[ale] Linux Fights Back in India

Bob Toxen bob at verysecurelinux.com
Sun Dec 8 23:29:42 EST 2002


On Fri, Dec 06, 2002 at 02:56:47PM -0500, Matty wrote:
> I believe more exploits have been published for Linux than
> MS this year. I am not pro MS, but a lot of analysts use
> this type of information incorrectly :(

If you are going to mention this sort of FUD, it is *really* important
to explain why it is not a statement about security...

Security exploits are classified by type and severity and how many
systems are vulnerable.  A "remote root exploit" is one where anyone on
the Internet can remotely gain root access to a connected system.  VERY
few Linux vulnerabilities are of this type and they affect few systems,
usually only those few who install some program or feature that not
many people use.

In almost all cases, this year's Linux vulnerabilities only affect someone
who deliberately uses a rarely used program at the same time a cracker
is sending a malicious file or packet.  As I recall, a vulnerability in
the "Pine" mail user agent is typical of these.  Since few people use
it and even fewer use it as root, this vulnerability affects few people.

On the other hand, there are MANY remote administrative vulnerabilities
for Windows because both IE and IIS essentially run as root and most
vulnerabilities affect at least one of these, in my opinion.  Further,
almost every Windows system runs either IE or IIS.


I think that the correct question for realistically assessing risk is:

     How often have there been remote root/admin vulnerabilities for
     Linux and Windows and for each one, what percentages of the installed
     base were vulnerable (both unhardened and hardened systems)?

     For reasonably hardened systems I'm sure that there was far more
     risk to Windows systems.

Bob Toxen
bob at verysecurelinux.com
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale