Linux with a Security flaw?! Can't be???

Rogue

Linux Security Flaw

Why is it that if a security flaw comes out that affects every Microsoft OS, everybody and their damn uncle wants to spew crap about it, but when a major security flaw for Linux comes out, no one says anything?
 

iamwiz82

a lot of people here think that to be cool in the geek community, you have to hate MS. I happen to use MS software since it WORKS! I don't have to convert my test documents to rtf to be able to send it to someone in another company. MS has become a standard, for the most part.
 

DaiShan

lol did you see what site you got that off? MSnbc! actually all os'es are prone to security flaws, even linux, but in linux you can simply re-compile the kernel yourself and fix the problem, you don't have to wait for ms to come out with a patch that does a half-@$$ed job to fix it.
 

jhu

uh, this is not a linux flaw! this affects any program (windows, linux, freebsd, etc.) that happens to use zlib. get your facts straight.
 

rahvin

There is almost always a difference between a potential exploit in linux and an exploit in windows. Linux being an OPEN operating system has its code frequently audited by numerous security "experts" looking for fame. They submit potential exploits with or without code to accomplish the exploit. In the case of the zlib exploit you are referring to there was an exploit discovered in the code but at the time of release there were no known programs available to exploit the code and obtain root access. In effect the exploit was discovered before it could ever be used. In the case of most MS exploits, the exploit is discovered and acknowledged AFTER the exploit is in the wild with script-kiddie tools developed. Often you are lucky if the MS hole is patched within a month, linux is patched much quicker (longest I have ever seen is 3 days to a patch with up to a week on a major distribution).

See the difference?
 

Skyclad1uhm1



<< Linux Security Flaw

Why is it that if a security flaw comes out that affects every Microsoft OS, everybody and their damn uncle wants to spew crap about it, but when a major security flaw for Linux comes out, no one says anything?
>>



Because with Linux there is a fix out BEFORE hackers abuse it. Microsoft has told users several times (before the complaints got too loud) to wait for service packs or new products.
There is a new zlib available, and with that you can recompile X if needed, thus fixing the bug. All new releases will be without the bug.

If you buy Windows 2000 you get a CD without any service packs or other fixes, while a lot of (security) bugs have been found in the product already. If you download a Linux distribution you get a version which is totally up-to-date, including the recent fixes.
 

Elledan



<< uh, this is not a linux flaw! this affects any program (windows, linux, freebsd, etc.) that happens to use zlib. get your facts straight. >>


Yup, this is unrelated to Linux itself.

Always those damn Micros~1 fanboys spewing crap about Linux and its users :p
 

RSMemphis



<< uh, this is not a linux flaw! this affects any program (windows, linux, freebsd, etc.) that happens to use zlib. get your facts straight. >>



Actually, freebsd uses a different malloc and is therefore not affected.
I checked immediately when I heard the heads up.
 

Descartes

Ok, so this isn't a flaw in Linux itself, but zlib is inherent in every Linux system. You can criticize Windows when issues unrelated to Windows, but inherent in the platform (third-party or otherwise) cause issue?

That makes sense.
 

Descartes



<< lol did you see what site you got that off? MSnbc! actually all os'es are prone to security flaws, even linux, but in linux you can simply re-compile the kernel yourself and fix the problem, you don't have to wait for ms to come out with a patch that does a half-@$$ed job to fix it. >>



Typical. Always in reference to something MS, people will add such dribble as, "half-@$$ed." What MS patch did you apply that did a "half-@$$" job, and how did you determine that it did a "half-@$$" job?
 

mikebb



<< Typical. Always in reference to something MS, people will add such dribble as, "half-@$$ed." What MS patch did you apply that did a "half-@$$" job, and how did you determine that it did a "half-@$$" job? >>



The simple fact that a multi-billion dollar company like M$ releases a new "stable, secure" OS, then mere weeks later releases multiple patches to fix HUGE security holes speaks volumes about M$'s half-a$$edness.
 

n0cmonkey



<< Linux Security Flaw

Why is it that if a security flaw comes out that affects every Microsoft OS, everybody and their damn uncle wants to spew crap about it, but when a major security flaw for Linux comes out, no one says anything?
>>



I've seen more about this than I have about the Air Force having a sit down with Microsoft about their lack of security. And if it helps I made a thread about this as soon as I could in OS just to let people know the problem is out there. I have been doing this with most recent UNIX-related holes, *INCLUDING* OpenSSH which many people on the boards know I will defend in most circumstances.

