In this post I'm referring to white hats and black hats. It's a pretty widespread set of terms, but for those of you who don't know:
White hats are the good guys. In this case it's people who work toward system security. They include Ubuntu staff, upstream developers and testers, general security organizations like CERT, and well intentioned users who might report a problem.
Black hats are the guys who want to break into systems they don't own or have legal access to for one or more nefarious purposes.
Take a look here:
http://www.ubuntu.com/usn/
This is the list of vulnerabilities in Ubuntu, published on the official Ubuntu web site. Yes, they exist, EVERY operating system has them.
Usually, this list has at least temporary solutions for every item. Which means if you keep your system up to date you're probably pretty safe. But people put way too much faith on this.
What nobody seems to think about is that for every one of these items, there is a period of time between the discovery of the vulnerability BY A WHITE-HAT and the release of a fix. That period of time is sufficient for somebody to validate the problem, think of a solution (at least a temporary one) test it and then release the fix. Could be minutes or weeks. For minor issues or issues they don't believe to be publicly known they might wait to make the announcement until they have a fix.
There's also the period of time BEFORE the white hats learned of the vulnerability, in which time a black-hat hacker could have known about it. They might have an exploit active already, and just because Ubuntu knows about the vulnerability doesn't mean they know about an exploit out "in the wild". Sometimes the way Ubuntu knows about the problem is because somebody is actively exploiting it in a malicious way. In that case it's the time it takes the victim to realize they have a problem, realize they can't do anything about it, decide whether to report it and then have some expert come in and see what happened. The potential time period here is from the time the software was written (could have been a black-hat added an exploit that nobody noticed!) until right now, whenever you read this.
As far as I've ever seen, Ubuntu fixes vulnerabilities, but if you're one of the unlucky ones who have already been exploited, then chances are even if you keep up with your updates you'll still have the malware even after the fix was applied.
Bookmarks