Every now and then on IRC you hear a conversation about security. It usually starts off with someone from the Linux camp griping about Windows security. This is often followed by someone from the FreeBSD camp stating that Linux isn't much better, statistically speaking. The Linux camp then retorts that there may be bugs, but they're nowhere near as severe as Windows, etc, etc.
The recent CVS hack (you *have* upgraded to 1.11.16, right?) reminds me of something - your system is only as secure as your weakest 3rd party app.
(This is the standard complaint about Windows - outside of well-administered [usually business] environments, virtually every Windows user has Admin capability.)
Re:suid app
Dom2 on 2004-06-01T20:33:09
You might think that, but a weakness in a non-root app usually just slows a dedicated attacker, not stops them. Most people pay a lot less attention to "local" vulnerabilities such as /tmp file mishandling, but when you've got an attacker in your system who wants to be root, they suddenly take on a much greater role. Don't be underrating security problems.
:) -Dom
Re:suid app
jmm on 2004-06-01T22:35:42
Slowing them, and possibly stopping them, is better than letting them go full speed. A non-suid app exploit can be a step towards a breakin, but a suid-app exploit is an accomplished breakin.
Don't be underrating one facet of a security defense strategy because it is not the entire solution.
:-)