A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, antivirus companies warned on Monday.
The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm "Lupper."
Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.
A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.
The worm exploits three vulnerabilities to propagate: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.
The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script; no fixes are available for the script, according to Symantec's DeepSight Alert Services.
McAfee rates Lupper as low risk. Symantec, which calls the worm "Plupii," rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.
Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.
This worm exploits three applications, not the Linux operating system.
The same applications would have been equally exploitable if they would be running on any other operating system (including different versions of Windows & even OS/2).
And no, I am not a Linux Zealot! :-). I work on Microsoft technologies.
It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.
But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.
hahahaha!! We're standing back and watching everyone make a huge deal over exploits which have been easily patchable since the beginning of this year! It's funny how these news sites only write articles about high risk Windows vulnerabilities, but every low risk Linux vulnerability that comes around. The only thing that doesn't have a patch is the Webhints package which no-one uses anyhow.
I want you to think about something:
These exploits work on systems where PHP is given elevated privileges on the system. This is not default for any out of the box Linux distro. The administrator of these systems must explicitly grant PHP elevated access to their systems to make these Wiki systems work. The admins know full well the risk they are taking when they do this, and they should know better than to leave the Wiki software unpatched.
I find it totally amazing that we have dozens of HIGH RISK Windows exploits every month that can affect a Windows box without any user intervention. And you're getting all huffy over one low risk PHP exploit that has been patched for months and only affects systems running PHP with elevated privileges?
Give me a break. I don't care what OS you're running... NO OS prevents Admin stupidity. It's nice that you think Linux is that good though, that it can even prevent a super-user from making the system vulnerable. Linux distros come secure out of the box, if an admin decides to open it up for attack, how is that the fault of Linux?
Linux is more secure than Windows. If you had the chance to read carefully, it refers to outdated systems; which unfortunately there are quite a few out there in the core of the internet.
Nice try, but Linux is *not* superior to Windows. There are very few virus writers for Linux, and a ton more for Windows.
The fact that such a serious flaw exists for Linux is just more evidence that Linux is no more secure than Windows Server systems.
Of course, when it happens on Linux, all of the Linux zealots proclaim: "Oh but it's not in the kernel", or "It's an older distribution!", or "but <insert a different distro> doesn't have the flaw so it's not Linux!"
Please. I'm so sick of Linux zealots and their constant BS. Thank god for stories like this one that exposes Linux for what it really is: just another OS that has its share of problems.
I don't see anything in the article referring to outdated systems. If you meant unpatched systems... duh! EVERY Windows virus in history has only applied to unpatched systems. So if you accept your logic, there were never viruses for current Windows systems! If it was actually about outdated (i.e. non current versions) systems then that also applies to 75% of Windows flaws in the last year or so, since not many affect (or are critical on) Windows XP Service Pack 2 or Windows Server Service Pack 1. Linux zealots would laugh at those arguments if used to defend Windows over a virus outbreak. Why try them here?
Uh if you actually read the article it mentions the vulnerabilities the worm exploits. None of those vulnerabilities are of Linux but rather 3rd party applications. It just so happens that the applications run on Linux.
any decent sysadmin won't run apache or any linux webserver as a real user, so the worst that could happen would be a lost web page, which can probably be restored fairly quickly.
If you run PHP, you'd better take some measures like: http://www.hardened-php.net/
It is rather strange that so................ many people around (including Windows and Linux users) the world put their "trust" in the ATMs that they use daily and for once do not consider the "reliable and secure "Old Work-Horse" that is called "OS/2" that undoubtedly would present a better business value and superior Total Cost of Ownership (TCO) scenario than Linux or Windows any day for the desktop environment. Why not stop using your ATMs!
I work for a major leader in the ATM industry. I can safely say that the majority of our ATMs run XENIX, a UNIX variant that was owned by M$, now owned by SCO Group. I know that my bank actually uses Windows on their ATMs. I don't know of a single ATM in my area that runs OS/2. As far as I know, there were a few viruses out that took advantage of flaws in OS/2 also. Go figure....
Also, IBM stopped supporting OS/2 a while back. Since you can't get manufacturer support, the TCO is moot. Companies want support, and even a great OS like OS/2, would fall short of expectations where newer hardware is concerned.
You might as well go back to DOS, Amiga, or any other vintage computing platform.
