation and system compromise, some are for local-only privilege
    escalation, some are for remote denial of service, some are for
    local-only denial of service. Those are of radically differing
    importance. E.g., one "hole" in Apache 1.3.x, some years back,
    theoretically allowed a remote attacker to bump off Apache listening
    processes, a few at a time -- and that's it. Apache 1.3's a
    fork-and-exec daemon: You kill a few, it spawns off a bunch more. Big
    deal.

    Not all vulnerabilities are credible or serious. Not all exploits are
    credible or serious.

    Some remote attacks are much more likely to give you root/Administrator
    privilege. (Guess which platform generally has a much greater problem
    with remote-root attacks?)

    Patches that aren't anticipatory, by definition, involve a "window" of
    delay between the time the vulnerability is discovered to (1) the time
    an exploit is discovered and deployed, and (2) the time a patch becomes
    available and known. Guess which platform generally has a problem with
    the patches that fix serious problems arriving in public much later than
    the exploit code did?

    Not all patches are non-problematic. Linux systems tend to have modular
    functionality for, in particular, security-sensitive code: You can
    upgrade or patch one part without adversely affecting another part.
    MS-Windows systems, by contrast, have an ongoing problem in that area:
    Sites delay deploying service packs and hotfixes because they break too
    many other things, while fixing others.

    > 1 (SPAM) What percentage of SPAM is transmitted by compromised
    > Linux systems compared to Microsoft?


    I'm not sure how you'd even determine that.

    > 2 How does Linux compare with Windows for spyware vulnerability?


    Spyware is essentially unknown on Linux to my knowledge. Certainly,
    there is nothing at present remotely like the forest of such things that
    beset MS-Windows XP systems of recent vintage. The only thing I can
    think of, historically, that might qualify is certain releases a long
    time ago of Real Networks's RealPlayer, which were said to have code in
    them, put there by the publisher, to spy on the media-browsing
    activities of users and report back. (I'm not sure that code was
    present in the Linux version.)

    What is in common among MS-Windows spyware packages is that it is
    spy-on-the-user code installed accidentally by the user along with some
    software package the user deliberately installs because he believes he wants
    it (the latter). That is, in a way, an artifact of the way MS-Windows
    users operate: installing and running software from any-old-where, with
    a notable lack of caution. This tends not to happen on Linux because
    they rely more heavily on monitored distribution chains, because Linux
    users already have much of the software they need, and because Linux Web
    browsers deliberately lack some dangerous install-from-remote functions,
    notably ActiveX.

    > 3 How many Linux worms/virii in the last ten years??


    Here's a survey. Note the information about vulnerability windows,
    and the fact that the packages in question are in general relevant only
    to machines run in server roles, deliberately exposed as such to public
    networks:

    http://linuxmafia.com/~rick/faq/inde...e=virus#virus5

    --
    Cheers,
    Rick Moen
    rick@linuxmafia.com
    "Due to circumstances beyond our control, we regret to inform you
    that circumstances are beyond our control." --Paul Benoit

  10. Re: Linux vs MS Security

    Tobias Brox wrote:

    > The "closed source" and "open source"-community have two quite
    > different philosophies when it comes to security, and it is quite hard
    > to say that one is better than the other.


    Okay, then simply compare the relative amount of internet servers
    compromised.
    A hint: Microsoft wins that race every time.

    > In the "open source"-community, everything is transparent. The bad
    > thing about this is, of course, that anyone can find the weak spots,
    > and eventually exploit them.


    They'd have to be fairly competent programmers to find them in the first
    place - better than the creators of said software, anyway.
    The offhand comment that "anyone can find the weak spots" is too
    hilarious to take seriously.

    > In the "closed source"-community, the code is secret. The good thing
    > about it is that the weak spots quite often are unknown, and thus not
    > exploited.


    Yeah, right - so where do the roughly 10 exploits a month come from that
    are publicly revealed ? Psychics ?
    If what you say holds (and it still may) that means there are so much
    boogs and holes in M$ software it would put a Swiss cheese to shame.

    > - The Microsofties I'm regularly discussing security with, claim
    > that never (or almost never, or, at least not as they know) has a
    > security hole been publicly known _before_ an official patch for the
    > security hole was out.


    Actually, it's the other way around - other people have to tell M$ every
    time that there are huge gaping holes before they will even deign to
    look at it - M$'s official stance is "if people don't complain, we aint
    spendin' money on it".

    > - The other story I've heard is that Microsoft is very slow on making
    > patches, and that known security holes can stay open for as much as a
    > month unpatched.


    The average leans towards the 3+ months, actually.

  11. Re: Linux vs MS Security

    Jeroen Geilman wrote:
    > Tobias Brox wrote:


    >> - The other story I've heard is that Microsoft is very slow on making
    >> patches, and that known security holes can stay open for as much as a
    >> month unpatched.

    >
    > The average leans towards the 3+ months, actually.


    My favourite anecdote about that is the F00F bug. See:
    "F00F Bug" on http://linuxmafia.com/kb/Hardware/

    It was a grave bug in Pentium / PPro processors, discovered in 1997,
    that Intel managed to talk its way out of fixing by some subtle
    misdirection that somehow convinced people that the CPU defect was OS
    vendors' problem.

    (Any affected CPU would immediately lock up if induced to load and run
    the instruction "F0 0F C7 C8" by anything at all, with any authority.)

    Regardless, after the bug was publicised on 1997-11-10, the BSDi people
    were first to produce a fix, using information they received from Intel
    under NDA -- in something like 2-3 days. The Linux kernel coders,
    working _without_ NDA information, were able to do likewise within, if
    memory serves, about one day more.

    Microsoft? They got around to hotfixing some but not all of their
    then-supported OS releases about six months later.

    --
    Cheers,
    Rick Moen
    rick@linuxmafia.com
    "Due to circumstances beyond our control, we regret to inform you
    that circumstances are beyond our control." --Paul Benoit

  12. Re: Linux vs MS Security

    Rick Moen wrote:

    > My favourite anecdote about that is the F00F bug. See:
    > "F00F Bug" on http://linuxmafia.com/kb/Hardware/
    >
    > It was a grave bug in Pentium / PPro processors, discovered in 1997,
    > that Intel managed to talk its way out of fixing by some subtle
    > misdirection that somehow convinced people that the CPU defect was OS
    > vendors' problem.
    >
    > (Any affected CPU would immediately lock up if induced to load and run
    > the instruction "F0 0F C7 C8" by anything at all, with any authority.)


    I always wondered about that one - I know any non-ancient Linux kernel
    shows it checking for the f00f bug on boot, but I thought it was limited
    to the original Pentiums ? (P54C)
    Or is this not the same as the math rounding error ?
    Perhaps that one was in the original chip...

    Anyway, just goes to show.

  13. Re: Linux vs MS Security

    Jeroen Geilman wrote:

    [F00F bug:]

    > I always wondered about that one - I know any non-ancient Linux kernel
    > shows it checking for the f00f bug on boot, but I thought it was limited
    > to the original Pentiums ? (P54C)
    > Or is this not the same as the math rounding error ?


    A lot of people get those confused. No, this was not the same as the
    infamous FDIV (floating point) error that was such a scandal. Part of
    what was so remarkable was that it was a great deal _worse_, and yet
    Intel managed to palm off the problem onto OS vendors, to fix it with
    software countermeasures.

    The latter did eventually work well for end-customers, with (as I said)
    the time-to-fix depending greatly on which OS it was.


  14. Re: Linux vs MS Security

    In the Usenet newsgroup comp.os.linux, in article
    <440e$432800b9$c690c3ba$12436@TSOFT.COM>, Rick Moen wrote:

    >It was a grave bug in Pentium / PPro processors, discovered in 1997,
    >that Intel managed to talk its way out of fixing by some subtle
    >misdirection that somehow convinced people that the CPU defect was OS
    >vendors' problem.


    ----------------------------------------
    ] Path: excalibur.flash.net!nntp.flash.net!sunqbc.risq.qc.ca
    !cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!cs.utexas.edu
    !geraldo.cc.utexas.edu!not-for-mail
    ] From: noname@noname.com
    ] Newsgroups: comp.os.linux.advocacy
    ] Subject: This code will lock up any P5 machine, even usermode Linux!
    (F0 0F C7 C8)
    ] Date: Thu, 06 Nov 1997 21:57:33 -0800
    ] Organization: The University of Texas at Austin, Austin, Texas
    ] Lines: 7
    ] Message-ID: <3462ADCD.135B@noname.com>
    ] NNTP-Posting-Host: dial-102-5.ots.utexas.edu
    ] Mime-Version: 1.0
    ] Content-Type: text/plain; charset=us-ascii
    ] Content-Transfer-Encoding: 7bit
    ] X-Mailer: Mozilla 3.0 (Win95; I)
    ]
    ] Hi,
    ]
    ] Check this out. If you execute F0 0F C7 C8 on a P5 it will lock the
    ] machine up. This is true for any operating system including usermode
    ] Linux. It's pretty cool. Basically, the opcodes are an invalid form
    ] of cmpxchg8b eax with a lock prefix. Has anyone seen this before? The
    ] problem doesn't show itself for the Pentium Pro or Pentium 2.
    ----------------------------------------

    I don't think anyone ever identified the discoverer. There was some talk
    that whoever it was worked for Cyrix and was reverse engineering the chip.
    Others claimed that it was more likely a computer science student at the
    University of Texas at Austin. I imagine if Intel were serious, they could
    have filed a complaint and the police would have had a look at the dialin
    logs - never heard a word about that.

    >Regardless, after the bug was publicised on 1997-11-10,


    Are you sure of the date? The original posting (above) was late on the
    sixth, and the next few days were like someone stomped on a fire ant nest.

    >the BSDi people were first to produce a fix, using information they
    >received from Intel under NDA -- in something like 2-3 days.


    google groups has a thread in comp.unix.bsd.freebsd.misc dated Tue, 11
    Nov 1997 16:38:48 -0700 announcing the BSDi fix. It was withdrawn on the
    12th apparently because it was released in violation of the NDA, and there
    was a lot of bickering in that group over the Linux fix.

    >The Linux kernel coders, working _without_ NDA information, were able to
    >do likewise within, if memory serves, about one day more.


    -------------------------------------------
    ]From: torvalds@transmeta.com (Linus Torvalds)
    ]Newsgroups: comp.os.linux.misc,comp.os.linux.hardware
    ]Subject: Pentium bug workaround, please test!
    ]Date: 12 Nov 1997 19:27:02 GMT
    ]Organization: Transmeta Corporation, Santa Clara, CA
    ]Lines: 20
    ]Message-ID: <64cvu6$b3f$1@palladium.transmeta.com>
    ]NNTP-Posting-Host: penguin.transmeta.com
    ]
    ]I just made 2.1.63 available on the normal ftp site (ftp.kernel.org,
    ]directory pub/linux/kernel/v2.1). The most exciting change is probably
    ]the preliminary patch by Ingo Molnar that should work around the by now
    ]well-known Pentium lock-up bug. Many thanks to Ingo who put together
    ]the patch from various snippets of information floating around.

    [...]

    ]Please give it a good testing, especially the Pentium bug workaround.
    ]Throw all the tests you have at it, to see that it really works. We'll
    ]be doing a 2.0.x patch for that too, but it's probably not going to
    ]appear for a few days, so in the meantime testing this fix on 2.1.x
    ]would be a GoodThing(tm)...
    ]
    ] Linus
    -------------------------------------------

    and

    -------------------------------------------
    ]From: set-usenet-879492588@reality.samiam.org (Sam Trenholme)
    ]Newsgroups: comp.os.linux.development.system,comp.os.linux.advocacy,
    comp.os.linux.misc
    ]Subject: F00F bug *fixed* in 2.0.x kernels
    ]Date: 14 Nov 1997 07:27:58 GMT
    ]Organization: Linux reality.samiam.org 2.0.30 #2 Mon Sep 15 1997 i686 unknown
    ]Lines: 41
    ]Message-ID: <64guhu$p7k@news9.noc.netcom.net>
    ]NNTP-Posting-Host: reality.samiam.org
    ]X-NETCOM-Date: Fri Nov 14 1:27:58 AM CST 1997
    ]
    ]Linux 2.0.x users:
    ]
    ]The Linux developers have, again, done the impossible. Within seven days
    ]of the serious FOOF bug in the Pentium being discovered, the kernel
    ]developers have not only figured out a software fix for the problem, but
    ]have patches for *both* the 2.1.63 and the 2.0.31 kernels which make
    ]Linux immune to the F00F bug.
    ]
    ]The patch for the F00F bug successfully works on the latest pre-2.0.32
    ]version. As I type these words on my Pentium Linux laptop, the sequence
    ]F0 0F C7 C8 is being run over and over again in an infinite loop.
    -------------------------------------------

    >Microsoft? They got around to hotfixing some but not all of their
    >then-supported OS releases about six months later.


    Did they ever fix it at all? I know Novell didn't. My understanding was
    that they claimed there was no need to fix it, as no compiler would
    produce that machine code. Obviously wrong, as anyone who has ever coded
    ANYTHING knows (how do they think it was discovered in the first place,
    magic?), but that was their story at the time.

    Old guy
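
The encoding described in the 1997 posting quoted above ("an invalid form of cmpxchg8b eax with a lock prefix"), decoded field by field, as an added example that is not part of the original thread. It generalises from the single byte sequence F0 0F C7 C8 to every register-operand form (ModRM C8 through CF) and conservatively also flags the encoding when other legacy prefixes sit next to the LOCK byte; the function names and the sample buffer are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of an x86 ModRM byte: mod (2 bits), reg (3 bits), rm (3 bits). */
struct modrm { unsigned mod, reg, rm; };

static struct modrm decode_modrm(uint8_t b)
{
    struct modrm m;
    m.mod = (b >> 6) & 3u;
    m.reg = (b >> 3) & 7u;
    m.rm  = b & 7u;
    return m;
}

static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0xF0: case 0xF2: case 0xF3:             /* LOCK, REPNE, REP */
    case 0x26: case 0x2E: case 0x36: case 0x3E:  /* ES, CS, SS, DS overrides */
    case 0x64: case 0x65:                        /* FS, GS overrides */
    case 0x66: case 0x67:                        /* operand / address size */
        return 1;
    default:
        return 0;
    }
}

/*
 * If the bytes at buf[off] encode a LOCK-prefixed 0F C7 /1 (CMPXCHG8B) whose
 * ModRM selects a register (mod == 3), return the length of that encoding;
 * otherwise return 0. CMPXCHG8B is only defined for a 64-bit memory operand,
 * so the register form is the "invalid form" the posting refers to.
 */
size_t locked_reg_cmpxchg8b_len(const uint8_t *buf, size_t len, size_t off)
{
    size_t i = off;
    int lock = 0;
    struct modrm m;

    if (off >= len) return 0;
    while (i < len && is_legacy_prefix(buf[i])) {
        if (buf[i] == 0xF0) lock = 1;
        i++;
    }
    if (!lock || len - i < 3) return 0;           /* no LOCK, or truncated */
    if (buf[i] != 0x0F || buf[i + 1] != 0xC7) return 0;
    m = decode_modrm(buf[i + 2]);
    if (m.mod != 3 || m.reg != 1) return 0;       /* memory form or other /r */
    return i + 3 - off;
}

/*
 * Raw byte scan (not a disassembler, so data bytes can produce false
 * positives). Stores up to max_hits offsets and returns the total count.
 */
size_t scan_locked_reg_cmpxchg8b(const uint8_t *buf, size_t len,
                                 size_t *hits, size_t max_hits)
{
    size_t count = 0, off = 0;

    while (off < len) {
        size_t n = locked_reg_cmpxchg8b_len(buf, len, off);
        if (n == 0) { off++; continue; }
        if (count < max_hits) hits[count] = off;
        count++;
        off += n;                                 /* skip the matched bytes */
    }
    return count;
}

/* Constructed sample buffer, not taken from any real binary. */
static const uint8_t SAMPLE[] = {
    0x90,                          /* nop                                   */
    0xF0, 0x0F, 0xC7, 0xC8,        /* lock + register form: flagged         */
    0xF0, 0x0F, 0xC7, 0x0E,        /* lock cmpxchg8b [esi]: valid, ignored  */
    0x0F, 0xC7, 0xC9,              /* register form without LOCK: ignored   */
    0x66, 0xF0, 0x0F, 0xC7, 0xCF,  /* extra prefix + lock, rm=7: flagged    */
    0xF0, 0x0F, 0xC7               /* truncated at end of buffer: ignored   */
};

int main(void)
{
    size_t hits[8];
    size_t n = scan_locked_reg_cmpxchg8b(SAMPLE, sizeof SAMPLE, hits, 8);

    for (size_t k = 0; k < n && k < 8; k++)
        printf("locked register-form cmpxchg8b at offset %zu\n", hits[k]);
    return n == 2 ? 0 : 1;
}
```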

  15. Re: Linux vs MS Security

    Moe Trin wrote:

    [F00F bug:]

    >>Regardless, after the bug was publicised on 1997-11-10,

    >
    > Are you sure of the date? The original posting (above) was late on the
    > sixth, and the next few days were like someone stomped on a fire ant nest.


    No, I was actually up during the middle of the night after donating
    blood and then crashing for several hours, really had no business
    attempting to be coherent on Usenet at that time, and only partially
    succeeded. Ordinarily, I'd have properly re-found the date stamp on the
    original newsgroup posting before saying that, but I was just too tired.
    (That's a poor excuse, I know. I knew I was likely to get it slightly
    wrong, but was exhausted and momentarily didn't care. My lazy
    guesstimate about the number of months until Microsoft's NT patch was
    off, too -- but in the ballpark.)

    [Microsoft:]

    > Did they ever fix it at all?


    Now that you mention it.... Hmm, I notice that their earlier
    http://premium.microsoft.com/support.../q163/8/52.asp page that
    they posted in 1998 doesn't exist, any more. Ah, here:

    http://support.microsoft.com/kb/163852/EN-US/

    I found that by googling for Intel's mind-numbing moniker for the
    problem, "Invalid Operand with Locked CMPXCHG8B Instruction". Page
    claims that NT 3.51 got some sort of hotfix, but they don't actually
    name or link that hotfix. NT 4.0 got a fix as part of SP 4.0. Win95
    _never_ got any sort of fix, it seems -- just as I was saying in '98.

    It's a bit frightening to think that I might personally have been -- for
    a while -- the best-informed commentator on this problem other than
    Robert Collins (who wasn't saying much). And I was a rank amateur. ;->

    > I know Novell didn't. My understanding was that they claimed there
    > was no need to fix it, as no compiler would produce that machine code.
    > Obviously wrong, as anyone who has ever coded ANYTHING knows (how do
    > they think it was discovered in the first place, magic?), but that was
    > their story at the time.


    Yes, that was quite bogus. Here's the actual vendor statement, from
    Intel's informational page:

    "Novell's network operating system NetWare/IntranetWare is not
    affected by the invalid instruction erratum found in the Pentium
    processor. NetWare/IntranetWare requires proper authentication to run
    NLM's [sic] and applications on the server. Due to this secure
    access, NetWare/IntranetWare is not susceptible to NLM's [sic] or
    applications that would use the invalid opcode. For further
    information, please contact Novell at 1-801-861-5533 or www.novell.com."

    Tom Oldroyd
    Senior Marketing Manager
    Novell Inc.

    --
    Cheers, "Due to circumstances beyond our control, we regret to
    Rick Moen inform you that circumstances are beyond our control."
    rick@linuxmafia.com --Paul Benoit

  16. Re: Linux vs MS Security

    Rick Moen wrote:

    ....

    >>1 (SPAM) What percentage of SPAM is transmitted by compromised
    >>Linux systems compared to Microsoft?

    >
    > I'm not sure how you'd even determine that.


    Trace the chain back to the originating IP? I suspect that the majority, if
    not all, of spam from compromised systems come from Windows systems.

    ....

    >>3 How many Linux worms/virii in the last ten years??


    A Linux virus is much less likely due to the hostile nature of the OS (to
    such programs) - most breaches are normally not by an automatic virus, but
    by a remote user initiated script once they've found a service with a hole.

    With respect to the running of viruses, here's someone's attempts at running
    (and benchmarking) some viruses [for Windows] (via wine on Linux), enjoy:

    http://os.newsforge.com/article.pl?s...30222&from=rss





  17. Re: Linux vs MS Security

    Robert Newson wrote:

    >>>1 (SPAM) What percentage of SPAM is transmitted by compromised
    >>>Linux systems compared to Microsoft?

    >>
    >> I'm not sure how you'd even determine that.

    >
    > Trace the chain back to the originating IP?


    In theory, yes. Hope you have a funding grant for that. ;->

    > I suspect that the majority, if not all, of spam from compromised
    > systems come from Windows systems.


    Yes, seems likely. I was just trying to stick to what I knew for sure.

    >>>3 How many Linux worms/virii in the last ten years??

    >
    > A Linux virus is much less likely due to the hostile nature of the OS (to
    > such programs) - most breaches are normally not by an automatic virus, but
    > by a remote user initiated script once they've found a service with a hole.


    Part of the point of my long-standing Linux virus "rants" (essays) on
    the Web was that, as a novice Linux admin, you have a lot bigger worries
    than malware -- and that Linux malware as a general category is a
    trivial aftereffect of much more basic and severe underlying
    administrative deficiencies, which logically should get your attention,
    instead.

    > With respect to the running of viruses, here's someone's attempts at running
    > (and benchmarking) some viruses [for Windows] (via wine on Linux), enjoy:
    >
    > http://os.newsforge.com/article.pl?s...30222&from=rss


    Yes. In as much as Matt Moen (the author) and I appear to be part of
    the far-flung extended Moen clan, and since we've both written about
    Linux viruses, we made a point of having dinner together during the
    recent LinuxWorld in San Francisco. He's a nice guy (and I wrote him
    fanmail when his article first appeared).

    --
    Cheers, "Due to circumstances beyond our control, we regret to
    Rick Moen inform you that circumstances are beyond our control."
    rick@linuxmafia.com --Paul Benoit

  18. Re: Linux vs MS Security

    In the Usenet newsgroup comp.os.linux, in article
    <44a5b$4328dda6$c690c3ba$27741@TSOFT.COM>, Rick Moen wrote:

    >>[Microsoft:]

    >
    >> Did they ever fix it at all?

    >
    >Now that you mention it.... Hmm, I notice that their earlier
    >http://premium.microsoft.com/support.../q163/8/52.asp page that
    >they posted in 1998 doesn't exist, any more.


    Well, it was a few years ago ;-) Besides, who is trying to run XP
    on a puny little Pentium 266? (My firewall is a 386SX-16, and I have several
    486 and early Pentiums running as servers.)

    >Page claims that NT 3.51 got some sort of hotfix, but they don't actually
    >name or link that hotfix. NT 4.0 got a fix as part of SP 4.0. Win95
    >_never_ got any sort of fix, it seems -- just as I was saying in '98.


    That's ridiculous. Of course, there are so many other ways to screw up
    a windoze box, maybe they were thinking of priorities (yeah, right).

    >> I know Novell didn't. My understanding was that they claimed there
    >> was no need to fix it, as no compiler would produce that machine code.


    >Yes, that was quite bogus. Here's the actual vendor statement, from
    >Intel's informational page:
    >
    > "Novell's network operating system NetWare/IntranetWare is not
    > affected by the invalid instruction erratum found in the Pentium
    > processor.


    That is false, but

    > NetWare/IntranetWare requires proper authentication to run
    > NLM's [sic] and applications on the server. Due to this secure
    > access, NetWare/IntranetWare is not susceptible to NLM's [sic] or
    > applications that would use the invalid opcode.


    That part is sorta true. You can't run user-land crap on a Novell server,
    and all of the CNE/CNA that I know wouldn't let a luser within ten paces
    of the server. Netware replaces DOS as the O/S, with completely different
    libraries, and so on. DOS was only used to boot the server, and could be
    (and usually was) removed from memory once the server started. There was
    a 'removedos' command to do so, freeing up memory for cache. Additionally,
    the creation of NLMs and applications that run on the server is quite
    limited (compared to DOS/Win or *nix), such that you _usually_ know where
    the binary came from and is thus much less likely to be bent. It's a form
    of 'security by obscurity' (nobody writes code for "that" old P.O.S), but
    it works to a limited extent. It certainly wasn't impossible to create a
    malicious binary - it was just a lot harder to get it installed in a place
    where it would be run. Screwing up the workstations was easy, because
    they ran DOS/Windoze with a networking shim added. Any luser could run a
    virus and wedge the workstation, but that had no effect on the server.

    Old guy

  19. Re: Linux vs MS Security

    Chuck Forsberg WA7KGX N2469R wrote:
    > Now and then I encounter a Microsoftie who claims Linux
    > is as vulnerable as Windows because there are a comparable
    > number of security patches released. Not being a security
    > guru I don't have the facts to rebut. So here are my
    > questions.
    >
    > 1 (SPAM) What percentage of SPAM is transmitted by compromised
    > Linux systems compared to Microsoft?
    >
    > 2 How does Linux compare with Windows for spyware vulnerability?
    >
    > 3 How many Linux worms/virii in the last ten years??
    >

    I was one of the first to deploy a Linux box (Slackware 1.?) with a
    cable modem and left it run for 7 years untouched; had 3.3MB of attempts
    in the auth.log, not one got in, in 7 YEARS.
    That was when Linux first came out, kernel 1.3x I think; been a long time ago.
    #include
    #DIFINE M$ = "sucks"
