Re: Of mice and men
- From: "Richard" <riplin@xxxxxxxxxxxx>
- Date: 10 May 2005 13:25:39 -0700
> With Windows there is a small finite number of configurations.
> You have either a very strange idea about combinatorics, or a very
> strange definition of "small".
The reason that it is relatively small is that Windows software cannot
be recompiled by the user. Thus for a particular module the exact byte
layout will be as Microsoft issued it, either an original issue, or a
later patched version.
> *not* "especially true of buffer overruns".
The reason that buffer overruns work is that the data sent overlays
areas outside the buffer. Random bytes written to random variables will
most likely just crash the system. Getting specific values into
particular places may allow code to run which will be malicious.
With Windows there is a small finite number of variations of each
module so a particular set of data when overrunning a buffer has a good
chance of working by finding it is in a module that has the correct
layout.
With Linux it is likely that many different distros or versions are
different enough even if it hasn't been recompiled. Just one byte
difference in an address can prevent the overrun working. This means
that a particular buffer overrun is more likely to be in the 'crash the
program' case rather than the 'malicious code' case.
Both cases show up as 'exploits', and probably as dozens of reports,
but the impact on _security_ is rather different for the two cases.
> What distribution was immune to CAN-2004-1137 ?
""" ... to cause a denial of service or execute arbitrary code ..."""
> those apply to all the machines running that kernel version
No. That is not true:
"""- the IGMP/IP networking module responsible for network level
operation,
that is only compiled into the kernel if configured for multicasting,
"""
"""You can check if your configuration is vulnerable by looking at
these
files:
/proc/net/igmp
/proc/net/mcfilter
if both exist and are non-empty you are vulnerable!
"""
All mine are not vulnerable. You will also note that it is primarily a
problem if _local_ programs are run to exploit this. Remote attacks
will only cause DoS by using up CPU time.
Buffer overruns on Windows have been exploited to load malicious code
remotely via, say IIS.
The security impact of loading malicious code is much more significant,
and is much more likely to be successful with Windows because there are
only a small number of possible alignments: maximum of one for each
version issued by Microsoft, and these can be determined.
> Security by obscurity is not a defense.
That is what OSS say about closed source ;-)
But, in fact, it is how vaccinating a population works. If a large
part of the population is vaccinated then this also protects most of
the unvaccinated part. In a self-replicating virus those machines that
merely suffer a DoS will not be passing it on to others.
> Linux has security advantages over Windows, but they are not
> inherent; they're a matter of security posture.
It also helps by not being a monoculture.
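As an added example, not part of Richard's post or of the advisory he quotes, the check the advisory describes written as a shell function that takes the /proc root as a parameter so it can be exercised against a constructed directory tree before being pointed at the real /proc; the name `igmp_check` and the `procroot` parameter are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the quoted advisory's
# criterion for CAN-2004-1137 -- "if both exist and are non-empty you are
# vulnerable" -- against a /proc root given as the first argument.
# Exit status 0 means "affected per the advisory", 1 means "not affected".
igmp_check() {
    procroot="${1:-/proc}"          # hypothetical parameter; defaults to the real /proc
    igmp="$procroot/net/igmp"
    mcf="$procroot/net/mcfilter"

    # Neither file present: multicast support was not compiled into this kernel.
    if [ ! -e "$igmp" ] && [ ! -e "$mcf" ]; then
        echo "no multicast support compiled in (neither file present): not affected"
        return 1
    fi

    # -s is true only when the file exists AND has non-zero size, which is
    # the "exist and are non-empty" test the advisory asks for.
    if [ -s "$igmp" ] && [ -s "$mcf" ]; then
        echo "$igmp and $mcf both present and non-empty: affected per advisory"
        return 0
    fi

    # One file missing or empty: the advisory's condition is not met.
    echo "multicast files present but at least one missing or empty: not affected per advisory"
    return 1
}
```

Run it as `igmp_check /proc` on the machine in question; the function only reads the two files and changes nothing.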