...just can't come to terms with the death (long ago) of OS/2. I honestly think you post this silliness for comic relief, and it works! I crack up every time I read one of your OS/2 posts. LOL
Having worked on ATMs for a number of years prior to getting into IT (now an MSCE but still enjoy OS/2 since 2.0 and Linux more) I can recall Diebold ATMs running OS/2 v2.x and Fujitsu ATMs at Target stores running Microsoft OS/2 1.3! I would agree that OS/2 (now ecomstation 1.2) is reliable and that is confirmed in my opinion having seen banks use Warp server on some of their back end systems. However, I do recall some ATMs were also transitioning off OS/2...probably more due to lack of support by IBM or other pressures. My only practical criticisms of OS/2 are: there is no secure login (boots right into a desktop), the lack of drivers for many newer RAIDIDE/SCSI controllers/Fiber HBAs, and lack of management in an enterprise environment. Each OS has its pros/cons and place in the grand scheme of things; we all should know by now many times the decision to use a particular OS is not always because it makes the best technical sense. I would echo others' comments indicating regardless of the OS any software required for the OS to run has to be considered part of the OS and that admins need to know how to keep their servers/workstations as secure as possible. OS/2 buff that I am I just don't see the "undoubted" TCO justification given the aforementioned criticisms not to mention the relative lack of applications.
There is no such thing as a perfect piece of software.
I see a lot of people commenting that "Linux" is flawed and such. Well, yeah, Linux is flawed. Here's the kicker though: This exploit was written to take advantage of some published webserver exploits, not exploits in the Linux kernel.
Also, as the story notes, it depends on three different exploits to be present. If one or more of those exploits don't exist, it doesn't work. That's why it is good practice to keep a system patched and updated. *nix worms have been around forever, and will probably be around a long while yet. Don't expect a system to be perfectly secure, ever, especially if it's running 3rd party software that opens the system to any network, much less the Internet.
Well most Windows security flaws were also "not in the kernel." In fact, almost all of them revolved around the web server (IIS), or Outlook/Office (client apps.). And out of those, most had to be user initiated.
But wait, since it happened on Windows, it must all be the OS, where if it happened on Linux, it certainly isn't Linux fault since it "didn't happen in the kernel."
*Puleeze*
Stop with the BS and hypocrisy - it's getting real tiring.
People run the OS and the accompanying programs/services - not just the kernel.
The bottom line is: for people running Linux, there are security flaws, and you are at risk - regardless if it is strictly in the kernel or not.
I clicked on the story thinking I would have to update my system or something.
AWSTATS is a rather obscure piece of software. As I understand it, AWSTATS is a web-based statistics tool. I imagine if it runs on Windows the same issue would exist?
The flaw is the whole concept of Linux as bolted together pieces of software. It's a nightmare to keep systems updated, and to even be sure if a vulnerability affects you. This is why patching and updating Windows 2003 server based systems is so much less expensive than Linux. Also of course also that they have far fewer vulnerabilities than Linux, and those that they do have are on average fixed faster.
These virus writers need to get on the ball quicker. If it were a Windows vulnerability such a worm would have probably been released within a week of patching the flaw.
This worm exploits three applications, not the Linux operating system.
The same applications would have been equally exploitable if they would be running on any other operating system (including different versions of Windows & even OS/2).
Authors should select their titles more cautiously.
It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.
But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.
I guess this means linux is no more a hobby OS and now is more mainstream and eventually flaws in the OS or the software installed on it will be exploited.
Ya, Linux is bigger now so people will start to take notice. But the author of this article intentionally named it wrong. This is not a Linux problem, as many of the other comments say. It's an XML problem in that certain third-party applications are being exploited. When windows gets a flaw, it's on windows software. No one blames Windows for a flaw in another program and we should do the same with Linux.
I can't believe the amount of "I'm right and you guys suck" attitudes there are on the comments here. Windows and linux both have their zealots. I believe both can be secured if kept updated and not run as administrator.
Small exploits have been used for years to compromise web servers running linux, freebsd, etc. Same thing said for windows of all flavors.
If you really worry about security then why not run openbsd? It's geared towards security and you could easily pop a nice gui-based administration on it to have an easy to administer server.
