Ubuntu Security: Holes Found, Holes Fixed

Ubuntu Security: Holes Found, Holes Fixed

Summary: Sorry, there's really no news here. Like all other software, Linux and Ubuntu have holes. The difference is that in open-source software the holes are patched as quickly as they're found.

SHARE:

Oh my God! There are security holes in Ubuntu 10.04! The sky is falling! Bill Gates is the maker of the one true operating system; forgive us Bill for we have worshiped at the feet of false Penguin idols. Oh please, give me a break!

Linux, like all other operating systems and software, has security holes. Always has, always will. No one ever said Linux was perfect. It's not. It never will be.

What makes Ubuntu and Linux better than most of their competitors aren't that they are flawless. It's that when bugs are found, they fixed as fast as possible and then the fixes are pushed out to users immediately. There is no monthly Patch Tuesday. If there's a significant problem, its tracked down and fixed. Period. End of statement.

That is after all, the whole point of open source. This specific process is called Linus' Law by its author, Eric S. Raymond in his seminal description of open-source software development, The Cathedral and the Bazaar. Formally, this "law" is that "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone," but if you know it, you probably know it as: "Given enough eyeballs, all bugs are shallow."

It also helps that Linux is inherently more secure than Windows. Linux is based on the design idea that it's working on a multi-user, networked systems. From its very start, it was built to deal with a potentially hostile world. Windows wasn't.

Windows is, yes even now, built on a single-user working on a solo machine model. In addition, Windows was designed to make it very easy for programs to trade data and instructions with each other. That's why it's so easy to move data from say Word to Excel and back again. The bad news is that these IPCs (interprocess communications), procedures that were never designed with security in mind.

Oh Microsoft is trying to improve security while keeping program interoperability, and it's certainly much better than it used to be. For example, Office 2010's sandbox mode is far from perfect, but it's a lot better than letting any document through your Internet door to possibly cause havoc on your PC. And, both Windows 7 and XP SP3 are far more secure than their predecessors.

That said, let's look at what went wrong in Ubuntu this time. First, there's over 30 bugs have been reported, and, yes, fixed. Some of these are serious.

For example, the Common Internet File System (CIFS), which is used to share files with Windows systems  validates Internet Control Message Protocol (ICMP) response packets. An attacker could use this to send denial-of-service (DoS) crafted packets. Mind you, if you're allowing your server to share files using CIFS over the Internet you've got more serious security problems than anything the kernel could ever do to you.

There's also yet another security hole in the Network File System v4 (NFSv4). I say "yet another," because NFS, which started life on Sun OS, Solaris' predecessor, has always had security problems. And, like CIFS, no one who knows their way around a server would ever use it without some kind of tunnel encryption over the Internet.

Actually a closer look at these so-called Ubuntu problems reveals these aren't uniquely Ubuntu's troubles at all. No, these were all Linux kernel problems. Many versions of Linux are potentially vulnerable to these problems.

And, guess what? Just like Ubuntu, the vast majority of Linux distributions, have already patched them! Seriously, if you haven't updated your Linux distribution recently, do so, and you'll be fine. It's also a smart idea to not expose network services to the Internet unless they need to be on the Internet. That's what firewalls are for after all.

Or, as Gerry Carr, Head of Platform Marketing for Canonical, Ubuntu's parent company, put it, "Zero users who installed the update are at risk first of all. Secondly, this is (more accurately was) a Linux kernel vulnerability not an Ubuntu one so not sure why we were called out. Thirdly it would have effected very few users anyhow as it was a backport kernel not the default kernel. Fourthly any reporter who wants to check out the details of an Ubuntu Security notice is welcome to check the detail with the security team. Fifthly Ubuntu continues to be an incredibly secure platform to use thanks to the efforts of the Linux security community and the openness with which we all share security notices and their details."

I couldn't have said it better myself. If you want a real Linux-related security problem to worry about, as opposed to business as usual, I suggest you look to Google's failure to monitor what gets into the Android Market. Now, this is a real problem.

Android itself is relatively secure... unless you install malware on it. Android users have trusted Google to make sure that applications on the Market aren't malware, and Google has fallen down on the job. Google does indeed need to rethink the Android Market. It's great that Android is the leading smartphone platform, but it's not going to stay there if Google lets junk onto people's smartphones and tablets.

Topics: Browser, Google, Linux, Open Source, Operating Systems, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

119 comments
Log in or register to join the discussion
  • Ubuntu Linux: The safest operating system on the planet

    I stake my reputation on it.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • So how long did they know about those holes?

      @Dietrich T. Schmitz, Your Linux Advocate <br>Common sense tells us they knew these holes existed for quite some time but never let anyone know, and I stake my reputation on that statement.<br><br>You don't fix this many mstakes in 10 minutes.<br><br>
      Will Farrell
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @Will Farrell

        "No one ever said Linux was perfect"

        yeah, no one except all the Linux zealots on this site
        nomorebs
      • Spin, lies and zealotry

        @Will Farrell
        You will not get an answer from either SJVN his fellow Linux peddler.

        But you ask a *very* relevant question. From SJVNs spin you would be led to believe that they were found and just fixed.

