Merged: W32 Blaster Virus

[DeadKenny]

Quote:

Originally posted by BenH
And who has the largest number of patches, not including the 150 linux distros which MS loves to factor in on its FUD? And in regard to Apache (given that it mainly runs on Linux), how many patches vs IIS? AIRC the last major exploit was discovered about 18 months ago and had a working patch released within hours.

I do an update on my RedHat system every month or two and there are more updates than on Windows Update in the same period of time. Half of those RedHat updates are usually described as security fixes. It doesn't really indicate much either way though.

As for IIS vs Apache patches, I don't think IIS has needed a patch for some time, but I'm not going to argue IIS is better (regardless of who has the more patches) because I do prefer Apache myself anyway (running on linux).

The difference with patches is MS "fixes the barn door after the horse has bolted", which is part of the problem, whereas the linux community fixes it usually before it's an issue.

Or rather MS spends a huge amount of time and money regression testing so their fixes are not going to break systems and cost people a lot of money, whereas on linux they fix it and then fix those bugs, then fix those bugs, and you have to wait until someone comes up with a decent fix or you fix it yourself (that's the problem of open source, it's a "do it yourself or wait, test in production" strategy).

MS has often fixed the problem well before it's an issue but as soon as they make the problem public the kids go off and write their virus/trojans/worms knowing a lot of people don't patch. Add to that the fact their fix may be written but not tested so needs time for testing, that gives them time to write the stuff.

[darant]

I can confirm that engineers are dealing with the problem as I type.

[downquark1]

I got all the criticals windows updates from "windows update" is this patch included in the list automatically?

I'm also behind a router.

[hawkmoon]

Quote:

Originally posted by downquark1
I got all the criticals windows updates from "windows update" is this patch included in the list automatically?

I'm also behind a router.

It should be - if you go to windows update there is a link under Other Options called View installation history. Look for a security update with the number 823980 next to it. If you see it in the list then you have been patched.

[Alan Waddington]

Quote:

Originally posted by downquark1
I got all the criticals windows updates from "windows update" is this patch included in the list automatically?

I'm also behind a router.

It should have done, but it's worth checking it actually installed. Windows Update sometimes fails.

If the router is a NAT router, then you should be protected. My router is all that's currently protecting my 2nd machine (W2K), which is currently being defragged before any more updates are applied.

[BenH]

Quote:

Originally posted by DeadKenny
Or rather MS spends a huge amount of time and money regression testing so their fixes are not going to break systems and cost people a lot of money, whereas on linux they fix it and then fix those bugs, then fix those bugs, and you have to wait until someone comes up with a decent fix or you fix it yourself (that's the problem of open source, it's a "do it yourself or wait, test in production" strategy).

Oh come on, how many patches have been recalled for any one linux distro? How many patches crash the server?

I only recall one patch for SuSE 7.3 that had tro be recalled, infact I'm so confident of SuSE doing a good job that all my servers are set to automatically update. Something I would never dream of doing on one of the few remaining NT boxes. MS couldn't care less if one of their patches broke your system for a few hours, after all you cant sue them thanks to the EULA, whereas the open source community cannot dare take that attitude, and quite frankly wouldn't as they take pride in their work.

Sure one or two projects may ignore a bug report, currently there is one in gnomecanvas thats been there for 8 months giving me a headache. People are working on it but it'll take time to come through and in the meantime I can figure out a workaround. While I was writing M$ based apps, I came across quite a few bugs and was faced by a wall of silence by microsoft. They dont care, and they dont need to care, hence part of the reason for the growth of Linux.

Prehaps you should consider changing your distro, after all RH can only handle about 20-30 users at once

Regards,

Ben

[hawkmoon]

Quote:

Originally posted by BenH
Theres also the fact that as its open source its inherently more secure as the exploits are out there in the open for everyone to see and fix. As opposed to closed source which tries to sweep its mess under a carpet of secrecy.

There is no security in obscurity as any CISSP should be able to tell you.

Regards,

Ben

Yes this maybe true, but yet again most of the time it is no different to MS, the exploit can only be patched once the vunerability / bug has been detected and by the time it has been detected it is usually a little late as it has already been exploited.

Or are you trying to claim that open source software is bug free?

As Deadkenny says - I see more security updates for my Linux Distro's than I do for Windows.

There are certaily serious issues with Linux, for example IIRC samba versions between 2.0.x and 2.2.7 (I think) had a vunerability that could allow an anonymous attacker to acquire super-user rights - it took them a long-time to block this exploit as you can see with the version numbers.

There are plenty others that allow attackers to get root or super-user rights.

Boths OS's have vunerabilities and eploitable bugs.

The only advantage that Linux really has it that it is more secure out-of-the-box than Windows, but with a little work both can be made pretty secure.

