Don Erickson wrote:
Here's an article about the "linux worm".
No. The worm that is mentioned, luppi, exploits vulnerabilities in PHP...
--
Garrett Goebel
IS Development Specialist
ScriptPro
5828 Reeds Road, Mission, KS 66202
Direct: 913.403.5261 Main: 913.384.1008 Fax: 913.384.2180
www.scriptpro.com
garrett at scriptpro dot com
On Tue, 15 Nov 2005, Garrett Goebel wrote:
No. The worm that is mentioned, luppi, exploits vulnerabilities in PHP...
Yes, the XML-RPC vulnerability in PHP, awstats, and WebHints, which I am not familiar with.
While you are correct that these holes aren't in Linux itself, they are holes in programs that are distributed with and run on Linux. Since all of these holes have been patched and a simple upgrade will fix them, I think that people running Apache on Linux should be aware of the worm's existence.
This looks like an excellent time to bring up a central point of Microsoft's "Linux is less secure than Windows" argument, which goes like this: "Linux is less secure than Windows because there were only 4,765 security alerts issued for Windows last year, but there were 7,325 alerts for unix & linux systems." Feel free to insert bogus statistics of your choice.
The problem with this argument is that Linux distributions take responsibility for 3rd party code that they package to run on their dist. Windows only counts security alerts for code that they author/maintain.
Nobody's blaming Windows for the Sony "rootkit", for example, yet any advisories about (sometimes trivially minor) security holes in code that runs on Linux get counted as a "Linux Security Threat."
Regards,
-Don