In stark contrast to the long waits typical for Windows users wanting to patch software vulnerabilities, recently discovered security weaknesses in the core of the Linux operating system were addressed by major vendors in a matter of just a few days this week.
Two security vulnerabilities in the Linux kernel’s memory management code reported by security researcher iSEC were addressed and are now fixed in versions 2.4.25 and 2.6.3 of the Linux kernel. Linux vendors and distributors that have released fix updates include Red Hat, Novell’s SuSE Linux and the Debian Project.
Independent security expert Ryan Russell said that regardless of the Windows-Linux debate over which operating system is more secure, there is little doubt that open-source vendors respond more quickly when vulnerabilities emerge.
“One area people can agree on is the open-source vendors do a much quicker job of making patches available,” Russell told LinuxInsider. “Open-source vendors are producing the patches quicker. Even if not, as an open-source user, you have the opportunity to fix the problem yourself.”
iSEC said the vulnerability was identified in the Linux kernel memory management code inside the mremap system call and was caused by a missing function-return value-check. The security firm said the latest issue is not related to another memory-management code vulnerability disclosed earlier this year, which involved incorrect bound checks.
Although security experts downplayed the severity of the Linux holes reported this week, Russell said that because they were kernel-based, they were widespread among all Linux operating systems.
“Being in the kernel makes it a little bit more universal,” he said. “If you’re running Linux, you do have the vulnerability unless you’ve upgraded to an updated version.”
While there is ongoing debate as to the most secure operating system, open-source advocates tout this week’s fast-fix response as an example of the security advantages of Linux and other open-source software, which is freely available to users and developers.
Russell, who likened the latest kernel vulnerability to last year’s effort to place a back-door security breach in the Debian Linux kernel, praised Linux vendors for getting the patch out quickly.
“I continue to be impressed by the turnaround time from Linux vendors,” Russell said.
The security expert added that because the latest Linux security issue did not affect a part of the operating system that would be the basis for much vendor customization, providing a fix was fairly straightforward.
The Linux vendor response to the security issues compares with a lengthier process for Windows, as Microsoft has taken as long as eight months to patch severe holes. Russell, who argued that viruses and worms depend largely upon the popularity of a particular operating system, referred to Microsoft’s need for more than 120 days from vulnerability disclosure to the fix for it.
Gartner research vice president Richard Stiennon, who criticized Microsoft for making protocols irresponsibly without considering security ramifications, indicated the software giant should aim for a turnaround time of a few weeks at most to provide some kind of defense from vulnerabilities that are made public.
“They have to do it faster,” Stiennon told LinuxInsider. “The risk grows astronomically with time.”
Still, Stiennon — who added that Microsoft cannot depend on word of vulnerabilities not getting out — said Microsoft must ensure the patches it does produce are not introducing other security issues or fouling other Windows applications.
“Frankly, I’d like to see them spend more time developing patches so they don’t release buggy patches,” he said.