lucky13
Group: Members
Posts: 1478
Joined: Feb. 2007 |
 |
Posted: June 13 2008,11:28 |
 |
Layers...
First layer, kernel. Linux is just a kernel. It has its own set of security issues, just like any other complex, complicated set of code known as an operating system. Check the changelogs and security advisories and patches (such as novmsplice).
----------------------- edit ----------------------------------
I just remembered that grsecurity recently had this note about the problem of transparency and openness in 2.6:
"Due to Linux kernel developers continuing to silently fix exploitable bugs (in particular, trivially exploitable NULL ptr dereference bugs continue to be fixed without any mention of their security implications) we continue to suggest that the 2.6 kernels be avoided if possible."
http://www.grsecurity.net/news.php
------------------- end edit ------------------------------------
Above that in the next layer are all the utilities that make the kernel useful. Those, too, have vulnerabilities that affect security. Just because they're used in Linux/Unix doesn't make them any safer than if they're used in any other OS (including Windows).
The next layer includes userland applications. Some of these are very complex sets of code and with that complexity they're more susceptible (exponentially?) to security breaches. For example, Firefox and Open Office are among the larger and more complex applications made available in many Linux distros. Both of these applications have long histories of security problems and often have made new security releases within days of previous releases. Both, of course, are also available for other operating systems. It's not the OS -- the first two layers of kernel and utilities -- that's responsible for these security issues. It's all the interrelated pieces of the complex puzzles such as libraries used, as well as the way those are implemented in the whole scheme of things, that's problematic. Especially today with the increased risk of cross-scripted attacks that take advantage of holes in "Software A" to do something else with "Software B" to compromise a system running on "Operating System C." These attacks often transcend OS. (edit - see below)
You're not inherently safer using Open Office or Firefox in Linux than you are in Windows or OSX. The same issues plague the same software without regard for OS. The degree of severity can vary from OS to OS, especially if run as root (don't do that!!) and thereby having full system access.
Security is a function of a lot of things and the weakest link is always the user -- not the OS. The OS can make it easier or more difficult to be secure, but the OS is NOT your security blanket. Blindly trusting an OS as a security measure is folly.
Edit 2: from my pwn2own collection:
"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he (Macaulay) said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."
http://blogs.zdnet.com/security/?p=993
--------------
"It felt kind of like having a pitbull terrier on my rear end."
-- meo (copyright(c)2008, all rights reserved)
|
.
DSL Market ,
Great VPS hosting provided by Tektonic
