“In my time as a Security Administrator for a Solaris shop, I
had to give the occasional briefing to my boss: We’re vulnerable. A
new security hole has just been discovered and every major
Unix/Linux is vulnerable, from Solaris to Irix to Red Hat Linux.
After briefing my boss on our risk and my plans to do something
about such, he asks me the same question: “Can you find an
exploit?” Rather often, I’ve had to answer, “nope.”
“Actually, my answer is usually something like: “I’ve found an
exploit against the Linux version, but no one’s releasing it widely
for Solaris yet.” My boss is both partially relieved and partially
bothered. Why?….”
“I may be wrong here. It’s possible that exploits are quickly
coded for every Unix/Linux out there, but that the only ones widely
distributed are for Linux/FreeBSD 1. Well, then, the difference is
chiefly academic! In reality, I don’t have a large number of script
kiddies running exploits against my Solaris boxes, while many of
them are constantly hammering at the Linux boxen.”
“In any case, this is a serious strike against Linux’s
security as a server operating system. Linux seems to have become
the “number 1 target.” The bulk of the new exploit code is
coming out for Linux, even for vulnerabilities present in all
Unices.”