Surprise! Most security vulnerabilities in 2014

[JSixpack]

Take note, you Chrome and Mac OS X users. Gentoo seems quite the exception in the Linux world. Big Blue!

The programs with the most security vulnerabilities in 2014 were not the ones you think

Summary: Google Chrome, Oracle Solaris and Gentoo Linux all beat Microsoft's Internet Explorer in having the most vulnerabilities last year, according to Secunia, while IBM software took 40 percent of the Top 20 places.

--http://www.zdnet.com/article/the-programs-with-the-most-security-vulnerabilities-in-2014-are-not-the-ones-you-think/#ftag=RSSbaffb68

[bendejo]

Oracle Solaris!

Never heard it called that before, had sort of a ghost of xmas past moment. I guess from a battle of the egotistical CEOs perspective it's easy to see why it turned out that way.

The x.org server one is troubling -- does it trickle down to everything that uses X, I wonder.

IBM has so many entries on that list I have to wonder if some ditz in marketing tried to get as many entries as they could, without realizing what the list was about.

No one ever got fired for buying IBM

[Chicog]

Well it will stop that bawbag driving by with his inane "Forget Windows and install Linux" rubbish.

But I don't know why "IBM Software" got singled out, because if you bring Java into the equation Oracle is a huge pain in the behind.

[AyG]

Well it will stop that bawbag driving by with his inane "Forget Windows and install Linux" rubbish.

Forget Windows and install Linux.

The mere existence of a vulnerability doesn't mean it's exploitable. The security model of Linux is vastly superior to that of Microsoft Windows. You'd be extremely hard pressed to find a successful exploit of a Linux vulnerability in the wild.

Furthermore, Linux vulnerabilities are usually patched extremely quickly - unlike those emanating from Redmond.

I have run Linux without a firewall, without any antivirus or antispyware software for more than a decade. Never, ever had any security-related problem whatsoever. Rather doubt there are many Microsoft Windows users who could say the same.

[Chicog]

Tosh. In fact Linux's position as a popular infrastructure OS makes it a big target for professional hackers.

Heartbleed, Shellshock, Ghost.... ring any bells?

[AyG]

Tosh. In fact Linux's position as a popular infrastructure OS makes it a big target for professional hackers.

Heartbleed, Shellshock, Ghost.... ring any bells?

To the best of my knowledge:

- Heartbleed: Not a single personal computer adversely affected.

- Shellshock: Some personal computers made to perform DDoS attacks to other computers, but the personal computers' data was in no way compromised.

- Ghost: No report of this vulnerability being exploited in the wild.

In other words, for the personal computer user, really not a lot to worry about.

Compare that with Windows, where malware is rampant, personal data is stolen, hard disks are encrypted and held to ransom, files are deleted, attached hardware is destroyed, MBRs are corrupted, browser traffic is intercepted and unwanted adverts displayed, &c., &c.. These problems are virtually unknown in the Linux world. Anyone who suggests that the security of Windows and Linux are remotely comparable is clearly misguided.

[Chicog]

Tosh. In fact Linux's position as a popular infrastructure OS makes it a big target for professional hackers.

Heartbleed, Shellshock, Ghost.... ring any bells?

To the best of my knowledge:

- Heartbleed: Not a single personal computer adversely affected.

- Shellshock: Some personal computers made to perform DDoS attacks to other computers, but the personal computers' data was in no way compromised.

- Ghost: No report of this vulnerability being exploited in the wild.

In other words, for the personal computer user, really not a lot to worry about.

Compare that with Windows, where malware is rampant, personal data is stolen, hard disks are encrypted and held to ransom, files are deleted, attached hardware is destroyed, MBRs are corrupted, browser traffic is intercepted and unwanted adverts displayed, &c., &c.. These problems are virtually unknown in the Linux world. Anyone who suggests that the security of Windows and Linux are remotely comparable is clearly misguided.

Firstly I didn't say they are, Windows having by far the largest market share gets most of the attacks.

But anyone that paints Linux as a completely safe operating system needs a bash on the noggin to get their head straight.

http://www.exploit-db.com/platform/?p=linux

And why you think interception of Browser traffic is a Windows only problem, I have no idea.

[AyG]

Tosh. In fact Linux's position as a popular infrastructure OS makes it a big target for professional hackers.

Heartbleed, Shellshock, Ghost.... ring any bells?

To the best of my knowledge:

- Heartbleed: Not a single personal computer adversely affected.

- Shellshock: Some personal computers made to perform DDoS attacks to other computers, but the personal computers' data was in no way compromised.

- Ghost: No report of this vulnerability being exploited in the wild.

In other words, for the personal computer user, really not a lot to worry about.

