Linux' Bug Problem: Getting the Fixes Out
By Alex Salkever
Ramen, the noodle dish that's cheap sustenance for college students, is bad news for Linux users. The virus called Ramen, that is. This strain surfaced last September and, in recent months, has burrowed its way into hundreds, if not thousands, of machines running Red Hat's version of the open-source Linux operating system. Like the Love Bug malaise that crippled companies around the globe last spring, Ramen is a worm virus. It digs into e-mail address books and sends out massive quantities of self-replicating messages, crashing computer networks under a flood of traffic.
Targeted at an older version of Red Hat, Ramen hasn't caused any significant damage. And according to the federally funded Computer Emergency Response Team, fewer than 20 incidents of Ramen infection have been reported -- a minuscule number compared to the tens of thousands of reports CERT logged when the Melissa virus and Love Bug were epidemic. Furthermore, Linux security experts speculate that Ramen arose as a demonstration project without specific malicious intent.
Still, the continuing spread of Ramen raises some serious questions about the ability of the open-source community to live up to its security boasts. Linux supporters have long claimed the transparent nature of open-source development produces more secure software and fixes bugs faster than proprietary companies such as Microsoft and Oracle do.
Even if that's true, Linux will need to prove it can deliver this security to the growing mass of open-source converts who are not particularly tech-savvy and are accustomed to Microsoft-style one-click upgrades. Red Hat hustled out patches for the Ramen worm within weeks, but too many Red Hat users remain unprotected. "I think the community's response to the Ramen virus has been to the credit of open source. Where it breaks down is the last mile of getting that fix to the customer," says Ned Lilly, vice-president for hacker relations at open-source database concern Great Bridge.
The numbers definitely bear out a need for better transmission of fixes by companies selling operating systems and software designed to be exposed to the public Internet. According to CERT, 99% of the serious breaches it investigates arise from known vulnerabilities for which patches have long existed. That includes breaches on Microsoft NT and Windows 2000 operating systems, on the various flavors of Linux, and on other Unix operating systems from Sun Microsystems, Hewlett-Packard, and IBM.
"DOZENS OF VULNERABILITIES."
But as Linux' popularity grows, more attacks have popped up on the radar. That's an ominous sign for the small-business and home-office users who are some of Linux' biggest fans and fastest adopters of the technology. These operations lack full-time network administrators to keep updates running smoothly. "In the hands of a guru, it's great. In the hands of someone who is not a programmer, open-source programs are very dangerous. An out-of-the-box Red Hat Linux installation is open to dozens of vulnerabilities," says Chris Rouland, the director of the X-Force research team at Internet Security Systems.
Despite the rise in open-source incursions, Linux supporters still say they've built a better mousetrap. Call it the law of ten thousand eyeballs. Linux advocates argue that the huge network of programmers who view the source code act as a de facto, round-the-clock global debugging squad. Fewer security vulnerabilities survive due to the sheer number of people poring over the code at every minute of the day. "We can fix them [bugs] more quickly because we don't need to wait until it's daytime in California, or until the developer gets back from vacation, because everybody has the source code," explains Bruce Perens, a Linux pioneer and president of Linux Capital Group, a venture-capital firm that invests in open-source startups.
As evidence, open-source supporters point to unofficial online-assault counts, such as one published at the hacker site Attrition.org. That tally fingered Microsoft NT and Windows 2000 as the operating systems computer criminals target the most. But such claims remain hotly debated. Open source also could work just as easily in reverse, giving computer criminals free rein to pore over code in search of complex vulnerabilities they can later exploit, says Scott Hissam of the Software Engineering Institute at Carnegie Mellon University. And critics question how many of those programmers are really accustomed to detecting security flaws rather than building nifty new features.
In fact, ISS's Rouland contends that open-source programs are more likely to harbor "remote escalation of privileges" vulnerabilities. These types of weaknesses essentially allow an unauthorized person to take control of a computer system from afar, typically the ultimate nightmare for companies protecting credit cards or other key personal information. Why? There's no accountability in open-source software. "It's more like a hobby, like ham radio. No one's job is on the line," Rouland says.
This somewhat esoteric debate hardly matters if Linux adherents can't figure out a way to distribute the top-level security they trumpet so loudly. It's one thing to have high-level computer users constantly tuned in to e-mail lists and security updates watching over Linux systems. It's quite another to have harried small-business owners whose system administrator is also the bookkeeper, chief marketer, and bottle-washer. "The fix is generally distributed in source-code format. That means you have to be a programmer with the ability to compile the code to put it into your box," Rouland says.
For their part, many in the Linux batallion say they're doing a fine job getting the fixes out there, thank you. Perens claims that the Debian development group, which distributes Linux and other open-source programs, long ago orchestrated an automatic fix-delivery system. Red Hat has responded, too. In a similar move, the company launched the Red Hat Network last fall.
"The idea is people could automatically receive security patches, and they can be installed on their machine without compiling source code," says Michael Tiemann, Red Hat's chief technology officer. He adds: "The maintenance required and security risk with Linux on a standard PC are less than running an equivalent Windows system."
Perhaps. But with so many versions of Linux out there and the number rising all the time, the largely self-organizing open-source community will have to work hard to make sure nongeeks stay in the loop. Otherwise, the open-source movement may find it slow going to convince middle-tier users to follow the open-source road.
Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Douglas Harbrecht