The same goes for IIS and Apache aswell.

Why does it seem that every thread reduces down to the usual mine is better/bigger/stronger than yours?

Why not just agree to differ and leave it at that?It's not really worth the aggro and besides it's somewhat off topic.

Incog

[Ramrod]

Quote:

Originally posted by Incognitas
Why does it seem that every thread reduces down to the usual mine is better/bigger/stronger than yours?

Why not just agree to differ and leave it at that?It's not really worth the aggro and besides it's somewhat off topic.

Incog

....the voice of reason

[Ramrod]

Reuters

[BenH]

Quote:

Originally posted by hawkmoon
Yes this maybe true, but yet again most of the time it is no different to MS, the exploit can only be patched once the vunerability / bug has been detected and by the time it has been detected it is usually a little late as it has already been exploited.

Or are you trying to claim that open source software is bug free?

Certainly not, I do however say that Linux and its mature/Beta grade software has far fewer bugs than its closed source equivalent because of A) Its huge tester base B) The open nature of the code allows others to identify the nature of the bug and correct it if they are able and C) There is a far greater incentive for the programmer to doi a good job. With the code available for all to see, then the programmers ego could be done serious harm by bodging something together

Quote:

As Deadkenny says - I see more security updates for my Linux Distro's than I do for Windows.

How many bug fixes and security updates do those service packs hold? The fundamental difference betwen a linux security update and the windows equivalent is that in the Linux case the programmer has spotted one of their own mistakes and corrected it; whereas in MS's case its a matter of them not being able to keep the bug under wraps any longer

Quote:

There are certaily serious issues with Linux, for example IIRC samba versions between 2.0.x and 2.2.7 (I think) had a vunerability that could allow an anonymous attacker to acquire super-user rights - it took them a long-time to block this exploit as you can see with the version numbers.

Can you point me at any references for this? I've just started using Samba 3 extensively to serve as a replacement for PDC's

Quote:

There are plenty others that allow attackers to get root or super-user rights.

There are indeed, most requiring an unimaginable level of stupidity on the users part 'Just set everything in inet.d to 777' or physical access to the system; in which case your doomed no matter what your OS.

Quote:

Boths OS's have vunerabilities and eploitable bugs.

Yes they do, but for one their fixable, for the other you have to wait on bended knee for a fix.

Also could you please start differentiating between bugs and exploits, an overrun that causes X to crash is not the same as allowing code to be executed without the users knowledge.

Quote:

The only advantage that Linux really has it that it is more secure out-of-the-box than Windows, but with a little work both can be made pretty secure.

The same goes for IIS and Apache aswell.

Linux can be made obscenely secure, hence the reason the NSA and many other intelligence agencies uses it. Windows, despite MS's shared source initiative, remains replete with undiscovered and deliberately included exploits because of the philosopy of MS.

Regards,

Ben

[BenH]

Quote:

Originally posted by Incognitas
Why does it seem that every thread reduces down to the usual mine is better/bigger/stronger than yours?

Why not just agree to differ and leave it at that?It's not really worth the aggro and besides it's somewhat off topic.

Incog

Tradition?



Best,

Ben

[Richard M]

Quote:

Originally posted by hawkmoon

As Deadkenny says - I see more security updates for my Linux Distro's than I do for Windows.

Yes but all or most of the Windows flaws are problems with Microsoft software, the bugs in Linux we hear of are usually with third party software such as Apache, not the actual Linux "system".

So, if we take the amount of bugs in Windows and all third party software and compare that to the amount for Linux and third party software, Linux will have quite a few less.

You can certainly feel safer using Linux (I'm using Mandrake 9.1 right now with Mozilla) because most script kiddies will only know how to compromise a Windows system and it takes a bit more knowledge to break into a Linux OS.
Plus, you are more safe from virus and trojans.

As mentioned earlier in the thread, Linux comes pretty secure out of the box anyway, I'm not running any servers on this machine - the most important thing is making sure the system if up to date and the root password is strong.

[Lord Nikon]

Plus when a new linux kernel is released, that is what it is... new

Looking at this recent exploit that has come to light...

Affected Versions....

NT 4 circa 1995?
Windows 2000 2000
Windows XP 2001
Windows 2003 2003

So the issue has existed for 8 years accross 4 platforms..

How much legacy code do they blindly copy between versions?

[hawkmoon]

Quote:

Originally posted by BenH
Tradition?



Best,

Ben

Personally I don't really see it as a "mine is better than yours argument"

I just see the merits of both Windows and Linux - I've got both running here.

As for the advisory in Samba - you can find it here. https://rhn.redhat.com/errata/RHSA-2003-137.html

Samba versions above 2.2.8 don't have this exploit.