Students find 44 Unix flaws

Who says all they do at uni these days is sleep and drink?

By Robert Lemos, 17 December 2004 09:45

Students of iconoclastic computer scientist Daniel Bernstein have found some 44 security flaws in various Unix applications, according to a list of advisories posted online.

The flaws, which range from minor slip-ups in rarely used applications to more serious vulnerabilities in software that ships with most versions of the Linux operating system, were found as part of Bernstein's graduate-level course at the University of Illinois at Chicago.

The advisories regarding the flaws were dated Wednesday and can be found on the website of student James Longstreet. Bernstein, a professor of computer science at the university, did not immediately respond to inquiries about the vulnerabilities.

The latest crop of security flaws comes two days after a software-testing company announced that it had found 985 flaws in the latest Linux kernel during the past four years using the company's analysis software. While the number seems high, the company said it is far lower than the number associated with most commercial software.

Each person in the class during the autumn semester had to find 10 flaws, a task that counted toward 60 percent of their grade for the class, according to class notes posted on Bernstein's website. With only 44 flaws discovered among a reported 25 students, the students better hope for a generous curve.

Robert Lemos writes for CNET News.com.

Comments

There are 8 comments.

  1. Phil Laszkowicz (Opetec Ltd)

    Is this comment about Unix or Linux? There seems to be a slip-up near the beginning of the article where Unix and Linux are deemed the same OS. Where were the flaws actually found?

    The fact that so many flaws have been found proves nothing against Unix / Linux, as all real-world software contains flaws.

  2. anonymous

    i like beans

  3. Hid S

    Hey, there I was thinking that only MS products had security flaws...

    Duh.

    Maybe if Linux/Unix was on 90% of desktops, they MIGHT find a few more.

    Nooo, that would never happen.....

  4. anonymous

    Yep, beans are cool.

  5. Peter Risdon

    I'm on the relevant security mailing list so received these reports last week and have looked at most of them in some detail. Almost all concern buffer overflows - based on a known issue with programming technique that these students were looking for. DJB has strong and well known views on this widespread but easily avoided/corrected type of programming error.

    Most of the software affected is niche, to say the least, and does not form part of any mainstream Unix base system. To call these Unix errors is like calling a flaw in some little-used Windows application a "Windows Security Flaw".

    The open source paradigm includes the distribution of source code in order that issues like this can be spotted and fixed (some of the affected software has already been corrected). This is an example of this paradigm working - none of these problems were the basis of real-world exploits and now they won't be because they can be put right first. Many of them were only capable of being exploited under very specific circumstances.

    No comparable security auditing process happens in the world of closed-source software. An alternative headline could have been: Unix security tightened even further.

    In fact, while we're quoting Bernstein, it's worth noting that he knows his security onions - qmail and djbdns, his two big software packages, both still have unclaimed $500 rewards for finding ANY security issues in them. He teaches a course in computer security, as readers of your article will have gathered. But he refuses to discuss Windows on this course, on the grounds that he believes it can't be made secure, period.

  6. Lukasz Ruminski

    The article subject is not true. The subject states 44 Unix flaws, which is simply wrong. The flaws are in applications which could be compiled under Unix/Linux. If you take OpenBSD (http://openbsd.org), it's only had "one remote hole in the default install, in more than 8 years!", which is 44 times less than the article subject states.

    Also.. most, if not all, the applications that were found to have security holes were installed as ports in FreeBSD. FreeBSD clearly states during the installation of a port that it makes "no guarantee about the security of ports included in the Ports Collection".

  7. MikeW

    I didn't know Unix(TM) apps were included in Linux distros ...

  8. Dave

    >>>Maybe if Linux/Unix was on 90% of desktops...they MIGHT find a few more (security flaws) - Hid S

    Sorta like a few years ago when we had all those internet web-server attacks? Apache Web Server was on 60% of all web servers, yet Microsoft's Internet Information Services (IIS) was on 25% of all web servers.... Guess who was affected most by the worms and trojan horses? IIS! Yep. Microsoft's web server! Not Apache.

    Apache was used on more than twice as many servers as IIS, yet MS IIS was affected the most. Not Apache.

    So, your theory that if Linux/Unix was on 90% of desktops there would be more "security flaws" doesn't pan out. In fact, the more that Linux is used the more secure it becomes (more eyes to scrutinize the code).

    Face it. Unix/Linux is just inherently more secure than Windows. This allows Unix/Linux admins to isolate and control any attacks that do occur. With Windows, infections usually go out of control before the admins can do anything about it.
