LinuxUNIX More Vulnerable Than Windows says CERT !! 7368

This is not a new story.

We know that there are many thousands of buffer overun coding errors implemented in the 30 billion lines of Linux code. Nearly every application that uses gets(fd) instead of fgets(fd,size) is theoretically vulnerable.

There mere fact that Linux code is available for public review, and that there are numerous incentives for identifying these coding errors means that more of these errors will be found.

Furthermore, the fact that Microsoft has used court orders to prevent the disclosure of numerous published vulnerabilities, many of which have been known and uncorrected since 1997 (the release of IE 4.0 and ActiveX controls) - and the fact that none of the code for Windows is accessible without signing nondisclosure agreements which include a promise not to disclose any information without Microsoft's prior written consent - pretty much guarantees that even if 5,000 code flaws were found - that none of them would be published to CERT.

Microsoft only permits publication to CERT when suppressing a known flaw could expose them to civil or criminal liability.

Much more interesting, and more relevant, are the number of successfull attacks against Windows and other Microsoft products, most notably IE, Outlook, and Office Attachements, through the use of ActiveX controls, Macros, Windows Metafiles, and OLE-COM objects - all of which make it possible for a hacker to have a user merely preview a file or attachment, execute any code already residing on the computer, and use this code to download really nasty viruses that include robots, spam engines, virus spreaders, and even illegal surveillance and wiretaps.

Studies have shown that a Windows XP machine is likely to be sucessfully attacked by malware within 12 minutes of being connected to the Internet and used in the normal way.

This is even more vulnerable than Windows NT 4.0 which was likely to be successfully attacked by malware within 12 days.

The first rule of software security is to never download software or executable code which you cannot validate - you need to know exactly what is being downloaded, how it is being downloaded, who is providing the software, and ideally - exactly how that code is supposed to function (source code). Only an authorized administrator should move the downloaded software from the protected download area to the executable area, and the administrator should never actually conduct the download.

ActiveX controls, signed Java Applets, and Windows metafiles are all code which can be downloaded by something as simple as previewing an e-mail file or following a web site link. The certificate authority could be issued by a "trusted" CA that does not do due dilligence in validating the certificate requestors. The certificate could be obtained from a valid CA using a fraudulent credit card. The certificate could be valid, but could be a "ghost" server - which has been configured with the same public and private keys and appears to be identical to a legitimate server.

Once this code is downloaded into memory, it can be executed with no further validation - not even prompting the user. This code can then execute any library function installed on the PC - including functions to read, write, modify, rename, or hide files, functions to alter the registry, to create new users, or perform any other function that could be performed by the user on that machine.

This downloaded code, combined with the installed code, can then be used to bypbutt all security controls and download and install any type of software - without any further security checking. When well known ports such as port 80 (http) or 21 (ftp) are used, the dangerous transfer won't even be identified. Because it is the downloaded application executing this file transfer - there will be no record of it in the browser logs.

The permissions on the executable should be configured so that the executable code cannot be modified - on disk, or in memory - EVEN if it's being run by the administrator (Microsoft code can be modified both on disk and in memory).

The application code should only be run by restricted users - if there is malicious code, it will only be able to alter or modify directories and files to which the restricted user has read and write permission. (Most Windows users run applications as administrator users).

The net result is that less than 1-10th of 1 percent of all Linux systems are successfully attacked with malware - turned into robots or spammers or other hacker tools.

At the same time, less than 1% of all Windows machines will function for more than 1 year without being attacked by malware. Most of those machines that do resist attacks have been configured very much like Linux-Unix systems. Many of them ARE Linux-Unix systems (Windows is actually a client or emulation).

Ironically - the article above is an endorsement for Linux security. Nearly 5000 theoretical flaws - none of which have been successfully exploited on a true Linux or Unix system - have been corrected to prevent the possibility of buffer overflows.