PLEX86  x86- Virtual Machine (VM) Program

Linux is a SECURITY DISASTER!!!!!!!!!!!!!! 4767



In comp.os.linux.advocacy, Heather wrote on 12 Sep 2005 17:40:53 -0700

Hm...

indicates the following.


09-13 Debian vulnerabilities fixed in sound package
09-13 Fedora core for DHCP update
09-12 RedHat XFree86 update
09-12 Gentoo Python PCRE heap overflow update
09-12 Debian TDiary cross site request forgery update
09-12 Fedora core OpenSSH update
09-12 Fedora Core Evolution data server update
09-12 Fedora Core TVTime update
09-12 Fedora Core XDelta update (2)
09-12 Fedora Core slib update
09-12 Fedora core VTE update
09-12 Fedora core 3 VTE update
09-12 Debian MODSSL ACL restriction bypass update
09-10 Fedora Core Mozilla update (2)
09-10 Fedora Core Firefox update (2)
09-09 Redhat CRITICAL Mozilla security update
09-09 RedHat CRITICAL Firefox security update
09-09 Fedora Core SELINUX update
09-09 Fedora Core E2FSProgs update (2)
09-09 Fedora Core Util-Linux update
09-09 Fedora Core Unzip update
09-09 Fedora Core Subversion update
09-09 Fedora Core File update
09-09 Debian CVS packages insecure temporary files fix
09-08 Fedora Core Gtk update
09-08 Fedora Core Gtk2 update
09-08 RedHat MODERATE Exim update

This is probably enough for now, especially since I've crossed over into 09-08. Notice three things.

1. Most of these do not indicate security issues. This is probably a flaw in the website; ideally the website would indicate whether an update can do local, local root, remote, or remote root compromisation, and-other can interact to produce such compromisation. There might also be a category for subversion and-or theft by masquerading -- the only thing coming to mind here, though, is an old login hack, or an NFS hijack. (Sometimes the old ones are the best ones, though. :-) Especially on remotely accessible equipment.)

2. Most of them indicate "update" or "fix" -- which means this is a fix to the problem, not an indication of the problem proper.

3. Most of these are not Linux proper (though the sound package might be); most of these are various system utilities and-or libraries. Therefore, they aren't Linux specific.


Mixed bag, but then security bugs are like that.

Fortunately for you, TA05-221A is patched. Unfortunately, one has to ask the question as to why a JPEG buffer overflow, COM memory corruption, and Plug and Play can lead to a remotely compromisable system (with SYSTEM privileges, not merely root ones!) in the first place. (I suppose one could say Remote Desktop could -- after all, it's remote. The PrintSpooler vulnerability might also allow someone already on the localnet to do something stupid remotely.)

Even the worst case scenarios I can think up using an Apache webserver (on a suspect website, *not* on the user's own box), a vulnerable browser, a naive user, and an unaware (but adept) system administrator only suggest that the website can insert a Trojan Horse which might lead to mailspamming or some such, or completely wipe out everything in the user's account -- and if the sysadmin has various monitor logs, such as excessive traffic, he can spot trouble quickly (which means he's no longer unaware, of course).

But never mind that; everyone knows Windows is more secure than Linux anyway -- especially the viruses, snug in their new home in an infected Windows system, gaily chatting amongst themselves, resistant to eradication. In a pinch I can download a new Gentoo install stage, wipe my system, and rebuild it from scratch, *including compiles*.

Is there an option on Windows to do the same?


Hello?

-- It's still legal to go .sigless.


