Fishnet Armour

Where I worked previously, the default configuration of the Sophos software was to block anything MediaPlayer did. I deleted it entirely from our images and installed VLC in its place. Now we read that there is once again a simple remote code execution exploit in MediaPlayer. Of course, when we switched to Debian GNU/Linux, I had no more sleepless nights worrying about bad guys taking over our PCs.

How many more examples do we need before we all quit using that other OS and its monstrous design?

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

27 Responses to Fishnet Armour

  1. You need to look at numbers. If the usage-base of GNU/Linux is too small to bother it is reasonable not to produce software for it. Similarly if the usage-base of some particular software package on GNU/Linux is too small, why bother. On the other hand if only 2% of users of PCs use some particular software, it is scarcely in the interests of a developer to produce a competitive work. That still leaves huge percentages of users quite happy with what GNU/Linux provides.

    I once did a class demonstrating and giving assignments to students about using five different word-processors in GNU/Linux and that other OS. At the end of the series, I asked them “Which is the best word-processor?”. The consensus was that they were all about the same and certainly not inferior to Word. They could do anything they needed to do with any of the software.

    In studies about migration to GNU/Linux this comes up all the time. Depending on the business, many businesses and organizations can migrate 80-90% of their users with no loss of functionality and no angst about applications. Unless a business is about CAD etc. they have many roles that can be satisfied with a GNU/Linux desktop with the usual applications.

  2. Richard Chapman says:

    “I thought the army of coderz would take care of this.”

    They do. Just because “Anon Delivers” says they don’t in some blog doesn’t make it so, especially when he can’t even spell.

  3. Anon Delivers says:

    “There is a distinction between vulnerabilities which allow code to be executed as a regular user and exploitations which can take control of the system.”

    The example Pogson gave was as harmless as the VLC one. Point being the Loonix ones sit and stagnate for years whereas the Windows fixes are prompt. 7 years. 7 years for a bug fix in Loonix land.

    I thought the army of coderz would take care of this.

  4. Ray says:

    “Or, like Disney/Pixar, will pay codeweavers money to fix it for them so they can run a pure GNU/Linux environment, get more performance out of their machines at less cost AND without malware.”

    No, I don’t think people would go through the hassle of using WINE, or using codeweavers.

  5. I can tell you that schools don’t have that problem. Governments don’t either. It makes no sense to keep huge fleets of PCs running that other OS if a few need a particular application not available in GNU/Linux. Do you drive a 12 cylinder car because you might want more than 4 occasionally? I have read that the average need for that other OS/particular app is about 20%. In my school it was less than 10%. One teacher needed DVD playing software.

  6. saulgoode says:

    There is a distinction between vulnerabilities which allow code to be executed as a regular user and exploitations which can take control of the system.

    My reading on the VLC vulnerabilities, while they should not be lightly dismissed, is that there was no danger of privilege escalation — a particular user’s files may have been at risk, but the integrity of the system itself was not threatened.

    Contrast that with the reporting in the article:

    ‘An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.’

    and

    ‘For businesses using the Microsoft Groove workspace sharing product, … “An attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft warned.’

    A userspace program should never be able to corrupt the operating system, regardless of the manner of exploit. GNU/Linux has on occasion experienced such vulnerabilities; however, bugs such as the VLC ones mentioned are, from a system administrator’s standpoint, not nearly as critical as those which would permit taking complete control of the system.

  7. D-G says:

    “Fortunately a vast majority of users of PCs don’t use those.”

    Oh, yes. The classic Linux excuse: “YOU DON’T NEED THAT!”

    Unfortunately one of the most asked questions on the German Ubuntu/Debian forum I frequent is:

    “I have program X on Windows, what’s the alternative Y on Linux?”

    The possible answers can be easily classified:

    – It runs with the help of Wine. (Somehow possible for age-old software, but not desirable.)
    – An alternative Y exists, but it is clearly inferior to X. (Very possible. Stop whining. STFU and RTFM. It’s free software after all! Send Patches! Blah, blah, blah …)
    – No direct alternative exists. (Very possible. Stop whining. YOU DON’T NEED THAT! LINUX IS NOT WINDOWS! Blah, blah, blah …)

    At this point the sane people will say: “**** Linux!” While the others are lost (freed from the shackles of productivity) forever.

  8. Dann says:

    “Until that happens, people using them will stick with their OSes.”

