Open Source: FOSS Security Updates vs Microsoft Patch Day

It is almost that time again. The ritual of installing Microsoft patches released on the second Tuesday of each month to fix security problems with its operating systems and software. My company will be monitoring and installing these updates again for some of our local clients this week.

It is an ironic coincidence that I have received update notices from Mandriva for software installed on my Linux PC systems as well this weekend. These updates come regularly from the upstream developers through Mandriva to Mandriva end-users.  These updates may be simple code fixes for bugs, upgrades to get new versions of software or security fixes to patch possible security problems. While looking at these today I thought it would be interesting to compare vulnerability wise what I am getting from Mandriva today with what Microsoft customers will be getting on Tuesday 14 September 2010.

First, to understand Microsoft's vulnerability code words one must know the terminology Microsoft uses and what it means. This is found in this table borrowed from Microsoft:

Rating      Definition
Critical    A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.
Important   A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.
Moderate    Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
Low         A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

Then one needs to see the Microsoft Security Bulletin Advance Notification for September 2010. In case that URL is broken or does not work for one, I created a PDF document from that page. What we see are nine "bulletins". The word bulletin is Microsoft-speak for "a problem with our code" or "a vulnerability in our code". The euphemistic term bulletin sounds urgent, no?

Then we see the various software that is afflicted with the problems requiring patches. For our purposes today I am going to ignore all but those that affect Windows 7. Why? Because I am using the latest Mandriva release and anyone using Linux on the desktop is more than likely using a recent release. Or at least a release that is newer than XP sp3 or Vista sp1. So the only fair comparison is to stick with Windows 7.

Windows 7 has three patches. These are all marked as Important which, based on the table above, means they each are "A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources." Looking at that definition again, some may wonder what the heck it really means. Essentially it is saying one's system might be compromised, also known as cracked and improperly known as hacked, if this patch is not installed. The compromise cannot be "automatic", based on Microsoft's judgement of the problem in Microsoft's code. So it likely would require one to click on a URL or open a file to create the compromise. Gee, that cannot be too serious then, right? Oh wait, it CAN be serious! So, you Windows 7 users need to make sure you get those patches.

Now I will examine the updates I am getting from Mandriva. I get a GUI popup that updates are available and have opened that in one of my desktop workspaces. However, getting a list from a GUI is problematic. Here is the list as generated from the Mandriva command line command 'urpmi --auto-update -v':

  beagle                         0.3.9        40.3mdv2010.1 i586
  beagle-evolution               0.3.9        40.3mdv2010.1 i586
  beagle-gui                     0.3.9        40.3mdv2010.1 i586
  beagle-libs                    0.3.9        40.3mdv2010.1 i586
  firefox                        3.6.9        0.1mdv2010.1  i586
  firefox-en_GB                  3.6.9        0.1mdv2010.1  i586
  gnome-python-extras            2.25.3       18.2mdv2010.1 i586
  gnome-python-gtkmozembed       2.25.3       18.2mdv2010.1 i586
  gnome-python-gtkspell          2.25.3       18.2mdv2010.1 i586
  kernel-desktop-2.6.33.7-1mnb   1            1mnb2         i586
  kernel-desktop-devel-2.6.33.7> 1            1mnb2         i586
  kernel-desktop-devel-latest    2.6.33.7     1mnb2         i586
  kernel-desktop-latest          2.6.33.7     1mnb2         i586
  kernel-source-2.6.33.7-1mnb    1            1mnb2         i586
  kernel-source-latest           2.6.33.7     1mnb2         i586
  libnspr4                       4.8.6        0.1mdv2010.1  i586
  libnss3                        3.12.7       0.1mdv2010.1  i586
  libxulrunner1.9.2.9            1.9.2.9      0.1mdv2010.1  i586
  nss                            3.12.7       0.1mdv2010.1  i586
  nvidia-current-kernel-2.6.33.> 195.36.24    3mdv2010.1    i586
  nvidia-current-kernel-desktop> 195.36.24    1.20100901.3> i586
  rootcerts                      20100827.00  1mdv2010.1    i586
  xulrunner                      1.9.2.9      0.1mdv2010.1  i586
  yelp                           2.30.1       4.2mdv2010.1  i586

These updates are better shown grouped and explained this way:

firefox

"Security issues" were identified and fixed in Firefox and Mozilla-Thunderbird. The software below relies on some functionality from Firefox and thus also needs to be updated. Technically this is not a "Linux" update. It is a Firefox update that affects some FOSS software that happens to be on my Linux desktop PC. Happily Mandriva provides for these updates in its package management system. Firefox on Microsoft Windows 7 must also be updated. But that is not shown in the Microsoft security bulletins and one cannot get that update direct from Microsoft.

  • firefox-en_GB (Why no firefox-en_US? I don't know.)
  • beagle
  • beagle-evolution
  • beagle-gui
  • beagle-libs
  • gnome-python-extras
  • gnome-python-gtkmozembed
  • gnome-python-gtkspell
  • libnspr4
  • libnss3
  • libxulrunner1.9.2.9
  • nss
  • rootcerts
  • xulrunner
  • yelp

kernel-desktop-latest

Four "vulnerabilities" were discovered and corrected in the Linux 2.6 kernel. The software below is all related to the Linux kernel and thus also needs to be updated.

  • kernel-desktop-2.6.33.7-1mnb
  • kernel-desktop-devel-2.6.33.7-1mnb
  • kernel-desktop-devel-latest
  • kernel-source-2.6.33.7-1mnb
  • kernel-source-latest
  • nvidia-current-kernel-2.6.33.7-desktop-1mnb
  • nvidia-current-kernel-desktop-latest

The words "security issues" and "vulnerabilities" are not my words. These are how the updates are described by the Linux/FOSS community. If one wants to know about the vulnerabilities and security problems as reported then these two URLs will explain the details:

http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:173 (for Firefox)

http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:172 (for Linux kernel)
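The hand grouping above can be automated. This is an added example, not code from the post or from Mandriva: it parses the columnar 'urpmi --auto-update -v' listing (keeping the names urpmi truncates with '>') and buckets each package under the advisory the post cites, using the post's own prefix rule as an assumption rather than any urpmi metadata.

```python
# Constructed excerpt of the 'urpmi --auto-update -v' listing from the post
# (names or releases urpmi truncated with '>' are kept exactly as printed).
URPMI_LISTING = """\
  beagle                         0.3.9        40.3mdv2010.1 i586
  firefox                        3.6.9        0.1mdv2010.1  i586
  kernel-desktop-devel-2.6.33.7> 1            1mnb2         i586
  kernel-desktop-latest          2.6.33.7     1mnb2         i586
  libnss3                        3.12.7       0.1mdv2010.1  i586
  nvidia-current-kernel-desktop> 195.36.24    1.20100901.3> i586
  rootcerts                      20100827.00  1mdv2010.1    i586
  xulrunner                      1.9.2.9      0.1mdv2010.1  i586
"""

# Assumed mapping of package-name prefixes to the two advisories named in
# the post; a real tool should read the mapping from the advisories themselves.
ADVISORY_PREFIXES = {
    "MDVSA-2010:173": ("firefox", "beagle", "gnome-python", "libnspr", "libnss",
                       "nss", "libxulrunner", "xulrunner", "rootcerts", "yelp"),
    "MDVSA-2010:172": ("kernel-", "nvidia-current-kernel"),
}

def parse_listing(text):
    """Return (name, version, release, arch, truncated) tuples from urpmi -v output."""
    pkgs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or something that is not a package row
        name, version, release, arch = parts
        truncated = name.endswith(">") or release.endswith(">")
        pkgs.append((name.rstrip(">"), version, release.rstrip(">"), arch, truncated))
    return pkgs

def group_by_advisory(pkgs):
    """Bucket parsed packages under the advisory whose prefix list matches the name."""
    groups = {adv: [] for adv in ADVISORY_PREFIXES}
    groups["unmatched"] = []
    for name, *_ in pkgs:
        for adv, prefixes in ADVISORY_PREFIXES.items():
            if name.startswith(prefixes):
                groups[adv].append(name)
                break
        else:
            groups["unmatched"].append(name)  # needs a human to look at it
    return groups

if __name__ == "__main__":
    for adv, names in group_by_advisory(parse_listing(URPMI_LISTING)).items():
        print(adv, names)
```

Truncated names are flagged so the operator knows to confirm the full package name with 'urpmq' before trusting the grouping.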

Okay, so what does this all mean? Are Linux and FOSS less secure and more vulnerable than Microsoft Windows 7 because there are more updates shown here? No, not really. In fact, even if I did not apply these updates and some virus authors were trying to crack Linux, my risk of my Linux desktop PC being successfully cracked is low to zero. Did you get that? I will repeat what I said, "In fact, even if I did not apply these updates and some virus authors were trying to crack Linux, my risk of my Linux desktop PC being successfully cracked is low to zero."

Some ignorant people argue that Linux and FOSS are not cracked much because Linux and FOSS are not all that popular. The argument then goes on to state that Microsoft systems are cracked often because they are more popular and this makes Microsoft a bigger target. That is absolutely false. Linux security updates, if not applied to a typical Linux desktop system, will most likely not result in that system being compromised. The converse is not true of Microsoft systems. Don't update Microsoft systems and one will definitely be at a higher risk, likely to certain, that one's Microsoft desktop system will be compromised with malware. Even then one's Microsoft PC is still vulnerable due to basic design flaws in the operating system.

Frankly, it requires much more effort to crack a typical Linux desktop PC than to crack a typical Microsoft desktop PC. Heck, even the United States National Security Agency (NSA) thinks so. This is covered in a document about its Security-Enhanced Linux a.k.a. SE Linux. This excerpt from the Introduction is telling (my comments are in parentheses):

Unfortunately, existing mainstream operating systems (meaning Microsoft) lack the critical security feature required for enforcing separation: mandatory access control (MAC) [17] (SE Linux adds this).

The document goes on to state that mandatory access control a.k.a. MAC is needed and is added in SE Linux. However, the interesting point here is that the basic structures needed to be able to add MAC are already in Linux but not in Microsoft systems. This means Linux systems already have a higher security standard "out of the box" than Microsoft. Plus, I doubt even the US NSA can get source code to any Microsoft OS without paying dearly and then signing a raft of Non-Disclosure Agreement documents.

So, go ahead and patch those Microsoft Windows 7 systems and then keep on worrying they will be cracked anyway. I think I will put off my Mandriva updates until after I take care of our Microsoft clients and their monthly "Patch Tuesday" requirements … maybe I'll update my systems in December.



Edit Sun Sep 12 21:30:41 CDT 2010: Change the first sentence in the second paragraph based on an accurate observation of the wording by a reader.


Published by

Gene A.

Gene is a "Unix Guy", network technologist, system trouble-shooter and IT generalist with over 20 years experience in the SOHO and SMB markets. He is familiar with and conversant in eComStation (a.k.a. OS/2), DOS (PC, MS and Free), Unix, Linux and those GUI based systems from Microsoft. Gene is also a follower of Jesus (forgiven, not perfect), and this does inform his world view.

10 thoughts on “Open Source: FOSS Security Updates vs Microsoft Patch Day”

    1. Heh, thanks ChoobieDoobieDoo. You are correct, ironic does not really fit. But coincidence does not convey what I was feeling at the time that happened. Perhaps it was an ironic coincidence as I was not expecting that to occur. I’ll change it to ironic coincidence.

  1. Lord save us from FLOSSies! I swear I don’t know which group is more delusional, yours or the Jobsians. At least the Jobsians get shiny iStuff for their Koolaid drinking.

    Are you forgetting the SIX YEAR vulnerability that just now got patched? Six years, and yet it was never exploited, why? Do you think a vulnerability that had been reported that could have been easily exploited on windows would have gone that long?

    Nope, it is because NOBODY CARES ABOUT YOU that is why. Linux on the server isn’t a major target because Linux server admins lock those things down tighter than a nun’s thighs, and frankly Win2K which is a dead OS has more desktop users than you. It is just simple math FLOSSies, if I write a bug for Windows I can have 100s of 1000s of bots which MAKE ME MONEY. But hey, if Linux is so secure, why not just leave a box running with no patches and no firewall and post its IP on 4chan? Put your money where your mouth is? You won’t because you WILL be pwned.

    But don’t worry, you can keep drinking the RMS Koolaid and believe next year is “the year of the Linux desktop” while Windows 7 breaks sales records and everyone carries iStuff.

    1. Thank you for reading, Kevin. Your unnecessarily snide comment is appreciated. 🙂

      No I did not forget “the SIX YEAR vulnerability” in the Linux kernel. Since you know so much about it, why not tell us all how it could be exploited? For example could someone running a GUI e-mail application on Linux just click on a URL in an e-mail message titled, oh let’s say “Here you have” and get “pwned”? Since you are an expert at all things “FLOSSie” and “Jobsian” I am sure you know. Do tell. Seriously, I have read about the kernel bug and I have my doubts about that sort of exploit. Perhaps you can clear up my doubts.

      Actually Linux servers facing the internet are a major target. Linux servers on the internet are probed constantly for open ports that may have unpatched services running. If you have ever watched the drop logs for iptables you would know that. Here is a sample from the logs on my company firewall/router from just now:

      Sep 13 12:33:56 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0c:6e:7d:4a:58:00:06:0d:4c:c8:df:08:00 SRC=221.192.199.46 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=256 DF PROTO=TCP SPT=12200 DPT=8085 WINDOW=8192 RES=0x00 SYN URGP=0
      Hmm, “SRC=221.192.199.46”, another probe from China …

      Sure some probes are looking for Microsoft servers and desktops too. But mostly they are looking for live systems to scan for open ports to exploit. The majority of the systems directly connected to the internet are not running a Microsoft OS. A high percentage are Linux based systems. Draw your own conclusions, but having had to deal with exploited Linux servers in my early IT career I already know the facts. The services running are the problem in most cases, not the flaws in an OS kernel.
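The Shorewall drop line quoted in the reply above is easy to mine for exactly the pattern it describes (one source walking many ports). This is an added example, not code from the post or from Shorewall: it parses the iptables key=value fields from constructed log lines (RFC 5737 documentation addresses, not real hosts) and reports per-source drop counts and distinct destination ports, so a scanning host stands out.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Shorewall:zone:ACTION: format quoted above.
SAMPLE_LOG = """\
Sep 13 12:33:56 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0c:6e:7d:4a:58:00:06:0d:4c:c8:df:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=256 DF PROTO=TCP SPT=12200 DPT=8085 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 13 12:34:01 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0c:6e:7d:4a:58:00:06:0d:4c:c8:df:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=257 DF PROTO=TCP SPT=12201 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 13 12:34:05 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0c:6e:7d:4a:58:00:06:0d:4c:c8:df:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=258 DF PROTO=TCP SPT=12202 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 13 12:35:10 router kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0c:6e:7d:4a:58:00:06:0d:4c:c8:df:08:00 SRC=192.0.2.9 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44132 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 13 12:35:12 router kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:0c:6e:7d:4a:58:00:06:0d:4c:c8:df:08:00 SRC=192.0.2.9 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44133 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")

def parse_drop(line):
    """Return a dict of the key=value fields for a DROP line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m or m.group("action") != "DROP":
        return None
    fields = {"chain": m.group("chain")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:  # bare tokens such as 'DF' or 'SYN' are flags, not key=value
            fields[key] = value
    return fields

def summarize(log_text):
    """Count dropped packets and distinct destination ports per source address."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f is None or "SRC" not in f:
            continue
        hits[f["SRC"]] += 1
        if "DPT" in f:  # ICMP drops carry no port
            ports[f["SRC"]].add(int(f["DPT"]))
    return {src: (hits[src], sorted(ports[src])) for src in hits}

def probable_scanners(summary, min_ports=3):
    """Sources that touched at least min_ports distinct ports: port-sweep behaviour."""
    return sorted(src for src, (_, p) in summary.items() if len(p) >= min_ports)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, (n, p) in s.items():
        print(src, n, "drops on ports", p)
    print("probable scanners:", probable_scanners(s))
```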

  2. Kevin, it’s interesting to see you here, when we “FLOSSies” are who you want to be saved from in the first place. Actually, wasn’t the six-year vulnerability more like a seven or eight year vulnerability? And how many Linux users needed to install an expensive Firewall/AV suite as a result of it?

    Go ahead and write that Windows bug, as it will be just one more to not cause me any concern.

  3. I have never understood where people can get away with saying that the possibility of Linux being hacked is close to zero. Where is the proof of these claims? Has anyone ever REALLY backed up this statement with any kind of evidence?

    1. Artremis, thank you for reading. That is a fair question. But note I did say “low to zero”, not just zero.

      I would actually like to see some proof of concept (POC) code that could take over a Linux based desktop PC from within userspace. I have followed security lists, such as SecurityFocus Bugtraq, for years and have never seen such. POC is provided even for obscure systems like Netware, HPUX and IOS on the various security mailing lists when researchers find exploitable holes on such. I guarantee there are more Linux deployments “out there” than those three systems combined. I know there are security researchers, including “bad guys”, who are looking for exploits on Linux. That is how some bugs are found and fixed. If these researchers found any bug that could allow an exploit to take over a Linux PC from a user’s desktop I would have read about it. Heck, it would be Big News so you would hear about it too.

      To say it absolutely cannot happen would be false. Further one cannot prove such a negative assertion. But it apparently is so difficult to find an exploit that can take over a Linux desktop PC from userspace, even with source code available to see, that no one can do it … at least not yet.