        But let sample a few of the vulns, shall we?

        CVE-2009-4895: Information *released* 2009-12-04; the actual assigned (initially reported) 2010-06-15. That 9 months before patch.

        CVE-2010-0435: Released 2010-11-05; reported 2010-01-27. This one 1 year and 2 months plus from reported to patched. Eew!

        CVE-2010-2066: Released 2010-05-31; Reported 2010-05-25. 10 months.

        CVE-2010-2226: Released 2010-06-18; Reported 2010-06-09. 9 months.

        These were just the first 4 of this mega vuln set. Not only does Linux/Ubuntu experience many times over the number of vulnerabilities compared to any other operating system (except OS X), they are also exceedingly slow at patching. Remember the debacle when Microsoft didn't want to commit to a 6 month schedule within 5 days? <b>How do you feel about one year and 2 months?</b>

        What we are watching here is zealots in full damage control mode and spinning faster than an F5 to try to keep the myth alive that Linux security is superior to other operating systems.
        honeymonster
      • ATTENTION

        @Will Farrell <br><br>How do you like this gem, hidden in the advisory:<br><br><i>ATTENTION: Due to an <b>unavoidable ABI change</b> the kernel updates have been given a new version number, which <b>requires you to recompile and reinstall</b> all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well.</i><br><br>Oh the joy. Not only is that OS leaking worse than a sieve and late with patches, it is also hard to patch because of the stupid ABI and requires recompiles.<br><br>Ye - what were you saying?
        honeymonster
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @ honeymonster

        Very interesting. No wonder Charlie Miller (who actually knows something about OS security) holds the view that Linux is 'no harder, in fact probably easier' to hack than Windows.

        http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/
        WilErz
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @honeymonster

        You have posted a comment based off four CVEs related to a Linux Open Source topic. CVE-2009-4895 , CVE-2010-0435, CVE-2010-2066, and CVE-2010-2226
        (Thanks to Al, Dan and Gleb for finding these bugs.).

        All of these CVE's are local exploits. Two are ranked at Medium and the other two are ranked at Low. These 4 bugs, from being reported to fix are no different than the time frames that Windows or Apple would fix a similar ranked CVE.

        If I had a PC seating in front of me and I had the indent to access that PC, an admin/user name or password means nothing. It does not matter if it is Linux, Windows or Apple.

        All OS, (Software) have bugs, or flaws.
        daikon
      • The vulns include both (local) root privilege vulns as well as remote vulns

        @daikon

        I just sampled the set by starting with the first 4.

        <i>Almost 40 vulnerabilities, which allow <b>remote</b> and local exploits, have been discovered in the Linux Ubuntu 10.04 Long Term Support (LTS) kernel</i>.
        This is the summary from the article SJVN tried to put a different spin on.

        Local exploits are almost as dangerous as remote ones, <i>especially</i> if they include the ability to gain root privileges as these ones do. Local vulns are just one browser vuln away from allowing a remote attacker to exploit it. "Local user" does NOT mean that the user has to sit in front of the computer. It means that the attacker needs to have <i>code running</i> on the computer. And that's what happens when a browser vuln is exploited. Then the attacker is a local user.

        And if you are using Firefox which is the browser with most security vulnerabilities (actually it is the <i>application</i> with most holes of <i>all</i> applications, browsers and other software) you are easy picking. Firefox doesn't have a built-in sandbox like Chrome and IE, and Ubuntu doesn't switch on apparmor for FF by default. Not that it matters much: If an attacker can get his code to run in a monolithic kernel it is game over anyway.

        <i> It?s that when bugs are found, they fixed as fast as possible and then the fixes are pushed out to users immediately. There is no monthly Patch Tuesday. If there?s a significant problem, its tracked down and fixed. Period. End of statement.</i>

        This is what SJVN wrote. Does more than a year qualify as "immediately"? Apparently there *is* a "significant problem", but it is *not* tracked down and fix. Kernel ABI are broken and patchsets need to be coordinated. I am well aware that other OS vendors also do not patch *immediately*, but that doesn't absolve SJVN from lying about this and trying to spin these vulns as if they have just been discovered and immediately fixed.

        Actually it is worse than this. If you consider the release date of these CVEs you will see that it often takes *months* for the patches to filter down through the distro ecosystem. During that time vuln information is in the open for would-be attackers to exploit. The open source model creates a systemic problem for patches: Too many interests must be accomodated, vuln information cannot be kept secret until a time when all distros are ready to patch. Consequently, some distros - like Ubuntu - will rake up risk days.
        honeymonster
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @nomorebs ...
        Whare? They all look like windows zealots here to me/
        radleym
      • another honeymonster FUD fest

        @honeymonster

        USN-1083-1 only refers to "linux-lts-backport-maverick vulnerabilities" which is the maverick kernel version running on LTS (v2.6.35.x). The default for lynx / LTS is 2.6.32.x - so these were just for backport ONLY. The LTS kernel was patched long before on USN-1000-1 dated October 19, 2010.
        ~doolittle~
    • So it's &quot;safe&quot; and not &quot;secure&quot;.

