Two Thirds of a Vulnerability Fixed per Day Implies Many Thousands of Vulnerabilities Waiting to be Exploited

Well, another “Patch Tuesday” approaches with 22 serious fixes since the last batch, one month ago. That works out to roughly 2/3 of a bug fixed per day. If Microsoft is fixing bugs at that rate, how many are the bad guys finding per day? It could be dozens. Windows “7” has been around for about two years, 24 months. Hundreds of serious bugs have been fixed in that time, and many of them were present on Day One, just waiting to be found. We could have years more of this bug-fixing and many hundred more exploits to go before “7” is given a decent burial.

In the last month on my Debian systems, 8 packages had “several vulnerabilities” fixed, and many of those were packages unlikely to be used on a desktop system. They are fixed in a couple of minutes by running a simple command, and my whole system is tightened up, not just the OS, because the distribution's repository carries the applications as well.

Use GNU/Linux and have more peace of mind about your IT system.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

24 Responses to Two Thirds of a Vulnerability Fixed per Day Implies Many Thousands of Vulnerabilities Waiting to be Exploited

  1. oldman says:

    “How typical.”

    Yep just like the SQL injection attacks that took down the linux sites IMHO.

    I also note that the OS was not compromised, but the app was.

    Just like the SQL injection attack.

    But of course you will make excuses for the Linux sites with their “free software” and lambaste Microsoft.

    Double standard? I think so.

    And the moral of the story Mr. Twitter is….

    No system is truly secure.

  2. oldman says:

    “It’s funny how you shifted the conversation, oldman, to avoid the obvious problems of non free software. Google proved that Microsoft keylogs users and sent the information back to themselves to scrape Google results. We don’t know what other use Microsoft makes of their keylogging, but this is the very definition of being 0wned. Non free software always has this kind of power over users but it is rarely proved this way. Unable to answer this common sense demonstration of insecurity by design, oldman calls it “ideological bushwash” and pretends gnu/linux has the technical weaknesses of Windows.”

    As usual, Mr. Twitter, you are hearing what you want to hear, filtered by your ideological blinders. What I actually said is something that anyone who is involved in a large enterprise knows, because it has been drummed into them by their security spooks.

    No system is ever truly secure.

    I can appreciate how this may upset you as you have apparently never worked in IT, and certainly not in Enterprise IT. So let me tell you how it works:

    All of our servers are behind multiple firewalls.

    All of our servers are running firewalls.

    All of our systems are monitored by intrusion detection.

    All Line of Business applications are subjected to a security review that includes a pen test. All security issues must be mitigated. If the security issue is serious enough, the application will not be allowed to go into production, and may even be scuttled. We have done this with applications on both Windows and Linux.

    That is the way it is done in the real world. That is the context from which I spoke.

    “Only Windows needs a box running other software between it and the internet. I’ve been serving myself and my neighbors for nearly a decade without ill effects, thank you. The only “firewall” I’ve required is a reasonable choice of packages. ”

    So you are telling me that you do not keep your system up to date, that you are directly attached to the internet, and that you leave all your ports open. Is this correct, Mr. Twitter?

    “Windows needs firewalls because it’s poorly documented and non free”

    Yes windows is indeed proprietary software, but poorly documented?

    Really?

    You may want to check out technet.microsoft.com Mr. Twitter because the presence of this web site with its copious documentation and piles of sample code makes that statement look pretty silly.

    In comparison, I am reviewing the official Red Hat Enterprise Linux 6 documentation. It is about the best there is out there for a Linux distro, and it doesn’t have a quarter of the information that is available in TechNet.

    And we pay quite a bit of money for RedHat support.

  3. twitter says:

    A funny thing happened on the way to the Microsoft Security and Safety Center, it started spewing malware and porn. What’s really funny about this is how it came just days after Microsoft was bragging about how smart they were and how dumb users of other software are.

    [John Howie] told Britain’s Computing magazine that unlike RSA or Sony, Microsoft was extremely unlikely to be hacked by an advanced threat. “Sony was brought down because it didn’t patch its servers, it ran out of date software, and it coded badly. These are rookie mistakes,” said Howie. He likewise labeled RSA being exploited by a social engineering attack as a “rookie mistake.”

    How typical.

  4. twitter says:

    It’s funny how you shifted the conversation, oldman, to avoid the obvious problems of non free software. Google proved that Microsoft keylogs users and sent the information back to themselves to scrape Google results. We don’t know what other use Microsoft makes of their keylogging, but this is the very definition of being 0wned. Non free software always has this kind of power over users but it is rarely proved this way. Unable to answer this common sense demonstration of insecurity by design, oldman calls it “ideological bushwash” and pretends gnu/linux has the technical weaknesses of Windows.

    “Attach your linux box directly to the internet drop your firewall and stop patching then see how long you last before you are pwned.”

    Only Windows needs a box running other software between it and the internet. I’ve been serving myself and my neighbors for nearly a decade without ill effects, thank you. The only “firewall” I’ve required is a reasonable choice of packages. Windows needs firewalls because it’s poorly documented and non free, so users must affirmatively try to stop software from answering network requests by closing ports that may or may not be listening. That’s a cluster of ignorance, greed and malice gnu/linux users don’t have a problem with. I keep up with security updates, thanks, it’s really easy with free software because my distribution handles everything. Every now and then, I run an apt-get update and apt-get upgrade. This never causes me the heartache or system breakage that I see people suffer in the Windows world.

  5. oiaohm says:

    oldman
    “Nope. It shows that I understand that the firewall and continuous patching are requirements of defense in depth for ANY system.”

    No, it’s your lack of understanding. Windows’ default firewall and other security settings are still weak.

    The issue here is that I would prefer the reverse: a system that comes out of the box bolted down so tightly that you have to reduce settings. This leads to a more secure network.

    Reason: you don’t have a security hole just because you forgot to do something.

    “The requirements of your environment and your applications will dictate the OS that you get to support, and you WILL support it whether you like it or not.”

    I know this, and it’s false for Linux. Now we are debating security of the OS. That you are forced shows a security weakness in itself.

    Even so, applications dictating the OS is a sign of lack of competition in the market, which equals weaker security.

    There are very few Linux applications that cannot be run under freebsd or solaris. Even to the point with debian that I can boot between the freebsd and linux kernels. Mostly these days the only OS that I am forced to use is Windows. I am not forced to use Linux.

    I choose to use Linux over FreeBSD, Solaris, AIX and other Unixes that can run Linux binaries. To be an official modern UNIX since 2002 you have to have Linux syscall support for a particular list of syscalls that covers over 90 percent of all Linux applications in existence. The under-10 percent are direct kernel control applications that are not client facing, and hardware driver control software.

    Only thing that can dictate use of Linux over the others is not applications but the hardware the server is made from or is controlling.

    So even if Linux did develop a major security glitch in the kernel, I do have other kernels to use, in some cases not related in any way, shape or form.

    Linux and the Posix world is many times ahead of the windows world.

    Lack of viable competition is a major problem with Windows. So Microsoft is not required to take security seriously. The closest thing I have to a true Windows competitor is http://www.reactos.org, which is majorly underfunded. I guess, oldman, for a heavy Windows user you have not invested any money in making competition so that security on Windows has to be taken seriously.

  6. oldman says:

    “Yes, “service” I believe is the correct word.”

    Snark doesn’t constitute debate Mr. Chapman, but I guess that childishness is all you are capable of.

  7. Richard Chapman says:

    Yes, “service” I believe is the correct word.

  8. oldman says:

    One of the many services that I offer, Mr. Chapman.

  9. oe says:

    It’s really very simple. I have found in my own experiences with workstations and (admittedly small scale) servers that Linux has proven time and time again, even though it was picked up as the “fallback” solution until the last 5 or so years, to be easier to set up, easier to maintain and keep secure, and yet comes with admittedly unpolished but nonetheless powerful and high quality apps (under the hood). About 75-80% (if not more like 90%) of the folks who have brought hardware to me for the no-cost fix and who are willing to try have roughly the same opinions after some months of use of it.

  10. Richard Chapman says:

    Thank you “oldman” for being yourself.

  11. oldman says:

    “Every system has flaws, every system needs to be patched and every system needs to be protected does not equal every system is as atrocious as Microsoft’s.”

    This cuts both ways, Mr. Chapman. As a user of BOTH environments, it is my assessment that no amount of security inconvenience, real or imagined, can make up for the atrociousness of the Linux desktop and the mediocrity of FOSS.

    “I’ll believe what the past six years using GNU/Linux have given me over what all the previous years using Windows have taught me: Only a fool asks for more of the same hardship.”

    I actually would agree, Mr. Chapman, had I actually HAD hardship, Mr. Chapman. In comparison I could cite you examples of how working with Windows based commercial tools have move

    “My helpers didn’t fail me on this last workday of the week. They came to my aid and proved my points with their individual brands of Microsoft proprietary zealotry, arrogance, blind obedience and disdain for anything Free.”

    As usual, Mr. Chapman, when faced with having a real debate, you wimp out, declare victory and run home. Not that this is surprising; you have always played games with us. I especially like the “don’t put words in my mouth” gambit that you regularly resort to when people do for you what you appear to be too weaselly to do: say it straight.

    Nice.

    Now that we have that out of the way….

    – You have yet to answer how your free zealotry is any better than my so-called proprietary zealotry.

    – You have yet to substantiate that I am obeying anyone but my own master( actually I do but she hates computers 😉 )

    – And you have yet to substantiate how I have disdain for anything free. Actually, Mr. Chapman, I also know what the four freedoms are. You may wish to check them out.

    http://en.wikipedia.org/wiki/Four_Freedoms

    You see, Mr. Chapman, these are the TRUE four freedoms, the ones that I grew up with and truly respect. These are the ones that count for me. Perhaps this is unfair of me, but in this context I view Mr. Stallman’s “four freedoms” with probably even more disdain than you have for Microsoft.

    “There, I foisted some labels on them. And I even borrowed some of their words to do it.”

    Ah, Chappie, you ARE funny!

  12. Richard Chapman says:

    “Frankly, Mr. Chapman, it’s hardly worth the effort. You have more than proven that your hatred of Microsoft has blinded you to the realities of staying secure on the internet regardless of what system you’re running. Believe what you want. Reality says otherwise.”

    I’ll believe what the past six years using GNU/Linux have given me over what all the previous years using Windows have taught me: Only a fool asks for more of the same hardship.

    Every system has flaws, every system needs to be patched and every system needs to be protected does not equal every system is as atrocious as Microsoft’s.

    Contrarian, you can toss “paranoid” in with “hatred”’s coffin for a double funeral. Those are just some of the common words the Shills, Astroturfers, and TEs throw around hoping they will stick. If you don’t like the label, then don’t wear it. By the way, transparency is one of my goals. That you seem to be using the word disparagingly suggests you have something to hide. Just saying.

    Joseph Goebbels would have gone weak-kneed and slack-jawed at the whole of the present day Western World’s marketing machine. Although he would have been particularly intrigued at Microsoft’s ability to sell the same junk to the masses over and over again.

    My helpers didn’t fail me on this last workday of the week. They came to my aid and proved my points with their individual brands of Microsoft proprietary zealotry, arrogance, blind obedience and disdain for anything Free. There, I foisted some labels on them. And I even borrowed some of their words to do it.

  13. oldman says:

    “If the only way you can beat Linux is to weaken its defaults, that really shows a major issue with Windows, oldman.”

    Nope. It shows that I understand that the firewall and continuous patching are requirements of defense in depth for ANY system.

    You can argue from now until doomsday about the relative security postures of OS’s, but in the end it’s all bushwah. The requirements of your environment and your applications will dictate the OS that you get to support, and you WILL support it whether you like it or not.

    In my personal case, my application requirements dictate the OS that I use. If I wish to use the applications, I accept the maintenance requirements of the OS that supports them. In either case, the requirements of defense in depth security then follow from the OS. Software must be updated, and firewalls maintained, in addition to sitting behind a NAT firewall router. They are not so onerous as to make me question using the application.

    Even if they were, they are part of the cost of doing business.

  14. oiaohm says:

    oldman, let’s forget the stop-patching bit. Why drop the firewall?

    This is the thing: most Linux distributions come out of the box with half-decent security settings. Notice I said half-decent.

    There is a more important question: how simple is it to keep a system up to date? Linux in a lot of cases is way simpler due to the central repo system.

    Most major Windows security breaches trace back to the fact that third-party software like Adobe Reader, Flash and so on is not up to date.

    Linux has got many things critical for security right.

    If the only way you can beat Linux is to weaken its defaults, that really shows a major issue with Windows, oldman.

    Microsoft has the default security bar too low.

    Yes, one of Linux’s weaknesses for third-party software is that there is no neat system for them to integrate into the great model most distributions have.

  15. oldman wrote, “Attach your linux box directly to the internet drop your firewall and stop patching then see how long you last before you are pwned.”

    I’ve actually done that. Most of the GNU/Linux PCs at my previous employer had no firewall running, except that they were behind a router that did. PCs running that other OS would catch fire in minutes that way.

    see From honeypot to bot in minutes

    “During the experiment’s run, both the PC running XP SP1 and the Mac saw about 340 attacks per hour. However, none of the attacks against the Mac amounted to anything, while the PC was successfully compromised nine times during the two-week experiment. The PC running SBS was hit 61 times per hour, and was ultimately hijacked. The machines with firewalls and the Linspire box saw fewer than four attacks per hour, none of which were successful. There’s nothing like going for the low-hanging fruit.”

  16. oldman says:

    “The biggest bug in Windows is a lack of software freedom which allows Microsoft to spy on users themselves instead of allowing the community to tidy things up.”

    Typical ideological bushwah. I’m sure that it took a lot of thought on your part to come up with this one.

    Tell you what, Mr. Twitter. Attach your Linux box directly to the internet, drop your firewall and stop patching, then see how long you last before you are pwned. Perhaps you will last a small bit longer, but you will be pwned in the end.

    “People who use non free software will never have real security.”

    And people who are on the internet who think that using one particular OS gives them real security will never have it either.

  17. twitter says:

    The biggest bug in Windows is a lack of software freedom which allows Microsoft to spy on users themselves instead of allowing the community to tidy things up. Google’s Bing Sting shows us that Microsoft is watching the keystrokes of ordinary users, so everyone who uses that system is at Microsoft’s mercy. Microsoft’s shining, and gnu/linux using, partner Facebook’s owner famously called his early Harvard student users “dumb fucks” for trusting him. We can be sure that Bill Gates thinks the same things about his users, especially the ones who think the parade of bugs and exploits will ever end. Microsoft has always made meaningless security promises, with the most absurd one being the claim that Vista was the most secure OS ever. People who use non free software will never have real security.

  18. Yonah says:

    “Joseph Goebbels would have been humbled”

    Wow. Really nice Godwin, Richard. Way to “raise the bar” on the quality of the debate and discussion around here. We need more like you to lead the way.

  19. oiaohm says:

    oldman
    “Actually I have more peace of mind having a defense in depth that combines multiple layers of security. Running Linux does you no good if your web site gets pwned by a SQL injection attack.”

    True and False. Linux provides you with more options to reduce the damage from a SQL injection attack. Of course those who don’t use them are no better off.

    http://wiki.postgresql.org/wiki/SEPostgreSQL_SELinux_Overview Just because a section of a website can be SQL injected does not mean it will work if the security on the system was set up right. PostgreSQL 9.1 has this feature as a mainline feature on Linux. Yes, using this can restrict what calls can do what.

    Combined with http://code.google.com/p/sepgsql/wiki/Apache_SELinux_plus . You have security tracking right from when the user enters the site. So this way you can setup that if a user is not logged in they cannot alter records. Even better that the user unless assigned admin cannot alter all records only the ones that user created. Even better selinux can even restrict locations that admin users can login from. So password cracking can be out.

    Yes, a person might be able to SQL inject, but what good does it do them if they can only alter the data they provided? Of course that is only true if you are taking advantage of what Linux offers.

    Yes, there are reasons why Java and PHP sites don’t need sandboxing code like .NET on Linux. If the system is set up right they are already sandboxed. Of course there are prototype ways to send messages to SELinux from Java and PHP websites to provide stricter controls, i.e. set the context to “adding records” and injected attempts to delete are not going anywhere.

    Notice the protection starts from the kernel up.
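
The point made in the comment above, that a SQL injection bug and the damage it can do are two separate things, as an added example that is not part of the original post or thread and is not SEPostgreSQL code. It uses Python's sqlite3 module, with its per-connection authorizer hook standing in for the kernel-level SELinux policy the comment describes: the application's query code is left injectable on purpose, the parameterised fix sits beside it, and a read-only request context shows that even the unfixed query cannot delete rows when the execution context forbids writes. The notes table, its rows and the attack payloads are all constructed for the example.

```python
"""SQL injection, the parameterised fix, and a restricted execution context.

Added example, not code from the page. Python's sqlite3 authorizer is used
here as a stand-in for the SELinux/SEPostgreSQL policy the comment describes:
it decides per statement what this connection may do, so an injectable query
cannot delete or alter data when the request context is read-only.
"""
import sqlite3

# Constructed sample data: notes owned by two users.
SEED = [
    ("alice", "alice note 1"),
    ("alice", "alice note 2"),
    ("bob", "bob note 1"),
]


def make_db():
    """Fresh in-memory database seeded with the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", SEED)
    conn.commit()
    return conn


def count_notes(conn):
    return conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]


# Vulnerable (kept injectable on purpose): request values are spliced into the
# SQL text, so they are parsed as SQL. owner="' OR '1'='1" returns every row;
# note_id="1 OR 1=1" deletes every row, because AND binds tighter than OR and
# the owner check is bypassed.
def find_notes_vulnerable(conn, owner):
    sql = "SELECT id, owner, body FROM notes WHERE owner = '%s'" % owner
    return conn.execute(sql).fetchall()


def delete_note_vulnerable(conn, owner, note_id):
    sql = "DELETE FROM notes WHERE owner = '%s' AND id = %s" % (owner, note_id)
    conn.execute(sql)
    conn.commit()


# Fixed: values are bound as parameters and never reach the SQL parser. The
# same payloads are plain strings that match no row.
def find_notes_fixed(conn, owner):
    return conn.execute(
        "SELECT id, owner, body FROM notes WHERE owner = ?", (owner,)
    ).fetchall()


def delete_note_fixed(conn, owner, note_id):
    conn.execute("DELETE FROM notes WHERE owner = ? AND id = ?", (owner, note_id))
    conn.commit()


def restrict(conn, can_write):
    """Attach a per-connection policy: writes only when the request context is
    allowed to write; schema changes, PRAGMA and ATTACH never. A denied
    statement fails at prepare time with 'not authorized', before it runs."""
    write_actions = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}
    never_actions = {
        sqlite3.SQLITE_DROP_TABLE,
        sqlite3.SQLITE_ALTER_TABLE,
        sqlite3.SQLITE_PRAGMA,
        sqlite3.SQLITE_ATTACH,
    }

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in never_actions:
            return sqlite3.SQLITE_DENY
        if action in write_actions and not can_write:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def run_demo():
    """Exercise every path and return the observed outcomes."""
    results = {}

    conn = make_db()
    results["read_honest"] = len(find_notes_vulnerable(conn, "alice"))
    results["read_injected"] = len(find_notes_vulnerable(conn, "' OR '1'='1"))
    results["read_fixed"] = len(find_notes_fixed(conn, "' OR '1'='1"))
    delete_note_fixed(conn, "alice", "1 OR 1=1")
    results["after_fixed_delete"] = count_notes(conn)

    conn = make_db()
    delete_note_vulnerable(conn, "alice", "1 OR 1=1")
    results["after_vulnerable_delete"] = count_notes(conn)

    conn = make_db()
    restrict(conn, can_write=False)
    try:
        delete_note_vulnerable(conn, "alice", "1 OR 1=1")
        results["restricted_delete"] = "ran"
    except sqlite3.DatabaseError as exc:
        results["restricted_delete"] = "denied: %s" % exc
    results["after_restricted_delete"] = count_notes(conn)
    # The policy does not stop reads the context is already allowed to make:
    # the injectable SELECT still leaks every row. Fix the query, then restrict.
    results["restricted_read_injected"] = len(find_notes_vulnerable(conn, "' OR '1'='1"))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-26s %s" % (key, value))
```

The two layers are complementary, not alternatives: parameterisation removes the bug, while the per-context policy caps what an unfixed bug elsewhere in the application can do. Note the last result: a read-only context still leaks data through an injectable SELECT, which is why the comment's restriction on what calls may do is a damage limiter rather than a substitute for fixing the query.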

  20. Contrarian says:

    ““Hatred” is your word “oldman”, not mine”

    Really, #chapman, don’t try to be coy. You are transparent in that regard. “Joseph Goebbels” indeed!

    And there you go again with your paranoid suggestions that those who find any good in Microsoft are paid toadies.

  21. Richard Chapman says:

    “Hatred” is your word “oldman”, not mine. Please take ownership of it and give it a decent burial.

  22. oldman says:

    “Use GNU/Linux and have more peace of mind about your IT system.”

    Actually I have more peace of mind having a defense in depth that combines multiple layers of security. Running Linux does you no good if your web site gets pwned by a SQL injection attack.

  23. oldman says:

    “And now some people who I’ve been working with in the past will post some comments here on Robert’s Blog which will add support to my statements in the first paragraph.”

    Frankly, Mr. Chapman, it’s hardly worth the effort. You have more than proven that your hatred of Microsoft has blinded you to the realities of staying secure on the internet regardless of what system you’re running. Believe what you want. Reality says otherwise.

  24. Richard Chapman says:

    Microsoft has a simple solution to their deplorable security and service record on their operating systems: lower the bar on what is acceptable. Out come the hordes of Astroturfers declaring that other OSs are worse (in some way or another). Then come the “analysts”. The only things distinguishing them from journalists are a couple of zeros in the check they receive for their work, and that they write their own copy rather than cut and paste. Finally, we get the bloggers pounding away on their new Acer Ferrari laptops given to them by Microsoft because… well, just because.

    If Microsoft cannot perform to what is acceptable in a given system, it simply changes what is acceptable in that system. Their effort will go as far as changing the definition of words. That is the might of their Marketing. Joseph Goebbels would have been humbled at Microsoft’s command of the public mind.

    And now some people who I’ve been working with in the past will post some comments here on Robert’s Blog which will add support to my statements in the first paragraph.
