Every day a new exploit, bug, or vulnerability is found and reported on the Internet, in the news and on TV. Although Microsoft seems to get the greatest number of bug reports and alerts, they are not alone. Bugs are found in all of the operating systems, whether it is server software, desktop software or imbedded systems.
Here is a list of bugs and flaws affecting Microsoft products that have been uncovered just in the month of June 2001:
- MS Windows 2000 LDAP SSL Password Modification Vulnerability
- MS IIS Unicode .asp Source Code Disclosure Vulnerability
- MS Visual Studio RAD Support Buffer Overflow Vulnerability
- MS Index Server and Indexing Service ISAPI Extension
- Buffer Overflow Vulnerability
- MS SQL Server Administrator Cached Connection Vulnerability
- MS Windows 2000 Telnet Privilege Escalation Vulnerability
- MS Windows 2000 Telnet Username DoS Vulnerability
- MS Windows 2000 Telnet System Call DoS Vulnerability
- MS Windows 2000 Telnet Multiple Sessions DoS Vulnerability
- MS W2K Telnet Various Domain User Account Access Vulnerability
- MS Windows 2000 Telnet Service DoS Vulnerability
- MS Exchange OWA Embedded Script Execution Vulnerability
- MS Internet Explorer File Contents Disclosure Vulnerability
- MS Outlook Express Address Book Spoofing Vulnerability
The mere frequency and number of bugs that are being found does not bode well for Microsoft and the security of their programming methods. These are just the bugs that have been found and reported, but bugs like the Internet Explorer bug may have been around and exploited for months and hidden from discovery by the underground community.
But it isn't just Microsoft that is plagued with bugs and vulnerabilities. All flavors of Linux have their share of serious bugs also. The vulnerabilities below have also been discovered or reported for the month of June:
- Procfs Stream Redirection to Process Memory Vulnerability
- Samba remote root vulnerability
- Buffer overflow in fetchmail vulnerability
- cfingerd buffer overflow vulnerability
- man/man-db MANPATH bugs exploit
- Oracle 8i SQLNet Header Vulnerability
- Imap Daemon buffer overflow vulnerability
- xinetd logging code buffer overflow vulnerability
- Open SSH cookie file deletion vulnerability
- Solaris libsldap Buffer Overflow Vulnerability
- Solaris Print Protocol buffer overflow vulnerability
These are not all of the bugs and exploits that affect *nix systems, there are at least as many *nix bugs found in the month of June as there are for Microsoft products. Even the Macintosh OS, the operating system that is famous for being almost hacker proof, is also vulnerable. This is especially true with the release of OS X. This is because OS X is built on an OpenBSD Linux core. Many of the Linux/BSD specific vulnerabilities can also affect the Macintosh OS X. As an example the Macintosh OS X is subject to the SUDO buffer overflow vulnerability.
Does all of this mean that you should just throw up your hands and give up? Absolutely not! Taken as a whole the sheer number of bugs and vulnerabilities is massive and almost overwhelming. The point is that if you keep up with the latest patches and fixes, your job of keeping your OS secure is not so daunting.
Keeping up is simple if you just know where to look. Each major OS keeps a section of their Web site that is dedicated to security, fixes and patches. Here is a partial list categorized by operating system:
The Microsoft TechNet section on security contains information on the latest vulnerabilities, bugs, patches and fixes. It also has a searchable database that you can search by product and service pack.
Since there are so many different flavors of Linux I will list some of the most popular ones here.
Alerts and Errata
RedHat lists some of the most recent vulnerabilities here as well as other security links on the RedHat site and security links that can be found elsewhere on the Web.
Security Mailing List Archives
Although not as well organized as the Microsoft or RedHat sites, the mailing list archives contain a wealth of information. The archive is organized by year and then by month.
SuSE Linux Homepage
Included here is an index of alerts and announcements on SuSe security. There is also a link for you to subscribe to the SuSe Security Mailing list.
This is one of the most comprehensive and complete security sites of all of the OSs. If you can't find it here, you won't find it anywhere.
Apple Product Security
Even though the Mac is not as prone to security problems as other OSs, you should still take steps to secure your Mac. With the introduction of OS X, security will be more of a concern.