      @Dietrich T. Schmitz, Your Linux Advocate: <i>Ubuntu Linux: The safest operating system on the planet</i><br><br>Given its small market share I'd have to agree with you.
      ye
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @ye

        If you think Linux's security comes via small market share then congrats for being in 1990.

        FYI Security through obscurity is a deprecated principle.
        m4n1sh
      • Only in the minds of Mac and Linux fanboys.

        @m4n1sh: [i]FYI Security through obscurity is a deprecated principle.[/i]

        For everyone else they realize the reality of it. Even DTS acknowledge as much when he used the word "safe" instead of "secure".
        ye
    • RE: Ubuntu Security: Holes Found, Holes Fixed

      @Dietrich T. Schmitz, Your Linux Advocate
      Safe and Secure as any other OS, I would say.
      choyongpil
    • RE: Ubuntu Security: Holes Found, Holes Fixed

      @Dietrich T. Schmitz, Your Linux Advocate

      Wow defensive much? This article seems to spend so much time trying to convince us that a 1990s clone of Unix is somehow more secure than Windows.

      Even when you cut it down to a phone OS it still has holes. It's just another simple OS without modern applications, featuring clones of 1990s proprietary software and no games (unless they manage to work in WINE).

      It may suit you DTS, but most of us have higher expectations and needs ;-)
      tonymcs@...
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @tonymcs@...

        Actually, Linux IS safer than Windows. It's a question of 1960's research verses a base 1950's system design. Unix from the late 1960's benefited from the research done on Multics and what came before that system.

        Windows started with DOS, which is based on 1950's single user systems. Upgrades since then have kept the backwards compatibility. That is why Windows is still not secure, after 30 years. (And yes, I was using Windows 3.1 30 years ago.)

        For another take, go down to the local high school and ask which OS is the easiest to break into. I did, and the answer is always Windows. It's just the low hanging fruit on the internet tree.
        YetAnotherBob
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @tonymcs@...
        Linux consist of the kernel itself..
        These holes are programs within the distro itself..
        If you wish we can go by how many holes all windows programs have and count it towards windows..
        Itunes, Adobe Flash, Adobe Reader adds 199 to windows just in 2011
        Anthony E
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @ YetAnotherBob<br><br>You're about a decade out of date for consumer Windows, and ever further out of date for the business versions. Win16/Win9x was indeed based on MS-DOS, but the final version of that operating system, called Windows Me, was released in 2000. Windows 2000, XP, Vista and 7 (along with the upcoming 8) are all descendants of Windows NT, which is an entirely different operating system. Microsoft just cleverly recycled the brand and included transparent emulation of the old OS in the new one.<br><br>Windows NT was actually started in 1988 as OS/2 3.0 (or NT OS/2) by a development team who defected from DEC to Microsoft. It wasn't actually OS/2 at all, but a new, portable OS designed to run on 32-bit Risc and x86 CPUs, starting with the Mips R4000 and Intel 80386. It was designed as a multi-tasking, multi-user OS, similar in architecture to VMS, but also inspired by CMU Mach, and featuring an advanced security model using features like access control lists (in contrast to the simple mode bits of traditional Unix). However, NT was also designed to emulate Microsoft's older OSes, including OS/2 (hence the name), MS-DOS, Windows and Unix.<br><br>In charge of the NT OS/2 team was Dave Cutler, who in the 1970s/80s led the development of DEC's advanced, multi-user minicomputer operating systems, including RSX-11M and VMS. NT's design is similar in many ways to VMS, although NT is portable (written in C), whereas VMS was written in assembly. NT also incorporates ideas from CMU Mach, giving it a 'hybrid kernel' design. VMS and Mach were far more advanced than contemporary Unix variants, though Unix gradually incorporated many of their features (one of the first features to be copied from VMS to Unix was demand-paged virtual memory, added to BSD 3.0 around 1980 or so).<br><br>When Windows sales took off, Microsoft decided to add another emulation layer to NT: an extended, 32-bit version of the Windows API. IBM, fearing that this would supplant the 32-bit OS/2 API refused to agree, and so the two firms parted ways. IBM kept OS/2 2.0, which they developed into IBM OS/2, whilst Microsoft kept NT OS/2, which they developed into Windows NT (focusing on Windows emulation and leaving the OS/2 and Unix emulation subsystems in an underdeveloped state).<br><br>Open source zealots continue to spread misinformation about (NT-based) Windows, with claims that it's 'based on MS-DOS', 'started as a single user OS', 'wasn't designed for multi-tasking', 'wasn't designed to be secure', 'wasn't designed for networked environments', etc. Every one of these claims is categorically false. Whether the zealots who spread this nonsense suffer from ignorance or dishonesty isn't clear, but they clearly suffer from one or the other.
        WilErz
      • Windows 3.1

        @YetAnotherBob

        <i>I was using Windows 3.1 30 years ago.</i>

        Interesting, since Windows 3.1 was released only 19 years ago.
        daftkey
      • RE: Ubuntu Security: Holes Found, Holes Fixed

        @tonymcs@...
        another wintard who doesnt have a clue?
        frodowiz