    Or, like Disney/Pixar, will pay codeweavers money to fix it for them so they can run a pure GNU/Linux environment, get more performance out of their machines at less cost AND without malware. It’s only a hack until those software vendors see the Sinking Windows Ship and the Small Expensive Apple community to know where they should be targeting. And who would put Maya on a smartphone…

  9. Fortunately a vast majority of users of PCs don’t use those.

  10. Ray says:

    No, I meant applications that some people need and want, like Adobe InDesign, good games, CAD-type software, vector drawing programs, accounting software, stuff you can buy at major retailers that works on Linux. Until that happens, people using them will stick with their OSes.

  11. If you define mainstream applications not to be applications available on GNU/Linux you are chasing your tail. OpenOffice.org, Firefox, Chrome, Android and all its apps, Apache, MySQL are mainstream and work on GNU/Linux.

  12. Ray says:

    In case you’re wondering, we don’t need any examples. We need mainstream applications that work on Linux.

  13. Anon Delivers says:

    “I guess the bad guys were unsuccessful in seven years and gave up. That vulnerability is a lot smaller than one that says “expect attacks within 30 days” (paraphrasing).”

    I could say the same about the Windows ones too. Your move.

  14. I was not writing about the buffer overflow…

  15. “If successful, a malicious third party could crash the player instance or perhaps execute arbitrary code within the context of VLC media player.”

    I guess the bad guys were unsuccessful in seven years and gave up. That vulnerability is a lot smaller than one that says “expect attacks within 30 days” (paraphrasing).

  16. I have lost sleep over that other OS. I have run hundreds of GNU/Linux systems and never been hacked.

  17. Anon Delivers says:

    “The VLC vulnerability was in code added recently to handle WebM.”

    Dude, it was there for 7 years.

  18. They have so many holes and their code is so difficult to manage that they cannot fix the holes in a reasonable length of time so we should not use their code.

  19. Anon Delivers says:

    “Who are you going to trust with your IT? Oh, and the kicker? That vulnerability affected 2008 Server! Don’t you love an OS that full of holes running servers?”

    Certainly not Linux if that’s what you’re suggesting.

  20. The VLC vulnerability was in code added recently to handle WebM.

  21. Anon Delivers says:

    Oh dear, another buffer overflow in open sauce VLC:

    http://www.videolan.org/security/sa1003.html

    And it’s been around for … 7 years? Whoa. I thought the many eyes on the codez would take care of this? Again, you’re going to get hacked Robert.

  22. “DSA-2159-1 vlc — missing input sanitising

    Date Reported:
    10 Feb 2011”

    “For the stable distribution (squeeze), this problem has been fixed in version 1.1.3-1squeeze3”

    Well, what do you know? It was fixed by
    libvlc-dev_1.1.3-1squeeze3_i386.deb 10-Feb-2011 22:41 62K

    see http://security.debian.org/pool/updates/main/v/vlc/

    Notice the date. The CVE entry is for 2011-1-20 and the fix was pushed out to Debian GNU/Linux installations three weeks later.

    How long did M$ take to fix theirs? CVE-2011-0042 was reported to M$ 2010-12-10, months ago. So, the world of M$ was running around naked in a shit-storm of malware, M$ knew about it but did nothing that helped folks for months. Who are you going to trust with your IT? Oh, and the kicker? That vulnerability affected 2008 Server! Don’t you love an OS that full of holes running servers?

  23. Anon Delivers says:

    Oh dear:

    [10 Feb 2011] DSA-2159 vlc – missing input sanitising

    Any “more sleepless nights worrying about bad guys taking over [your] PCs” Robert?

    Better get a patch going or they’ll hack your box man!

  24. Ivan says:

    You aren’t making sense here, Bobby, Microsoft patches a flaw so we shouldn’t use their operating system?

    Please explain exactly what you meant.

  25. Loonix fighter says:

    Oh and those VLC vulnerabilities were around in versions that spanned almost 7 years and used the same vector as the WMP exploit you posted. But hey, it’s nothing that those security exploits in your pet FOSS product existed for 7 years versus that WMP exploit, right?

  26. Loonix fighter says:

    http://www.videolan.org/security/sa1003.html

    And that’s not the only security vulnerability one can find for VLC.

  27. D-G says:

    Yes, your outrage is SO believable. Especially since VLC had SEVEN critical flaws in its last five minor versions up to 1.1.7 that needed fixing. ROFL.

    Does it then also hold true that GNU/Linux as a whole sucks when one finds a critical security flaw in a package installed by default? Because that NEVER happens!

    Oh, look, what’s that?

    http://www.debian.org/security/index.en.html
