Corel hurries to fix another Linux Security hole

Corel hurries to fix another Linux Security hole

Post by Truckasauru » Sun, 31 Dec 1899 09:00:00





Quote:> have you been rooted today?

> http://news.cnet.com/news/0-1003-200-1533081.html?

tag=st.ne.ron.lthd.1003-20

Quote:> 0-1533081

Yeah, if you're concerned with security, you should upgrade to
Wirus^H^H^H ndows 2000:
http://www.fsecure.com/news/2000/20000112.html
http://securityportal.com/direct.cgi?/cover/coverstory20000117.html

--
"Dear someone you've never heard of,
how is so-and-so. Blah blah.
Yours truly, some bozo." - Homer Simpson
Martin A. Boegelund.

Sent via Deja.com http://www.deja.com/
Before you buy.

 
 
 

Corel hurries to fix another Linux Security hole

Post by Drestin Blac » Sun, 31 Dec 1899 09:00:00





> > have you been rooted today?

> > http://news.cnet.com/news/0-1003-200-1533081.html?
> tag=st.ne.ron.lthd.1003-20
> > 0-1533081

> Yeah, if you're concerned with security, you should upgrade to
> Wirus^H^H^H ndows 2000:
> http://www.fsecure.com/news/2000/20000112.html
> http://securityportal.com/direct.cgi?/cover/coverstory20000117.html

battle of the URLs

http://www.cnn.com/2000/TECH/computing/01/17/win2k.virus.idg/index.html

Why would I worry about a virus that never existed outside of the authors
machine and e-mail inbox of a anti-virus company hawking it's brandnew W2K
compatible AV engine? Why would I worry about a virus that was detectable
and repairable by NAV BEFORE it was even created (think about it)!

So, let's compare. We have an exploit that gets you root over your entire OS
vs a virus, intentionally downgraded to only attack W2K signature OSes, that
has no dangerous payload and never existed in the wild. Hmm....

 
 
 

Corel hurries to fix another Linux Security hole

Post by Truckasauru » Sun, 31 Dec 1899 09:00:00








> > > have you been rooted today?

> > > http://news.cnet.com/news/0-1003-200-1533081.html?
> > tag=st.ne.ron.lthd.1003-20
> > > 0-1533081

> > Yeah, if you're concerned with security, you should upgrade to
> > Wirus^H^H^H ndows 2000:
> > http://www.fsecure.com/news/2000/20000112.html
> > http://securityportal.com/direct.cgi?/cover/coverstory20000117.html

> battle of the URLs

http://www.cnn.com/2000/TECH/computing/01/17/win2k.virus.idg/index.html

Quote:

> Why would I worry about a virus that never existed outside of the
authors
> machine and e-mail inbox of a anti-virus company hawking it's
brandnew W2K
> compatible AV engine?

Yeah, why worry about the 4000+(?) viruses that have been released for
the Windows platform, when you can simply run a virus scanner?
I'd say "because it gives you a hint about the security thoughts that
have (haven't) been made during the construction of that OS".

Quote:> Why would I worry about a virus that was detectable
> and repairable by NAV BEFORE it was even created (think about it)!

Well, show me a user that has suffered due to the security problem of
Corel Linux. Corel has already told about the problem, and I'm certain
that you can uninstall 'Corel update', if you don't want to run the
risk.

Quote:> So, let's compare. We have an exploit that gets you root over your
entire OS
> vs a virus, intentionally downgraded to only attack W2K signature
OSes, that
> has no dangerous payload and never existed in the wild. Hmm....

http://www.fsecure.com/news/2000/20000112.html:
'The most important feature of the virus is its capability to spread
under the new operating system. "Now we can expect virus writers to
include Windows 2000 compatibility as a standard feature in new
viruses", comments Mikko Hypponen, Manager of Anti-Virus Research at F-
Secure.'

The W2K virus is not interesting in itself, that is true. What is
interesting, is that the whole virus for Windows circus rolls on and on
and on... for all eternity, it seems.
Once Corel has made a patch, then that problem is done for, whereas
Windows users can add byte after byte after byte to their 'virus-
definitions' - a truly sad state.

By the way, you might want to have a look at:
http://securityportal.com/direct.cgi?/cover/coverstory20000117.html:
'How did our contestants fair? Red Hat had the best score, with 348
recess days on 31 advisories, for an average of 11.23 days from bug to
patch. Microsoft had 982 recess days on 61 advisories, averaging 16.10
days from bug to patch.'

- so it doesn't really matter where you _want_ to go today, 'cause
you'll propably have to wait for 16 days before it's secure ;-)

Neither Win* or Linux is secure out of the box - 'Corel update' is just
another example of that. If you want the best security around, you'll
probably do best with FreeBSD.

So where's your point?

--
"Dear someone you've never heard of,
how is so-and-so. Blah blah.
Yours truly, some bozo." - Homer Simpson
Martin A. Boegelund.

Sent via Deja.com http://www.deja.com/
Before you buy.

