Fog Creek Software
Discussion Board




Yet another Unix security flaw and exploit


Don't these people test their code? Can they not release a product that isn't rife with security flaws?!

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,95170,00.html?from=homeheads

Your Uncle Bill
Wednesday, August 11, 2004

Don't hide under that bridge, come on out and say what you mean.

Simon Lucy
Wednesday, August 11, 2004

I want to meet the programmer that produces anything on the scale of an operating system that ISN'T 'rife with security flaws'.

Chance Govar
Wednesday, August 11, 2004

Except that Apache is a Windows program, so what can you expect?

Andres
Wednesday, August 11, 2004

The problem seems to be limited to a specific version of Apache and PHP distributed on HP-UX.  The article didn't mention which versions of PHP, Apache, mod_ssl or mod_proxy were affected, which might have been helpful.

No good asking the OP to come out and identify himself though.  His species turns to stone if they're caught by the sunlight.

Clay Dowling
Wednesday, August 11, 2004


"The exploit works on any platform, according to a report by E-matters GmbH researcher Stefan Esser, who said he discovered the problem during a reaudit of memory_limit following a related advisory"

The sun is out, and I haven't turned to stone or anything like that. Because I point out a flaw in Unix, I'm suddenly a member of another species?

http://security.e-matters.de/advisories/122004.html?SID=49ff8f60523b15ba2fce0578767193ea

And it allows injection into Safari browsers too, so you Mac users can't get all high and mighty either.

Your Uncle Bill
Wednesday, August 11, 2004

Let's see, this flaw is in Apache, not Unix.  The problem has been fixed and there are not massive numbers of compromised HP-UX's everywhere.  So what's the problem?  Finding and fixing security flaws before there are big problems is what is supposed to happen, right?

Bill Rushmore
Wednesday, August 11, 2004

I suspect the point the original poster was trying to make:

"Let's see, this flaw is in Apache, not Unix."
vs.
"The flaw is in IIS, not Windows"

"The problem has been fixed and there are not massive numbers of compromised HP-UX's everywhere."
vs.
"The patch has been available for over [x] weeks"

"So what's the problem?  Finding and fixing security flaws before there are big problems is what is supposed to happen, right?"

I happen to agree completely. Interesting that when it's a Unix or Apache security hole, then it's "Hey, they found it, it's patched, no big deal." But when it's a Windows vulnerability, it's "Oh, that product is Swiss cheese and nobody should buy anything they make."

[shrug] Nothing but pure bias. It's cool. ;-)

Philo [Microsoft]

Philo
Wednesday, August 11, 2004

Any proprietary operating system is going to suffer the same drawbacks as Windows.  HP-UX is NOT LINUX.  The entire operating system is not open source.  You are relying on the company to give you patches.

Not to say that Linux doesn't have security holes/problems (it does), it's just that they seem to get patched MUCH faster than commercial operating systems.

saberworks
Wednesday, August 11, 2004

Attempt at misdirection: "The flaw is in IIS, not Windows"

IIS is shipped as and tightly integrated with Windows. In fact, it's the only way to get it. It also runs partly in the kernel now, right? Can 3rd party apps easily do that? (I have no idea.)

Apache is not, though it runs just fine on Windows. (And it probably is included in various Linux distros.)

mb
Wednesday, August 11, 2004

"it's just that they seem to get patched MUCH faster than commercial operating systems."

Forrester says you're wrong:
http://www.linuxworld.com.au/index.php/id;554502920;fp;2;fpid;1

And for mb - all I'm saying is that the OS and the web server are different things, both in Unix and in Windows. This is not an attempt at misdirection; it's an attempt to compare apples and apples. As you pointed out, Apache runs on Windows, so IIS is a separate discussion than the operating system, n'est-ce pas?

Philo [Microsoft]

Philo
Wednesday, August 11, 2004

Uncle Bill, what's it like to be perfect?

-
Wednesday, August 11, 2004

"As you pointed out, Apache runs on Windows, so IIS is a separate discussion than the operating system, n'est-ce pas?"

I'll agree that IIS can be separated for many discussions. But Apache's Windows version is irrelevant--I can run SuperCalc, but calc.exe is still part of the operating system according to Microsoft's "ham sandwich" argument at the time of the antitrust trials.

mb
Wednesday, August 11, 2004

The topic or subject of this thread made me laugh...

As if Windows was doing any better.
They can't even validate their IE blog's website...
The consortium must not mean a thing... then again, just plop open IE... yeah sure, we will all wait till 2k7, that's when Mozilla / Firefox will take us to the moon.

Get with the program!

Jon
Thursday, August 12, 2004
