# Proof that All OSes have security holes not just MS...



## gcutler (Mar 23, 2002)

Got this e-mail warning about my Redhat install. Very glad to get it, but recently there have been some who seem to feel that MS has the only OSes with Security holes. As you can see, holes occur on Linux as well. Matches my philosophy "No One Is Innocent"

==============================================

Red Hat Network has determined that the following advisory is applicable to
one or more of the systems you have registered:

Complete information about this errata can be found at the following location:
https://rhn.redhat.com/network/errata/errata_details.pxt?eid=1309

Security Advisory - RHSA-2002:262-07
------------------------------------------------------------------------------
Summary:
New kernel fixes local denial of service issue

The kernel in Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 are vulnerable to
a local denial of service attack. Updated packages are available which
address this vulnerability, as well as bugs in several drivers.

Description:
The Linux kernel handles the basic functions of the operating system.
A vulnerability in the Linux kernel has been discovered in which a non-root
user can cause the machine to freeze. This kernel addresses the
vulnerability.

Note: This bug is specific to the x86 architecture kernels only, and does
not affect ia64 or other architectures.

In addition, a bug in the maestro3 soundcard driver has been fixed as well
as a bug in the xircom pcmcia driver network driver and the tg3 network
driver for Broadcom gigabit ethernet chips.

All users of Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 should upgrade to
these errata packages, which are not vulnerable to this issue.

Thanks go to Christopher Devine for reporting the vulnerability on bugtraq,
and Petr Vandrovec for being the first to supply a fix to the community.

References:
http://online.securityfocus.com/archive/1/299687/2002-11-11/2002-11-17/0
------------------------------------------------------------------------------


----------



## MarkA (Mar 23, 2002)

I don't think MacOS X has had any security holes, nor has the OS it's based on - FreeBSD. Not sure though.


----------



## James_F (Apr 23, 2002)

Come on Zac, you know better than to say that. Its runs Apache and has software running on it. Of course it has security holes.


----------



## gcutler (Mar 23, 2002)

I changed the title of the thread, to be more accurate in my theory as the e-mail proved that OSes other than MS have holes, not ALL oses have holes. But I back up james' statement in reply to Zac...


----------



## gcutler (Mar 23, 2002)

> _Originally posted by Zac _
> *I don't think MacOS X has had any security holes, nor has the OS it's based on - FreeBSD. Not sure though. *


Thats like saying it has no bugs (nothing is bug free or security hole free). Chances are, no Security Holes found YET!!!


----------



## Mark Holtz (Mar 23, 2002)

We just finished some upgrades on our FreeBSD systems just to address security issues.


----------



## MarkA (Mar 23, 2002)

Okay, guess I was wrong. I just heard it somewhere. Still, I'm sure there are OSes with no security holes around (likely also ones with very little functionality)


----------



## Rick_EE (Apr 5, 2002)

It all has to do with the size of the target. Security holes exist. MS is easily the biggest target, so those are the first and most likely to be exploited.


----------



## gcutler (Mar 23, 2002)

Not only Biggest, but most hated. IBM has similar set of server products that run on NT/2000 with a very large population, but at least now a days, people rather try and exploit MS than IBM sw. But IBM would be in same situation if they became the biggest target on the playing field.


----------



## lee635 (Apr 17, 2002)

Here's one of my favorite stories. I was at a SANS computer security conference several years ago. And the microsoft class was just huge, in one of those giant hotel rooms, with a big powerpoint slide behind the speaker, and an elaborate speaker system so you could hear in the back. And the guy was just racing through all the various exploits. And this one is a known problem but there is no fix out yet, and so on.

Then, I walked over to the Novell meeting and there were like two dozen people sitting in a circle and the leader was saying, well be sure to lock up your server, keep your patches up-to-date, and don't share passwords.

Poor Novell -- great engineers, just MS marketed them out of the business by sheer volume of advertisments and marketing blitzes.


----------



## gcutler (Mar 23, 2002)

Actually Novell may have used their own quality against them. I used to work for a Training company that did MS and Novell classes. And when we would talk to Novell people using 3.x or 4.x, their answer to upgrades as "Why bother, my system is working perfectly. I reboot once a month just to be safe." Y2K was probably their only required upgrades many had applied in months (at that point). While most MS users always want the next version because there is always something they need in it, or it will fix 20 problems in one shot.

I sometimes shake my head at the logic of this, but having lived thru it I know much of it is true


----------



## lee635 (Apr 17, 2002)

Yeah, I have a freind in the industry who joked that Novell should have a commercial where it's maybe 5 years ago and some engineer is installing a novell server and he tapes a note over the off button that says "Do not turn off", then show the server getting dusty, and show all the new equipment coming in to run the latest MS whatever. Then show the novell server get knocked on its side and pushed into the corner. Then show that 5 years have passed and have a bunch of techies run into the server room and try to figure out why the network is down, and the MS engineer comes in and says it's this or that, and someone notices that file and print sharing is still up. Then the big boss walks in and asks what's going on and the MS guy says "I've got file and print sharing up" but it could be sometime before anything else works.


----------