 
 
 

Corel hurries to fix another Linux Security hole

Post by Drestin Blac » Sun, 31 Dec 1899 09:00:00









> > > > have you been rooted today?

> > > > http://news.cnet.com/news/0-1003-200-1533081.html?
> > > tag=st.ne.ron.lthd.1003-20
> > > > 0-1533081

> > > Yeah, if you're concerned with security, you should upgrade to
> > > Wirus^H^H^H ndows 2000:
> > > http://www.fsecure.com/news/2000/20000112.html
> > > http://securityportal.com/direct.cgi?/cover/coverstory20000117.html

> > battle of the URLs

> http://www.cnn.com/2000/TECH/computing/01/17/win2k.virus.idg/index.html

> > Why would I worry about a virus that never existed outside of the
> authors
> > machine and e-mail inbox of a anti-virus company hawking it's
> brandnew W2K
> > compatible AV engine?

> Yeah, why worry about the 4000+(?) viruses that have been released for
> the Windows platform, when you can simply run a virus scanner?
> I'd say "because it gives you a hint about the security thoughts that
> have (haven't) been made during the construction of that OS".

Why worry? I don't. Would you worry about the 100s of exploits that have
been released for the linux platform? No, because 99.9% of them have been
fixed already. Same thing applies for any platform. I don't worry about
something that is fixed.

Quote:

> > Why would I worry about a virus that was detectable
> > and repairable by NAV BEFORE it was even created (think about it)!

> Well, show me a user that has suffered due to the security problem of
> Corel Linux. Corel has already told about the problem, and I'm certain
> that you can uninstall 'Corel update', if you don't want to run the
> risk.

Show me a user that suffered due to the virus you sent the URL for? I KNOW
you cant' cause the virus doesn't exist except in the mailbox of someone at
an anti-virus company and the virus authors system.

Quote:

> > So, let's compare. We have an exploit that gets you root over your
> entire OS
> > vs a virus, intentionally downgraded to only attack W2K signature
> OSes, that
> > has no dangerous payload and never existed in the wild. Hmm....

> http://www.fsecure.com/news/2000/20000112.html:
> 'The most important feature of the virus is its capability to spread
> under the new operating system. "Now we can expect virus writers to
> include Windows 2000 compatibility as a standard feature in new
> viruses", comments Mikko Hypponen, Manager of Anti-Virus Research at F-
> Secure.'

WOW! And this comes from mr. Hypponen (I like that, sounds like Mr. Hype! to
me). He is writing a press-release for a company that just released it's
Windows 2000 upgrade for it's anti-virus software! DOH! Can't you see
through the marketing crap?

Quote:

> The W2K virus is not interesting in itself, that is true. What is
> interesting, is that the whole virus for Windows circus rolls on and on
> and on... for all eternity, it seems.
> Once Corel has made a patch, then that problem is done for, whereas
> Windows users can add byte after byte after byte to their 'virus-
> definitions' - a truly sad state.

Gosh, once a virus is dead, it's dead too. Once Corel has made a patch, THAT
specific problem is done - but what if there is another exploit just a few
bytes of code away? Again and again, for all eternity, it seems.

Quote:

> By the way, you might want to have a look at:
> http://securityportal.com/direct.cgi?/cover/coverstory20000117.html:
> 'How did our contestants fair? Red Hat had the best score, with 348
> recess days on 31 advisories, for an average of 11.23 days from bug to
> patch. Microsoft had 982 recess days on 61 advisories, averaging 16.10
> days from bug to patch.'

> - so it doesn't really matter where you _want_ to go today, 'cause
> you'll propably have to wait for 16 days before it's secure ;-)

And how will you feel if someone exploits that security weakness during the
first 11 days? Won't matter if you have Linux or Windows - you'll be rooted.
So, for (on average) another <5 days you'll be exposed? This is what we're
really talking about, an average of less than 5 days more exposure? (mind
you, I am not 100% sold on the claims of securityportal.com)

Quote:

> Neither Win* or Linux is secure out of the box - 'Corel update' is just
> another example of that. If you want the best security around, you'll
> probably do best with FreeBSD.

perhaps...

Quote:

> So where's your point?

I made mine and neatly refuted yours. Thank you.
 
 
 

1. security fix for Linux color_xterm hole?

isd there any more elegant fix to the security hole in Linux's color_xterm
than chmod -s?
BTW, is color_xterm on other platforms affected as well? (I'm not refering
to the just recently surfaced xterm holes)
--

Institut fr Theoretische Physik  +49 30 314-24254   FAX -21130  IRC kuroi
Technische Universit?t Berlin            http://home.pages.de/~schwarz/

2. HELP: socket buffer overflow ?

3. pwdauthd pwdauth() - Source Wanted in order to fix security hole.

4. Netscape HELP!

5. Security Hole Fix?

6. csh script command line args

7. fix for HUGE SECURITY HOLE in syslog?

8. Quota Question w/Slackware96

9. Tools to fix security holes

10. Security hole fix

11. runpipe v1.2 with security hole fix

12. X security hole- how to fix?

13. Fix for /bin/login security hole.