Compare that with Windows, where malware is rampant, personal data is stolen, hard disks are encrypted and held to ransom, files are deleted, attached hardware is destroyed, MBRs are corrupted, browser traffic is intercepted and unwanted adverts displayed, &c., &c.. These problems are virtually unknown in the Linux world. Anyone who suggests that the security of Windows and Linux are remotely comparable is clearly misguided.

Firstly I didn't say they are, Windows having by far the largest market share gets most of the attacks.

But anyone that paints Linux as a completely safe operating system needs a bash on the noggin to get their head straight.

http://www.exploit-db.com/platform/?p=linux

And why you think interception of Browser traffic is a Windows only problem, I have no idea.

I can't be bothered providing a detailed reply. However, do you actually understand the link you've provided?

Look at the very first item. The code includes the comment:

"I discovered this stupid bug independently on January 25, 2003, that is (almost) two month before it was fixed"

In other words, this is a list of historic bugs, quickly fixed, and with no evidence of real life exploits.

[Chicog]

Tosh. In fact Linux's position as a popular infrastructure OS makes it a big target for professional hackers.

Heartbleed, Shellshock, Ghost.... ring any bells?

To the best of my knowledge:

- Heartbleed: Not a single personal computer adversely affected.

- Shellshock: Some personal computers made to perform DDoS attacks to other computers, but the personal computers' data was in no way compromised.

- Ghost: No report of this vulnerability being exploited in the wild.

In other words, for the personal computer user, really not a lot to worry about.

Compare that with Windows, where malware is rampant, personal data is stolen, hard disks are encrypted and held to ransom, files are deleted, attached hardware is destroyed, MBRs are corrupted, browser traffic is intercepted and unwanted adverts displayed, &c., &c.. These problems are virtually unknown in the Linux world. Anyone who suggests that the security of Windows and Linux are remotely comparable is clearly misguided.

Firstly I didn't say they are, Windows having by far the largest market share gets most of the attacks.

But anyone that paints Linux as a completely safe operating system needs a bash on the noggin to get their head straight.

http://www.exploit-db.com/platform/?p=linux

And why you think interception of Browser traffic is a Windows only problem, I have no idea.

I can't be bothered providing a detailed reply. However, do you actually understand the link you've provided?

Look at the very first item. The code includes the comment:

"I discovered this stupid bug independently on January 25, 2003, that is (almost) two month before it was fixed"

In other words, this is a list of historic bugs, quickly fixed, and with no evidence of real life exploits.

That will be because it's page one of 92.

[AyG]

Firstly I didn't say they are, Windows having by far the largest market share gets most of the attacks.

But anyone that paints Linux as a completely safe operating system needs a bash on the noggin to get their head straight.

http://www.exploit-db.com/platform/?p=linux

And why you think interception of Browser traffic is a Windows only problem, I have no idea.

I can't be bothered providing a detailed reply. However, do you actually understand the link you've provided?

Look at the very first item. The code includes the comment:

"I discovered this stupid bug independently on January 25, 2003, that is (almost) two month before it was fixed"

In other words, this is a list of historic bugs, quickly fixed, and with no evidence of real life exploits.

That will be because it's page one of 92.

So I go to the very last page, to the very last "exploit". I read:

"The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.

NOTE: This issue affects Linux kernels running as guest images. "

This is a LOCAL attack.

It dates from 2011.

It only affects "Linux kernels running as guest images".

It only affects kernels with versions less or equal to than 3.1.8 - in other words it was fixed almost immediately.

Perhaps you could post some real life examples where Linux users have (as I stated previously) "personal data is stolen, hard disks are encrypted and held to ransom, files are deleted, attached hardware is destroyed, MBRs are corrupted, browser traffic is intercepted and unwanted adverts displayed, &c., &c.. - all real problems for Microsoft Windows users, yet fantasy problems for Linux users.

[Chicog]

Oh go on then, let's have a laugh.

Of course it's not on the scale of Windows attacks for obvious reasons.

At the end of 2013 security experts detected thousands of infected Linux systems all around the around. The victims’ systems were infected by an OpenSSH backdoor trojan and credential stealer named Linux/Ebury, the malware allows hackers to take control of the affected victims’ PC.

http://securityaffairs.co/wordpress/23178/cyber-crime/linux-operation-windigo-by-eset.html

Java botnet hits Mac, Linux and Windows machines

Makes infected systems unknowingly launch DDoS attacks

By Lee Bell

Tue Feb 04 2014, 16:45

http://www.theinquirer.net/inquirer/news/2326894/java-botnet-hits-mac-linux-and-windows-machines

A security firm has disclosed details on a grievous bug, called “grinch,” which impacts all Linux platforms potentially allowing an attacker administrative access to systems where they can go on to remotely install malicious applications, steal data, or perform other malicious acts of their choosing.

http://www.scmagazine.com/impact-of-linux-bug-grinch-spans-servers-workstations-android-devices-and-more/article/388689/

[dharmabm]

Wow, the only word that comes to mind is 'clueless'

sent from my slim 1+ using tapatalk

[dharmabm]

As AyG points out, most Linux vulnerabilities are patched within days (if not hours) of discovery, while Redmond and Oracle sometimes take weeks before patches are available. If you update daily or even weekly there is very little chance of a Linux desktop being exploited. If you are a server admin then you should probably lose your job if you are not on top of these issues on a daily basis.

sent from my slim 1+ using tapatalk

[dharmabm]

And why you think interception of Browser traffic is a Windows only problem, I have no idea.

