Many of us who use security products on our computers religiously are bewildered to find that we still get infected with malware. How does this happen? No matter what we do, our computers are constantly in touch with the vectors that carry malicious software. Thomas Greene explains what this means, and what we can do about it.
Now let’s look briefly at several other common weaknesses that computer users need to remain aware of.
Operating System Vulnerabilities
Every operating system has vulnerabilities that are constantly being discovered. Some of these may be very old, having propagated in legacy code through numerous versions of an operating system before their security implications ever become known. The only practical defense is to remain aware of newly discovered vulnerabilities and to patch systems promptly. There are several e-mail lists, such as the Focus-MS and Focus-Linux lists from SecurityFocus.com, the ISN (InfoSec News) list from Attrition.org, and The Register’s daily newsletter, to which users can subscribe for up-to-date security news. (See Appendix C.)
Remaining informed of new system vulnerabilities is one thing; acting on them is another, and users often neglect this important chore. Fortunately, Windows and the major packaged Linux distributions offer online update features that make patching easier. However, bad patches do occasionally get released, so there is some risk in relying on automatic updates. They are absolutely inappropriate for mission-critical systems, but for home users, the benefits of prompt patching may outweigh the risks. Still, manual online updating is better, so long as one remembers to check for new patches regularly. It is never a good idea to permit a software vendor to decide what code should be installed on your machine, and when.
When we compare security vulnerabilities affecting Windows systems and Linux systems overall, they run basically neck and neck. However, when we look more narrowly at vulnerabilities that require patching the Windows or Linux operating system kernels, we find that Linux is immensely cleaner. It’s rare for a patch affecting the Linux kernel to be released, though it’s common for Windows due to the interdependent nature of the system. In other words, with Windows, the majority of vulnerabilities affect the kernel, whereas with Linux, they rarely do. As we noted in the Introduction, kernel-level patches stand a greater chance of breaking things than application-level patches. Furthermore, Linux system vulnerabilities tend to affect services that can be disabled to achieve a temporary workaround, whereas Windows services often cannot be disabled without negative consequences. Security-minded users should give careful thought to installing Linux in place of Windows. In Chapter 6, we will look in depth at the advantages and disadvantages of migrating to Linux.
Application Vulnerabilities
All software applications contain significant vulnerabilities that must be dealt with in addition to operating system vulnerabilities. Microsoft packages a number of useful applications with Windows, but many other applications must be obtained either from Redmond or from secondary sources, called independent software vendors (ISVs). Windows is essentially an à la carte computer system. Your office suite, your graphics and image-manipulation programs, many of your multimedia applications, PC games, third-party clients, and utilities are distributed separately and must be patched with software provided by the individual vendors. These applications will not be patched when the Windows online update is run, so users must remain aware of security alerts and the availability of new patches for all of their third-party software. Microsoft is not responsible for third-party applications and utilities. It can be difficult to keep up with all the vulnerabilities as they emerge, but again, subscribing to a security news e-mail list like ISN or The Register’s daily newsletter is a good way to stay on top of them.
Because of the licensing advantages in open source software, the major Linux distributors like SuSE and Mandrake can package virtually every application a computer user might need, and these will be patched during online updates. Linux users enjoy more comprehensive updates from their vendors than Windows users. However, software packages not included in the distribution and installed separately will not be updated, so these must be monitored for new vulnerabilities and patched as needed. Still, Linux users who stay with the packages shipped in their distribution can be confident that the online update feature will keep their systems patched with a minimum of bother.
Vulnerable Services
A service is a background process running on a system that supports other processes and applications as needed. Generally, the user doesn’t access or invoke a service directly; rather, an application or a utility will do so. In addition, one machine can offer services to other machines across a LAN or the Internet. For example, Samba and SMB are services that provide file and print sharing over a network. Kerberos is a service that provides network authentication. BIND is a service that enables an Internet server to translate domain names, such as TheRegister.co.uk, into an IP address, such as 123.1.2.3. (Machines use IP addresses to communicate, but of course people have a far easier time remembering domain names.) SSH (secure shell) is a service that allows a computer to connect to a remote machine via an encrypted link over the Internet. The actual code that provides a service is called a daemon in UNIX parlance and a system agent in Windows parlance, and the feature or capability that it provides is called a service or a daemon process.
All of the services I’ve just mentioned, and many others not listed, have contained vulnerabilities that have in turn led to system compromises. Therefore, an important bit of security housekeeping involves identifying the services your computer is offering and disabling those you don’t need. For example, your PC should not be offering to accept SSH connections from other machines on the Internet unless you actually use this service and know how to set it up properly. For another example, the RPC (remote procedure call) service, which enables one computer to execute code on another, is a useful feature for networked machines sharing expensive hardware, such as a printer over a LAN, say. But it’s very risky when the computer offering RPC is connected to the Internet. (The MSBlaster worm that struck in the summer of 2003 leveraged insecurities in RPC through another service called DCOM.) Unfortunately, Microsoft has made a number of crucial Windows services dependent on RPC, so it can’t be disabled. In that case, prompt patching and firewalling are the only practical solutions. On the other hand, Linux users can shut off RPC without penalty. Later in this chapter, we’ll walk through the various services provided by Windows and Linux, and eliminate those that pose the greatest security risks.
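The housekeeping step just described, identifying which services a machine is offering to other computers, can be scripted on Linux. The following is an added example written for this page, not code from Greene’s book: it parses a listing of listening TCP sockets, drops those bound only to the loopback address (reachable from the machine itself but not from the network), and reports any exposed port that is not on a short allow-list of services you actually intend to offer. It goes a little beyond the chapter by accepting both the modern `ss -H -ltn` layout and the older `netstat -ltn` layout, which differ only in column order. The sample listings are constructed; on a live system the input would come from `ss -H -ltn`, which assumes the iproute2 `ss` tool is installed.

```shell
#!/bin/sh
# Added example, not from Greene's book: list the TCP services a Linux host is
# offering to other machines, then flag the ones not on an intended allow-list.
# Parses the output of `ss -H -ltn` (iproute2) and also the older `netstat -ltn`
# layout, since the two differ only in which column carries the state.

# Constructed sample standing in for `ss -H -ltn` output on a home machine.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 *:445 *:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::1]:25 [::]:*'

# Constructed sample in the `netstat -ltn` layout (state is the sixth column,
# IPv6 addresses are unbracketed).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::111 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN'

# exposed_ports LISTING
# Print, one per line, the port of every listening socket bound to a wildcard
# or non-loopback address, i.e. one that other machines can reach.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" || $6 == "LISTEN" {
            laddr = $4
            # Split "addr:port" at the last colon; IPv6 addresses contain colons.
            n = match(laddr, /:[0-9]+$/)
            if (n == 0) next
            addr = substr(laddr, 1, n - 1)
            port = substr(laddr, n + 1)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
            print port
        }'
}

# unexpected_ports LISTING "PORT PORT ..."
# Print the exposed ports that are not on the caller's allow-list of services
# the machine is meant to offer; each one is a candidate to disable or firewall.
unexpected_ports() {
    wanted=" $2 "
    for p in $(exposed_ports "$1"); do
        case "$wanted" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Usage on a live system (assumes iproute2's ss is installed), allowing only SSH:
#   unexpected_ports "$(ss -H -ltn)" "22"
```

On the constructed `ss` sample, ports 22, 445 and 111 are exposed while 631 (printing) and 25 (mail) listen on loopback only; with SSH on the allow-list, 445 and 111 are reported as services to disable or firewall if they are not needed. The allow-list is deliberately something you write by hand: the point of the exercise is deciding which services this particular machine should offer, and the script only tells you which ones it currently does.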
This chapter is from Computer Security for the Home and Small Office by Thomas C. Greene (Apress, 2004, ISBN: 1590593162).