A programme called ‘evil.c’ has been discovered that uses lines of code written in the C programming language to crash several versions of Linux, thereby locking whole systems. The flaw could allow hackers to bring down Linux machines with just 24 lines of code.
Linux distributor SuSE issued a patch to fix the security hole on 16 June 2004. SuSE rated the hole as “low risk”, since a hacker would need access to the Linux machine in order to launch an attack. Yet in practice, this is not a major challenge: hackers could gain remote access to the Linux code through an Internet port or via the file transfer protocol (FTP), say experts.
The main concern about open source security is that there is currently no central point of co-ordination, which could, in the future, lead to haphazard support – and open it up for more attacks from hackers.
The lack of central coordination “could lead to anarchic support” for Linux, says Graham Titterington, an Ovum analyst.
But he says that Linux is at no more threat from malicious attackers than proprietary operating systems like Windows. “It is not an issue of open source security versus proprietary software security”, he says. Although Linux is available for view and review in the public domain, the security platforms on which it operates are – in essence – the same as their proprietary counterparts.
“In fact,” says Titterington, “if anything, Linux is more equipped to withstand hits from would-be attackers due to its open source nature.”
He added that although the Linux kernel is available for public scrutiny, in practice, it is usually administered within organisations by commercial versions of Linux such as RedHat and SuSE. These programmes offer maintenance and support, just as Windows and other proprietary operating systems do.
Generally, companies that use Linux configure their computer network with Linux-based security tools – some for individual computers and some for servers. Such configurations should, in theory at least, limit damage.
The open source community has been on the receiving end of a number of security holes and malicious attacks this year. Several flaws were discovered in the Concurrent Versions System (CVS), an application used to manage open source software under development. Also, in March and April 2004, online attackers targeted Linux and Solaris systems at many academic high-performance computing systems.
Mike Davis, a senior research analyst at Butler Group, says: “One could take this as an indicator that Linux is getting more popular – it is attacked because it is getting bigger.”