Just imagine if someone did this for every half assed virus someone happens to create for Windows. We would see nothing but virus warnings. So STFU, the linux community (and the Microsoft community apparently) is talking about this problem, and plenty of others, quite openly. Even if you are too goddamned blind to see it or too stupid to know where to look.

This appears to affect every modern UNIX/UNIX-like system out there except Open, Free, and Net BSD. HPUX, Solaris, AIX, IRIX, and Linux admins should all update asap.

Have a great day :D
 

manly

Interestingly enough, the problem isn't limited strictly to zlib.

Here's SuSE's security announcement

And in response to the defenses of Microsoft security policy, I contend they only seem to care about security so much as it damages their business interests. For years, they've been slow and selective to updating problems on Windows operating systems. The latest PR spin that security is now job 1 at M$ came shortly after the Gartner Group advised clients that the TCO for Microsoft products is high due largely to security problems.

Furthermore, Microsoft cries about bugs in their software more than any other company, often blaming the white hats who notify them of the problem and provide a limited time window for them to react and fix the problem. You'd think that by now, they'd realize that their dominant OS position means Winblows will receive extra effort by crackers. But instead they'd rather blame everyone else for the bugs they create, and the poor security they often design in their products.

Remember, it's not a bug, it's a feature.
 

Nemesis77

zlib can (and is) be used by a lot of different programs on many different OS'es. So this isn't a Linux-flaw as such. I can't remember when (if ever) I have heard of a "real" Linux hole. The hole has always been in a third-party software (BIND for example).

And, like it was said, I haven't heard of anyone exploiting this bug yet. And that's the way it is with Linux: holes get fixed BEFORE they are exploited. In Windows, they get fixed AFTER they are exploited.

Red Hat had patches ready before the security-announcement was made. Debian had fixes available about 3 hours after the announcement, with other distros following close behind. Problem was fixed in a matter of hours, end of story.

Now, if some admin hasn't updated his systems yet, he deserves to be cracked. It would really be his own fault. In my case, plugging this hole was as difficult as typing "apt-get update" and "apt-get dist-upgrade".
 

ElFenix

the other thing is that linux is usually run by people who are knowledgeable enough to fill any hole found through some coding or jury rigging or external programs. windows, on the other hand, is usually run by people who know jack about security and barely know how to format a floppy.
 

n0cmonkey



<< linux is not as popular >>



And that has what to do with this thread? Sorry to be an ass (you may have a point about something), but I don't understand :)
 

Nemesis77



<< linux is not as popular >>



Really? It IS the second most popular server-OS in the world and the most popular web-server OS (I'm not 100% sure about that. But if it isn't the most popular, it's second most popular at least) in the world. Yet, exploits of Linux are few and far between.

For example: Windows and IIS aren't the dominant web-serving platform in the world, Apache is with about 60% market-share. And I guess the most server it runs on is Linux. Yet, IIS/Windows exploits are a common thing, not so with Apache, even when its market-share is about double that of IIS's.
 

Ulfwald

Look at it this way,

MS has to patch its flaws, otherwise you violate the software agreement.

Linux can be patched by anyone with programming skills.


MS, can take weeks or months to develop a patch

Linux, a patch can be turned out in a day or two by a bunch of super geeks working together.


Linux, a better OS.
 

manly



<< Apparently this affects some Microsoft software also! Not just Windows software in general, but some software created by *MICROSOFT*. So much for not using Open Source code. too bad Ameesh(?) isn't around to comment on this one ;) >>



Does this mean that zlib is BSD (or similarly) licensed? Any bets on how long it'll take M$ to release a fix for all affected products? :disgust:
 

tops2

linux just isn't really popular for desktops, but it's popular in other segments, such as the examples others have mentioned
 

n0cmonkey



<<

<< Apparently this affects some Microsoft software also! Not just Windows software in general, but some software created by *MICROSOFT*. So much for not using Open Source code. too bad Ameesh(?) isn't around to comment on this one ;) >>



Does this mean that zlib is BSD (or similarly) licensed? Any bets on how long it'll take M$ to release a fix for all affected products? :disgust:
>>



Thanks for reminding me, I was going to check on that. zlib license. Unfortunately it's not very descriptive and it looks like they could pull a Darren Reed if they really wanted to... But then again depending on how you read it, it could mean you can close source it without problems. *shrug*