I am a bit inclined to use a linux server than a windows one though. Linux has a lot more administrative abilities than windows. Windows has never made it particularly easy to find hidden processes. Windows also doesn't provide as much choice as you might want for a dedicated server. You tend to run too many services on a windows server and it takes a lot of tweaking to get it perfect. Perhaps Vista will solve this with their custom install options.
Some Linux distributions on the other hand don't assume you want a lot of useless apps installed. Just install debian sarge with nothing but a firewall and apache for a web server. You save a lot of disk space and time.
Go with what works for you but I do like to save money by not paying for windows or microsoft's web software. Now let's all calm down and understand that there are plenty of opinions out there.
...instead of "See I told you so" we should be more about how to improve technology overall. While everyone is going to have their favorite OS, application, programming language, etc, the technology community should be focused on widespread improvement, innovation, advancement, and education. All the arguing just shows how off track a lot of techies have become.
I read your article, and I must say in response that a lot of us here are tired of the Linux zealots constantly bashing MS and Windows.
They have known all along that Linux has plenty of its own security flaws, but were unwilling to admit it.
Now something comes up that took advantage of these flaws, and the Linux zealots come out with "well it's not Linux' fault." or "it's not really Linux since it didn't happen in the kernel."
This is hypocrisy plain and simple.
I for one am tired of the Linux crowd.
Linux itself is subpar; I find it hard to install, lacking hardware support that takes *full* advantage of hardware as Windows does, fairly rough around the edges, horrible fonts, buggy applications, horrible printer, audio and network support, etc.
Yes, it is free... and I do not like Windows Activation policies... but Windows is worth every penny in frustration saved trying to get things to work in Linux.
However, it needs to be noted that running XP in a limited user mode renders your computer nearly useless. Many programs simply will not run, and to install apps you need admin rights, which in windows is all or none.
Windows permissions are decades behind, perhaps vista will advance it a bit, but will still be a performance and security nightmare because of MS's strange reluctance to dump two of the worst ideas in computing ever: the registry and ActiveX.
... your point for the benefit of those latecomers.
I hope you don't mind if I paraphrase.
Because Windows is so flawed, the Linux Zealots (LZ's from now on) respond to the many reports of exploited vulnerabilities with derision and mocking laughter.
Now that there is a report of a vulnerability in three applications that run on Linux, the LZ's will run and cower as MCSE graduates rightfully scorn the deluded minority.
>My point was not to get into the debate of Windows v Linux, but the veracity to which Linux lovers jump on stories regarding Windows flaws.
Similar to the veracity to which Windows lovers (apparently like yourself) jump on stories regarding Linux flaws. Windows lovers will even jump on stories that aren't really Linux flaws just to find something to jump on.
A simple read of either the McAfee or Symantec pages shows that the security vulnerability is actually in PHP/CGI scripts that MAY be installed. It might even be on a Windows machine.
When a major Windows flaw in Internet Explorer is announced, it's a major problem. When a minor flaw in a script that might be installed on a Linux machine somewhere is announced, it's not a major problem. Didn't stop you from jumping on it anyway though did it?
The fact of the matter is that a linux install, out of the box is far tighter than you could ever make windows, unless you unplug the windows box from the internet permanently.
Windows might have something similar to a root/user config, but the majority of windows apps can not run in a limited account. Windows is near unusable in a limited account.
As for this problem it is not a Linux issue. It has also been fixed for quite some time. That is another major difference between windows and open source. Windows vulnerabilities, normally do not even get acknowledged until a problem occurs, and then a half-assed workaround is implemented. Open source vulnerabilities are more often than not found and fixed in days. That is a huge difference.
Another point, the whole "windows gets attacked more because of market share" argument is bogus. IIS servers have the majority share of vulnerabilities, but a small market share. Where are all the massive amounts of live code attacking Apache? MICROSOFT PRODUCTS GET ATTACKED MORE OFTEN BECAUSE IT IS EASIER.
Try to write a virus for any *nix variant, including OSX that will spread itself. When you give up 12 months later, go ahead and spend 15 minutes writing one for windows and then come here and say that windows is more secure.
And I've even tried to keep my web server up to date with security patches. The attacker somehow also gained root privileges and erased my server log files. I'm off to reinstall the entire thing. Damn...
