[LINK] By the numbers: Windows vs Linux security

Grant Bayley gbayley@ausmac.net
Wed, 3 Oct 2001 17:07:58 +1000 (EST)


On Wed, 3 Oct 2001, Craig Sanders wrote:

> > Unfortunately the response of the Open Source community is, as the
> > above examples illustrate, all too often to apply a quick fix and not
> > continue the process to the rest of the code base.
>
> that's not the case from what i've seen on various security & linux
> auditing mailing lists - when a particular type of hole is found, it
> is normal practice to search for similar real or potential exploits in
> other code.

I can name plenty of high-profile examples where this isn't the case at
all:

BIND (Berkeley Internet Name Daemon)
  - http://www.isc.org/products/BIND/bind-security.html
  - This codebase has been plagued with problems for years, and even the
    re-write with BIND 9 is considered by some to be a poor one.

Sendmail (mail server)
  - http://www.sendmail.org/
  - This monolithic app has had various minor and major security problems
    over the years.  A few days ago an advisory was posted about a local
    security problem that could lead to compromise of the machine.
    Despite a re-think of the security of the model over the years (smrsh,
    now a non-setuid binary), there are still common problems popping up.

rpc* (Remote Procedure Call services)
  - (implemented in various operating systems, now usually turned off by
     default and/or removed)
  - rpc* services on various operating systems have had many problems over
    the years, with many of them leading to remote system compromise.
    < 24 hours ago, ISS announced a remote-compromise that's possible with a
    particular rpc daemon on HP-UX, AIX, IRIX, Tru64 Unix and Solaris.
    The design of rpc* services has long been known to be flawed, and such
    problems demonstrate flaws in the implementations as well.

The only two examples I know of where any widespread auditing and patching
have been occurring in the open source world are with OpenBSD, whose
philosophy tends to enforce consideration of security impacts before any
software is used, and Owl, a project to create a Linux distribution using
only software components whose design (where possible) and implementation
have been audited by hand.  OpenBSD is at www.openbsd.org and Owl is at
www.openwall.com/Owl/.

Grant