The honest answer is any version of Linux you use is going to have significant security vulnerabilities right out of the box as well. LWN.NET is a website for Linux users that maintains vulnerability lists for many common Linux distros, and there are literally hundreds of holes listed for most versions of Linux (http://lwn.net/Alerts/). And while Linux distros have a large number of unplugged holes to begin with, you will also find the method of patching Linux is in most cases more difficult than applying patches for Windows or OSX. Rather than just simply "pointing and clicking", you will often find yourself at the command line typing obscure commands. As an example, here are the procedures for a patch for Suse dated December 4 (http://lwn.net/Alerts/61612/):
**** Step 1: Determine the needed kernel type
Please use the following command to find the kernel type that is
installed on your system:
rpm -qf /boot/vmlinuz
The following options are possible (disregarding the version and build
number following the name, separated by the "-" character):
k_deflt # default kernel, good for most systems.
k_i386 # kernel for older processors and chipsets
k_athlon # kernel made specifically for AMD Athlon(tm) family processors
k_psmp # kernel for Pentium-I dual processor systems
k_smp # kernel for SMP systems (Pentium-II and above)
**** Step 2: Download the package for your system
Please download the kernel RPM package for your distribution with the
name starting as indicated by Step 1. The list of all kernel rpm
packages is appended below. Note: The kernel-source package does not
contain any binary kernel in bootable form. Instead, it contains the
sources that the binary kernel rpm packages are made from. It can be
used by administrators who have decided to build their own kernel.
Since the kernel-source.rpm is an installable (compiled) package that
contains sources for the linux kernel, it is not the source RPM for
the kernel RPM binary packages.
The kernel RPM binary packages for the distributions can be found at these
locations below
ftp://ftp.suse.com/pub/suse/i386/update/
7.3/kernel/2.4.18-20031204
8.0/kernel/2.4.18-20031204
8.1/rpm/i586
8.2/rpm/i586
9.0/rpm/i586
After downloading the kernel RPM package for your system, you should
verify the authenticity of the kernel rpm package using the methods as
listed in section 3) of each SUSE Security Announcement.
**** Step 3: Installing your kernel rpm package
Install the rpm package that you have downloaded in Steps 3 or 4 with
the command
rpm -Uhv --nodeps --force <file>
where <file> is the name of the rpm package that you downloaded.
Warning: After performing this step, your system will likely not be
able to boot if the following steps have not been fully
applied.
If you run SUSE LINUX 8.1 and haven't applied the previous
kernel update (SUSE-SA:2003:034), AND use the freeswan package,
you also need to update the freeswan rpm as a dependency as offered
by YOU (Yast Online Update). The package can be downloaded from
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
**** Step 4: configuring and creating the initrd
The initrd is a ramdisk that is being loaded into the memory of your
system together with the kernel boot image by the bootloader. The
kernel uses the content of this ramdisk to execute commands that must
be run before the kernel can mount its actual root filesystem. It is
usually used to initialize scsi drivers or NIC drivers for diskless
operation.
The variable INITRD_MODULES (set in the files /etc/rc.config up to
7.3) or /etc/sysconfig/kernel (after and including 8.0)) determines
which kernel modules will be loaded in the initrd before the kernel
has mounted its actual root filesystem. The variable should contain
your scsi adapter (if any) or filesystem driver modules.
With the installation of the new kernel, the initrd has to be
re-packed with the update kernel modules. Please run the command
mk_initrd
as root to create a new init ramdisk (initrd) for your system.
On SuSE Linux 8.1 and later, this is done automatically when the
RPM is installed.
**** Step 5: bootloader
If you have a 7.x system, you must now run the command
lilo
as root to initialize the lilo bootloader for your system. Then
proceed to the next step.
If you run a SUSE LINUX 8.x or a SLES8 system, there are two options:
Depending on your software configuration, you have the lilo bootloader
or the grub bootloader installed and initialized on your system.
The grub bootloader does not require any further actions to be
performed after the new kernel images have been moved in place by the
rpm Update command.
If you have a lilo bootloader installed and initialized, then the lilo
program must be run as root. Use the command
grep LOADER_TYPE /etc/sysconfig/bootloader
to find out which boot loader is configured. If it is lilo, then you
must run the lilo command as root. If grub is listed, then your system
does not require any bootloader initialization.
Warning: An improperly installed bootloader may render your system
unbootable.
**** Step 6: reboot
If all of the steps above have been successfully applied to your
system, then the new kernel including the kernel modules and the
initrd should be ready to boot. The system needs to be rebooted for
the changes to become active. Please make sure that all steps are
complete, then reboot using the command
shutdown -r now
or
init 6
Your system should now shut down and reboot with the new kernel.
(end excerpt)
That may be easy for you and you may even look forward to it. But the bottom line remains there are many default holes in Linux, and they are typically harder to patch, no matter what the Linux crowd may want you to believe.
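To make the excerpted procedure concrete, here is an added dry-run planner (not from the SUSE advisory or the poster) that encodes the advisory's decision rules from Steps 1, 2, 4 and 5 as shell functions and prints the commands a given system would need; it installs nothing. Inputs are passed as arguments so it runs offline on constructed values, and `rpm --checksig` is assumed here as the stand-in for the signature check the advisory defers to its "section 3".

```shell
# Added example, not from the SUSE advisory or the post: a dry-run planner
# that applies the advisory's rules to values supplied as arguments.
# It never installs, rebuilds an initrd, runs lilo, or reboots.

# Step 1: the kernel flavour is the package name before the first "-".
# $1 is the output of: rpm -qf /boot/vmlinuz   (e.g. k_smp-2.4.18-20031204)
kernel_flavor() {
    printf '%s\n' "${1%%-*}"
}

# Step 2: directory under ftp://ftp.suse.com/pub/suse/i386/update/ that
# holds the kernel RPMs for a release, as listed in the advisory.
package_dir() {
    case "$1" in
        7.3|8.0)     printf '%s/kernel/2.4.18-20031204\n' "$1" ;;
        8.1|8.2|9.0) printf '%s/rpm/i586\n' "$1" ;;
        *)           return 1 ;;   # release not covered by this advisory
    esac
}

# Steps 4 and 5: commands that must still be run by hand after rpm -Uhv.
# $1 = release, $2 = LOADER_TYPE from /etc/sysconfig/bootloader
# (ignored on 7.x, which always uses lilo). Before 8.1 the initrd is not
# rebuilt by the RPM, so mk_initrd is required there.
post_install_steps() {
    steps=""
    case "$1" in
        7.*)     steps="mk_initrd lilo" ;;
        8.0)     steps="mk_initrd"
                 if [ "$2" = lilo ]; then steps="$steps lilo"; fi ;;
        8.*|9.*) if [ "$2" = lilo ]; then steps="lilo"; fi ;;
        *)       return 1 ;;
    esac
    printf '%s\n' "$steps"
}

# Print the whole sequence. $1 = rpm -qf output, $2 = release,
# $3 = LOADER_TYPE. <file> is a placeholder for the downloaded package.
plan() {
    flavor=$(kernel_flavor "$1") || return 1
    dir=$(package_dir "$2") || return 1
    printf 'download ftp://ftp.suse.com/pub/suse/i386/update/%s/%s-*.rpm\n' "$dir" "$flavor"
    printf 'rpm --checksig <file>   # verify the signature before installing\n'
    printf 'rpm -Uhv --nodeps --force <file>\n'
    for s in $(post_install_steps "$2" "$3"); do printf '%s\n' "$s"; done
    printf 'shutdown -r now\n'
}
```

Running `plan "$(rpm -qf /boot/vmlinuz)" 8.0 lilo` on a real box would print the download location, the verify and install commands, then mk_initrd, lilo and the reboot; on 8.2 with grub the post-install lines disappear, which is exactly the difference the advisory's Steps 4 and 5 describe.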
Oh, come on. SuSe is a tweak's Linux, not for beginners, and generally more popular in Europe than the USA. Nobody running Red Hat, Debian, or Mandrake (which is a modified Red Hat, made even easier for beginners) ever has to deal with that stuff.
By the way, that patch you cite the complicated installation for would not let a net user onto his machine -- it would let a LOCAL user, someone who sits at the keyboard and HAS HIS OWN LOGIN, get root access (which is bad. Root access is superuser access, which means that you can modify any file -- kind of like any user on a Windows box).
What concerns Dennis, I think, is not that his housemaid is a secret hacker able to get root on his finance box, but more likely malware coming over the net -- the technical term for this is a "remote exploit." If you are not concerned about in-house abuse of your system, you can only patch "remote exploits" forever, and you'll never have a problem.
Also, one thing worth noting: Dennis's plan seems to be to have his financial stuff on one box with *n*x and his regular surfing, FReeping, and email on another -- this makes the odds of a remote exploit MUCH lower. (Still, best policy is to stay up to date.)
d.o.l.
Criminal Number 18F