Holy Buffer Overflows Batman!

Buffer overflow errors are not just Microsoft's problem. Nor are they just a Windows issue. News.com today reports that IBM's DB2 database program for Linux has an easy-to-exploit buffer overflow vulnerability that lets anyone get root access to the entire data store. Yeah, OK, the RPC issue in Windows was a big deal, but MSBlaster was only a nuisance. Slammer was the same way... it flooded ports and brought databases offline, but the sensitive information inside was not compromised.

I sure hope this gets a lot of press. I'm sick and tired of seeing all the crap about how Linux is bullet-proof and Windows is like Swiss cheese. This exploit shoots a pretty big hole right through that argument. At least I KNOW my data is safe in MS SQL Server.
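The bug class the post is talking about does not depend on the operating system: a network-facing service copies attacker-controlled bytes into a fixed-size buffer without checking the destination size. The following is an added illustration, not code from the post, from DB2, or from any of the products named in the thread. It uses a constructed, hypothetical wire format (one length byte followed by that many bytes of name) so it runs offline; the function and constant names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size destination, as in the classic stack-buffer case. */
#define NAME_MAX 32

/*
 * Vulnerable form: the parser validates the *message* (is the declared
 * length actually present?) but never validates the *destination*.
 * A length byte larger than NAME_MAX - 1 writes past 'name' on the
 * caller's stack. This is the pattern behind remote-root overflows in
 * daemons; nothing about it is Windows- or Linux-specific.
 */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char *name /* NAME_MAX bytes */)
{
    if (msg_len < 1)
        return -1;
    size_t n = msg[0];
    if (msg_len < 1 + n)
        return -1;                 /* message is shorter than it claims */
    memcpy(name, msg + 1, n);      /* BUG: n is never compared with NAME_MAX */
    name[n] = '\0';
    return (int)n;
}

/*
 * Hardened form: the destination capacity is part of the function's
 * contract and is checked before any byte is written. Oversized input
 * is rejected outright rather than silently truncated, so the caller
 * sees an error instead of a mangled name.
 */
int parse_name_bounded(const uint8_t *msg, size_t msg_len, char *name, size_t name_cap)
{
    if (msg_len < 1 || name_cap == 0)
        return -1;
    size_t n = msg[0];
    if (n >= name_cap)
        return -1;                 /* must leave room for the terminator */
    if (msg_len < 1 + n)
        return -1;
    memcpy(name, msg + 1, n);
    name[n] = '\0';
    return (int)n;
}

/* Constructed sample: a well-formed 5-byte name. Returns 1 on success. */
int demo_valid_message(char *out, size_t out_cap)
{
    const uint8_t msg[] = { 5, 'a', 'd', 'm', 'i', 'n' };
    return parse_name_bounded(msg, sizeof msg, out, out_cap) == 5;
}

/* Constructed sample: length byte of 200 with a 200-byte body, i.e. the
 * overflow case. Only the bounded parser is called here; feeding this
 * message to parse_name_unchecked would smash the stack. Returns 1 if
 * the bounded parser rejects it. */
int demo_oversized_rejected(void)
{
    uint8_t msg[1 + 200];
    char name[NAME_MAX];
    memset(msg, 'A', sizeof msg);
    msg[0] = 200;
    return parse_name_bounded(msg, sizeof msg, name, sizeof name) == -1;
}

/* Constructed sample: a message that claims 10 bytes but carries 2.
 * Returns 1 if the bounded parser rejects it. */
int demo_short_message_rejected(void)
{
    const uint8_t msg[] = { 10, 'a', 'b' };
    char name[NAME_MAX];
    return parse_name_bounded(msg, sizeof msg, name, sizeof name) == -1;
}

int main(void)
{
    char name[NAME_MAX];
    printf("valid message parsed:      %s\n", demo_valid_message(name, sizeof name) ? "yes" : "no");
    printf("oversized length rejected: %s\n", demo_oversized_rejected() ? "yes" : "no");
    printf("short message rejected:    %s\n", demo_short_message_rejected() ? "yes" : "no");
    return 0;
}
```

The check that matters is the one against the destination, not the one against the message; the unchecked version already has a length check and is still exploitable. Compiler mitigations (stack canaries, non-executable stacks) raise the cost of exploitation but do not remove the bug, which is why the fix belongs in the parser.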

7 Comments

  • I think you should always assume that your data is not safe regardless of what database it is on and act accordingly.

  • Well, of course, but how are you gonna protect yourself from a buffer overflow?

  • Ya know, a year or two back Red Hat's rpc.statd had a buffer overflow that allowed for rooting of the box.

    I personally saw more data loss and more people infected by that than I did by Blaster, although Blaster did infect a great deal more than I suspect the entirety of the Linux user pool.

    These machines were, instead of being used in DDoS rings, being used as pirated file distribution centers, open proxies, eggdrop bots, launch platforms for additional, more intrusive exploiting and other such things.

    Still... I had to spend a while researching to figure out what was going on; several of the machines were cleaned up before I saw any mention of it in the mass media.

  • You "KNOW" your data is safe in SQL Server. How? Have you personally reviewed every line of code and verified there are no bugs, no security holes?

    Sounds to me like a classic case of burying your head in the sand.

    Taking such an extreme position is as bad as any Microsoft-bashing statements from the Linux community.

  • How is knowing my data is safe an extreme position? I know it's safe in SQL Server based on its track record. The funny thing about knowledge is that it changes from day to day. What I know today may be different tomorrow. It usually is. But that's OK. It's not extreme.

    And I am the last person on earth you will ever find burying their head in the sand when it comes to technology.

  • Quote: IBM's DB2 Database program for Linux has an easy to exploit buffer overflow vulnerability

    Note: It is not Linux that is vulnerable, it is IBM's program that is vulnerable.

    Quote: MSBlaster was only a nuisance

    Note: If MSBlaster had used the exploit to the maximum, it could have erased all the data from a computer.

    Just curious, are you just missing out these facts or are you deliberately trying to spread Fear, Uncertainty and Doubt?

  • The vulnerability only manifested itself on the Linux version. If you took my statement to read that it was a Linux issue, sorry. My statement meant that buffer overflow issues don't just happen on Windows.

    Blaster could have been worse. It wasn't. It could (possibly) have deleted data if it had fully exploited the vulnerability. It didn't. I was speaking to data store vulnerabilities, not OS vulnerabilities.

    You call it FUD, and that's your prerogative. I call it awareness. Plain and simple.
