[Linux-aus] Gafar Lawal, director of architecture, demonstrates his ignorance of architecture

[Leon Brooks]

Quoting http://www.techweb.com/wire/story/TWB20030603S0012
> "It's Microsoft's fault and it's our fault also," said Gafar Lawal,
> director of architecture at Merrill Lynch. "We were vulnerable
> [because] our process did not handle the number of patches. We
> also took very seriously that our partner [Microsoft] had such a
> flaw in their code." 

> But Lawal and others said Microsoft is not unique in its
> vulnerabilities. "We have a Linux server that has three times
> the critical updates as our Windows server," he said.

Gafar, your MS-Windows server arrived with maybe half a dozen services 
available and probably had all of them running until you shut them off. 
If you add a big service, say MS-SQL-Server, you might have the 
equivalent of 20 or 30 Linux packages installed on your machine.

I use Mandrake Linux 9.1, which arrives with over 800 packages, zero of 
which will be accessible from the Internet after a "kitchen-sink" 
install and without the installer switching anything off.

The "critical updates" you speak of cover all 800+ packages on Linux but 
only the equivalent of about 20 or 30 on MS-Windows, so in a parity 
situation you would expect to see roughly thirty to forty times as many 
updates listed. Blow for blow, the Linux server you speak of is ten 
time less buggy than your MS-Windows server already.

But the situation is not even blow-for-blow. Microsoft's idea of a 
"critical update" is for something like CodeRed, Nimda or Slammer.

At http://www.mandrakesecure.net/en/advisories/updates.php?dis=9.1 (and 
look for red padlocks) we see that Mandrake 9.1 has had 45 total patche 
releases to date. 5 of them are duplicates because the packages went 
out without an encrypted signature, another is a dupe because the 
original fix included things that didn't need fixing, leaving 39. 27 of 
those are listed as "critical".

Many of those are for such things as (MDKSA-2003:036) fixing maths 
errors in image handling. Of the remainder, the vast majority of 
vulnerabilities are _potential_ vulnerabilities; that is, they have no 
known working exploit, and in many cases have no theoretical exploit 
either.

Leaving that aside, many of the remaining vulnerabilities do not involve 
any "privilege escalation" - or as CERT Advisory CA-96.13 puts it, the 
case where "Non-privileged primitive users can cause the total
destruction of your entire invasion fleet and gain unauthorized
access to files." Most of Microsoft's do.

We're not finished yet. Consider MDKSA-2003:048, which fixes a 
vulnerability in EOG. Eye Of Gnome is an image viewer. Would you ever, 
let alone regularly, use it on a server? I have seven image viewers 
installed (I like to experiment), not counting potential viewers like 
graphics editors, scanner/camera managers, the previewers in file 
managers, office suites and so on. Odds are therefore 1/7 that I would 
use the impacted application even if I did run it on a server. As it 
happens, I don't, I prefer Kuickshow in a GUI, or from the command line 
the ImageMagick "display" command.

Counting through all of the listed vulnerabilities and picking out the 
ones that would impact a default installation to do secure web-enabled 
database activities plus email transport, remote administration and a 
GUI interface - the equivalent of MS-Windows, IIS, MS SQL Server and 
MS-Exchange rolled into one, there are eight. One of them (a kernel 
update) requires a reboot after installation.

So... eight actual critical updates, one of them in the OS and one of 
them in the webserver. Since the release of Mandrake 9.1 in March, 
MS-Windows 2000 and IIS alone have logged patches for three "invasion 
fleet" severity patch bundles beyond Service Pack 4, which in itself 
rolled in a large number (difficult to assess) of patches.

Over the last year (well, 14 months), Mandrake Linux (from 8.2) has 
recorded 2 OS (kernel 2.4) patches (one of which had a simple and 
instant no-reboot workaround) and 3 Apache (webserver) patches and zero 
PHP (ASP-equivalent) patches. Total "critical updates" potentially 
impacting our hypothetical server, about 25.

MS-SQL-Server 2000 Service Pack 3a was also released, but the 
description makes it difficult to decide exactly how many patches that 
involves - and if you're using the "Desktop Engine (MSDE 2000)" version 
there's more bad news confronting you in the form of a pageful of 
directions on finding out what to patch and how before you even start. 
Each vulnerability that I can find specifies arbitrary code execution 
or worse. Compare this with a total of two (related) vulnerabilities in 
the last year for PostgreSQL.

The MS-Exchange 2000 "March 2003 Post-SP3 rollup" contains over 70 new 
or patched files and requires you to uninstall (yes!) the previous set 
of patches before applying it. All the while your email server is down. 
Any of the very rare updates for PostFix (a good example of a Linux 
MTA; no patches at all in well over a year) typically involves under 
half a second of email outage and no reboots.

I don't even understand how to account for the number and complexity of 
the Microsoft patches involved here, so I agree that this is a problem, 
but to pluck a figure out of the air? Call it 120 individual patches a 
year, one every three days on average.

Each of these Microsoft "patches" may roll together work on multiple 
vulnerabilities in multiple systems, whereas the Linux patches 
typically fix a single vulnerability and by definition do it in a 
single system.

How about response time? The KDE developers once took a vulnerability 
from bug report to tested deliverable in 95 minutes.

Accountability? You were reportedly "impressed with Microsoft's response 
to the [Slammer] problems" but what about their response to the 
"Shatter Attacks?" Microsoft may find a way to fix that ongoing 
vulnerability in Longhorn, five years down the track, but probably not. 
It is a design insecurity right at the core of MS-Windows and there is 
no simple way around it. The corresponding insecurity in Linux doesn't 
exist, can't exist, because a completely different mechanism occupies 
that spot on the flow diagram.

Then we consider the server population. Even for a relatively light 
load, Microsoft would recommend that you have a separate server for 
MS-Exchange and another for MS-SQL-Server. That's three servers to 
maintain and pay for instead of one. And they'd probably also ask you 
to add an expensive Cisco router to the collection to firewall it.

There are also a number of features which make individual services much 
easier to lock down under Linux than under Windows. Capabilities, 
chrooting, chattr and so on within a single OS image. User Mode Linux 
for completely partitioned services - it's a simple matter to run any 
service under its own specialised UML kernel that has a no-op (or 
scream-the-house-down) response to certain OS functions for managing 
ownership of files or opening network sockets other than in prescribed 
ways. This means that even if an attacker gains total and complete 
control of a service, all it does is call attention to his actions and 
replace his victim with a fresh, clean copy a few microseconds later.

The final clincher for me is that I have never had an update break a 
server. I could have left all of my Linux servers on auto-update for 
about the last five years without a care in the world, were I not 
naturally suspicious. On the other side of the fence, Microsoft's 
updates are reknowned for breaking things.

Back your statement up with specifics, Gafar, or retract it. As it 
stands it is at best irresponsible, and certainly looks clumsy and 
ill-informed for a "director of architecture" at a world-reknowned 
firm.

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Committee Member, Perth Linux User Group
http://slpwa.asn.au/            Committee Member, Linux Professionals WA
http://linux.org.au/            Committee Member, Linux Australia