Ubuntu Security: Holes Found, Holes Fixed

Sorry, there's really no news here. Like all other software, Linux and Ubuntu have holes. The difference is that in open-source software the holes are patched as quickly as they're found.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Oh my God! There are security holes in Ubuntu 10.04! The sky is falling! Bill Gates is the maker of the one true operating system; forgive us Bill for we have worshiped at the feet of false Penguin idols. Oh please, give me a break!

Linux, like all other operating systems and software, has security holes. Always has, always will. No one ever said Linux was perfect. It's not. It never will be.

What makes Ubuntu and Linux better than most of their competitors aren't that they are flawless. It's that when bugs are found, they fixed as fast as possible and then the fixes are pushed out to users immediately. There is no monthly Patch Tuesday. If there's a significant problem, its tracked down and fixed. Period. End of statement.

That is after all, the whole point of open source. This specific process is called Linus' Law by its author, Eric S. Raymond in his seminal description of open-source software development, The Cathedral and the Bazaar. Formally, this "law" is that "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone," but if you know it, you probably know it as: "Given enough eyeballs, all bugs are shallow."

It also helps that Linux is inherently more secure than Windows. Linux is based on the design idea that it's working on a multi-user, networked systems. From its very start, it was built to deal with a potentially hostile world. Windows wasn't.

Windows is, yes even now, built on a single-user working on a solo machine model. In addition, Windows was designed to make it very easy for programs to trade data and instructions with each other. That's why it's so easy to move data from say Word to Excel and back again. The bad news is that these IPCs (interprocess communications), procedures that were never designed with security in mind.

Oh Microsoft is trying to improve security while keeping program interoperability, and it's certainly much better than it used to be. For example, Office 2010's sandbox mode is far from perfect, but it's a lot better than letting any document through your Internet door to possibly cause havoc on your PC. And, both Windows 7 and XP SP3 are far more secure than their predecessors.

That said, let's look at what went wrong in Ubuntu this time. First, there's over 30 bugs have been reported, and, yes, fixed. Some of these are serious.

For example, the Common Internet File System (CIFS), which is used to share files with Windows systems  validates Internet Control Message Protocol (ICMP) response packets. An attacker could use this to send denial-of-service (DoS) crafted packets. Mind you, if you're allowing your server to share files using CIFS over the Internet you've got more serious security problems than anything the kernel could ever do to you.

There's also yet another security hole in the Network File System v4 (NFSv4). I say "yet another," because NFS, which started life on Sun OS, Solaris' predecessor, has always had security problems. And, like CIFS, no one who knows their way around a server would ever use it without some kind of tunnel encryption over the Internet.

Actually a closer look at these so-called Ubuntu problems reveals these aren't uniquely Ubuntu's troubles at all. No, these were all Linux kernel problems. Many versions of Linux are potentially vulnerable to these problems.

And, guess what? Just like Ubuntu, the vast majority of Linux distributions, have already patched them! Seriously, if you haven't updated your Linux distribution recently, do so, and you'll be fine. It's also a smart idea to not expose network services to the Internet unless they need to be on the Internet. That's what firewalls are for after all.

Or, as Gerry Carr, Head of Platform Marketing for Canonical, Ubuntu's parent company, put it, "Zero users who installed the update are at risk first of all. Secondly, this is (more accurately was) a Linux kernel vulnerability not an Ubuntu one so not sure why we were called out. Thirdly it would have effected very few users anyhow as it was a backport kernel not the default kernel. Fourthly any reporter who wants to check out the details of an Ubuntu Security notice is welcome to check the detail with the security team. Fifthly Ubuntu continues to be an incredibly secure platform to use thanks to the efforts of the Linux security community and the openness with which we all share security notices and their details."

I couldn't have said it better myself. If you want a real Linux-related security problem to worry about, as opposed to business as usual, I suggest you look to Google's failure to monitor what gets into the Android Market. Now, this is a real problem.

Android itself is relatively secure... unless you install malware on it. Android users have trusted Google to make sure that applications on the Market aren't malware, and Google has fallen down on the job. Google does indeed need to rethink the Android Market. It's great that Android is the leading smartphone platform, but it's not going to stay there if Google lets junk onto people's smartphones and tablets.

Editorial standards