Because patches are made available immediately when vulnerabilities are discovered in GNU/Linux (and we don't use IE)

sent from my slim 1+ using tapatalk

Edited March 30, 2015 by dharmabm

[Chicog]

And why you think interception of Browser traffic is a Windows only problem, I have no idea.

Because patches are made available immediately when vulnerabilities are discovered in GNU/Linux (and we don't use IE)

Which, as the report says, had less vulnerabilities than Gentoo Linux.

You said it yourself - "when vulnerabilities are discovered".

You do know they're not always discovered by the good guys, right?

[Chicog]

As AyG points out, most Linux vulnerabilities are patched within days (if not hours) of discovery, while Redmond and Oracle sometimes take weeks before patches are available. If you update daily or even weekly there is very little chance of a Linux desktop being exploited. If you are a server admin then you should probably lose your job if you are not on top of these issues on a daily basis.

If you're any kind of admin and you don't keep tabs on exploits and your network traffic, you should probably lose your job.

[Chicog]

I'll leave you tonight with a quote from the Secunia report in the OP:

But the biggest security disasters of the year were in open source software with HeartBleed, SSL and ShellShock. Secunia notes that these problems "brought attention to a previously neglected potential security issue: the use of open source applications and libraries in IT environments." It adds: "It is therefore important to be aware of which open source libraries are in use in an environment, and to have a solid mitigation strategy in place. Because the applications that use these libraries are not always patched - often, they are not even reported vulnerable."

[dharmabm]

I'll leave you tonight with a quote from the Secunia report in the OP:

But the biggest security disasters of the year were in open source software with HeartBleed, SSL and ShellShock. Secunia notes that these problems "brought attention to a previously neglected potential security issue: the use of open source applications and libraries in IT environments." It adds: "It is therefore important to be aware of which open source libraries are in use in an environment, and to have a solid mitigation strategy in place. Because the applications that use these libraries are not always patched - often, they are not even reported vulnerable."

Which all had little, if any impact on the average desktop user. Maybe I'm wrong, but isn't that what we are taking about?

sent from my slim 1+ using tapatalk

Edited March 30, 2015 by dharmabm

[bendejo]

Well it will stop that bawbag driving by with his inane "Forget Windows and install Linux" rubbish.

Forget Windows and install Linux.

The mere existence of a vulnerability doesn't mean it's exploitable. The security model of Linux is vastly superior to that of Microsoft Windows. You'd be extremely hard pressed to find a successful exploit of a Linux vulnerability in the wild.

Furthermore, Linux vulnerabilities are usually patched extremely quickly - unlike those emanating from Redmond.

I have run Linux without a firewall, without any antivirus or antispyware software for more than a decade. Never, ever had any security-related problem whatsoever. Rather doubt there are many Microsoft Windows users who could say the same.

It's not about history, it's about the future.

Sounds like someone who likes to brag "I've never been sick a day in my life!" It says nothing about what tomorrow may bring.

[Chicog]

I'll leave you tonight with a quote from the Secunia report in the OP:

But the biggest security disasters of the year were in open source software with HeartBleed, SSL and ShellShock. Secunia notes that these problems "brought attention to a previously neglected potential security issue: the use of open source applications and libraries in IT environments." It adds: "It is therefore important to be aware of which open source libraries are in use in an environment, and to have a solid mitigation strategy in place. Because the applications that use these libraries are not always patched - often, they are not even reported vulnerable."

Which all had little, if any impact on the average desktop user. Maybe I'm wrong, but isn't that what we are taking about?

Do you not consider the implications of stolen credentials to be an "impact" then?

[lapd]

Tosh. In fact Linux's position as a popular infrastructure OS makes it a big target for professional hackers.

Heartbleed, Shellshock, Ghost.... ring any bells?

Heartbleed was not an OS vulnerability. With Shellshock I think you needed access to the console to begin with.

I'm not about to suggest that Linux is 100% perfect totally secure blah blah. It most certainly is much more secure than Windows. That I can tell you with 100% certainty.

Edited April 1, 2015 by lapd