Can you elaborate? I'm not trying to be funny, I really am curious. This specific vulnerability, someone else in the comment said it was 10 months old. And someone else said it requires 3 different exploits to be used together.
I don't know if any of that is true. I went to php.net and checked the changelogs to try and see which version has an exploit vulnerability, but it's all greek to me.
The gaining of root privileges is worrying. Were you running the server as root? Was your password strength good? Come on, be honest, or was it bunnylove123. And that's not my password! Don't try it ;)
Most of the news stories lay an emphasis on whether the virus or the worm affects open source (Linux) or Windows or even Mozilla. It is no longer a question of the brand name of the software whether it concerns a browser or an operating engine or a router. Cisco recently fired its star researcher when he talked about the flaw contained in the software powering its high-end routers. Probably the wireless adapters have a flaw in the software powering the adapters whether they are manufactured by sprint, linksys or the one I use and like D-Link.
The reason for not making so much fuss about the brand name or the product name is that the flaw or the virus has nothing to do with the product name or the brand name. It has to do with the internet infrastructure in place. If it remains in place the doom and gloom is in the future or in the karma of the internet.
This has been thoroughly discussed at http://www.newerawisp.blogspot.com/
What makes the need for the new Infrastructure so urgent is that even the security softwares of most popular security systems like Symantec are not immune from the virus attacks.
Even the IT people have admitted that they are completely frustrated.
People need to hear about the new flaws. But let not these stories appear like they were first time appearances.
Now, whether you like it or not, lupper targets systems running linux (not windows systems, not OSX, not FreeBSD, etc.) Just like IIS worms target windows systems.
(And yes, I'm well aware of the fact that this is not something in the OS)
Here's the thing, it's safe to say windows isn't too secure (has everybody forgotten sasser and..whatever the dcom worm was called.) But it's safer to say Microsoft software is insecure, that way you not only get windows in there, but you also get the benefit of all the iis worms and holes and the office/outlook holes.
This worm exploits three applications, not the Linux operating system.
The same applications would have been equally exploitable if they would be running on any other operating system (including different versions of Windows & even OS/2).
And no, I am not a Linux Zealot! :-). I work on Microsoft technologies.
It is very easy to be zealous about a particular company's products or a particular technology, and believe that everything else is just rubbish.
But this world will be a better place if we accept that each technology has its own advantages (and disadvantages) and has its own role to play in enabling people to do better than they would do without it.
Thanks & regards,
Neel.
Symantec Software.
My Site: http://www.geocities.com/nerdyneel
IMHO
There is a trend to say that if it impacts Linux, it is an application problem, and if it impacts Windows, is a Windows problem.
In my opinion this is astroturfing.
I understand Linux is just a kernel, but several tools are considered part of Windows that are outside the kernel as well.
We can't fairly compare all vulns in the entire Windows platform to only the vulns in the Linux kernel.
For sake of trying to use a similar metric, I use this rule.
If it shipped with the distribution, it can be considered a vuln with GNU/Linux.
If it was not shipped with Windows or GNU/Linux, it is an application vuln.
There are obviously some gray areas with this, but in general it is a good way to stay on the same page.
I clicked on the story thinking I would have to update my system or something.
AWSTATS is a rather obscure piece of software. As I understand it, AWSTATS is a web-based statistics tool. I imagine if it runs on Windows the same issue would exist?
Correct me if I'm wrong. Thanks.
I hope you don't mind if I paraphrase.
Because Windows is so flawed, the Linux Zealots (LZ's from now on) respond to the many reports of exploited vulnerabilities with derision and mocking laughter.
Now that there is a report of a vulnerability in three applications that run on Linux, the LZ's will run and cower as MCSE graduates rightfully scorn the deluded minority.
Bout right?
Similar to the veracity to which Windows lovers (apparently like yourself) jump on stories regarding Linux flaws. Windows lovers will even jump on stories that aren't really Linux flaws just to find something to jump on.
A simple read of either the McAfee or Symantec pages shows that the security vulnerability is actually in PHP/CGI scripts that MAY be installed. It might even be on a Windows machine.
When a major Windows flaw in Internet Explorer is announced, it's a major problem. When a minor flaw in a script that might be installed on a Linux machine somewhere is announced, it's not a major problem. Didn't stop you from jumping on it anyway though did it?
Nice try though.