Last week three new vulnerabilities were announced by Polish security firm iSec Security Research in the latest Linux kernel which could allow an attacker to elevate their privileges on the machine and execute programs as the root administrator.
These are just the latest in a series of serious or critical security vulnerabilities discovered in Linux over the past few months. The board room at Microsoft is probably getting some amusement, or at least feeling some relief, from the irony that open source is supposed to be more secure and yet these critical flaws continue to be found.
It misses the mark though in my opinion to claim that open source software is more secure by default. For starters, I believe that the software is only as secure as the user or administrator who configures and maintains it. Although some may argue that Linux is more secure out of the box, a clueless Linux user is just as insecure as a clueless Microsoft Windows user.
The other aspect of it is that the developers are still human. Out of the thousands and millions of line of code that make up an operating system it seems fair to say that something might get missed and eventually a vulnerability will be discovered.
Therein lies the difference between open-source and proprietary. Microsoft was notified by EEye Digital Security about the flaws with their implementation of ASN.1 eight months before they finally announced the vulnerability publicly and released a patch. Those were eight months during which the bad guys could have discovered and exploited the flaw.
Open source on the other hand tends to get patched and updated much faster. There are so many developers with access to the source code that once a flaw or vulnerability is discovered and announced a patch or update is released as quickly as possible. Linux is fallible, but the open source community seems to react much quicker to issues as they arise and respond with the appropriate updates much quicker rather than trying to bury the existence of the vulnerability until they get around to dealing with it.
That said, Linux users should be aware of these new vulnerabilities and make sure they stay informed of the latest patches and updates from their respective Linux vendors. One caveat with these flaws is that they are not exploitable remotely. That means that to attack the system using these vulnerabilities requires the attacker to have physical access to the machine.
Many security experts agree that once an attacker has physical access to a computer the gloves are off and almost any security can be eventually bypassed. It is the remotely exploited vulnerabilities- flaws that can be attacked from systems far away or outside of the local network- that present the most danger.
For more information check out the detailed vulnerability descriptions from iSec Security Research to the right of this article.
