Linked by Jordan Spencer Cunningham on Fri 14th Aug 2009 02:29 UTC
Linux It's the end of the world. Again. According to some Linux developers and security researchers, a bug in the Linux kernel has just been uncovered that makes just about every distribution utilizing kernel 2.4 and 2.6 on just about all architectures since May of 2001 vulnerable to a certain kind of attack.
At least it is local
by Priest on Fri 14th Aug 2009 04:00 UTC
Priest
Member since:
2006-05-12

It looks like it could be pretty serious, but at least it requires a local account to escalate privileges from in the first place.

Still a big deal, but not the end of the world.

Reply Score: 5

Comment by big_gie
by big_gie on Fri 14th Aug 2009 04:12 UTC
big_gie
Member since:
2006-01-04

These kinds of bugs happen often in the Linux kernel. What makes this one special is the fact that virtually _all_ versions since 2.4 are affected.
This means that as long as it is not patched, a huge majority of Linux machines might be vulnerable, making an attack more likely to succeed...
It's the same reason why so much malware exists on Windows: as soon as you write malware for it, you know you can affect a vast majority of machines.

Reply Score: 1

RE: Comment by big_gie - response times
by jabbotts on Fri 14th Aug 2009 11:23 UTC in reply to "Comment by big_gie"
jabbotts Member since:
2007-09-06

Windows popularity may relate to the number of attempts against it but the more important thing to consider is number of successful attacks and how long they remain effective. A hundred attacks is not a problem; 90 of those attacks being successful and remaining unpatched while known is a real problem.

The "Windows only has high malware counts because it's popular" myth tends to oversimplify and ignore the fact that success rates for those attacks remain high also.

Reply Score: 3

PlatformAgnostic Member since:
2006-01-02

I don't think actively-exploited vulnerabilities go unpatched for a long time. More often than not, the mass of exploitation occurs a few months after the patch has been released, as malware authors determine what's vulnerable from BinDiffing the patched binary against the original.

Reply Score: 3

jabbotts Member since:
2007-09-06

This also assumes systems are actively being patched and things like UAC flaws are not a "feature" ignored by the vendor. Or that flaws in the network driver are publicly denounced while leaving the customer base wide open for six months then quietly slipping a patch out.

We're still consistently seeing faster patch times on other platforms and more interest in addressing reported vulnerabilities. Attempts are not relevant, success rates and time to live are much more important.

Reply Score: 2

Milo_Hoffman
Member since:
2005-07-06

More recent kernels have a protection against this exploit, if they contain the mmap_min_addr feature and it is set correctly.


You can check your kernel via this:

# cat /proc/sys/vm/mmap_min_addr
65536


While we have not gotten any official word from Redhat, I did some spot checking and it looks like RHEL 4.8, RHEL 5.2, and RHEL 5.3 have this parameter set correctly.

But, beware, any use of SELinux will bypass the protections given by this kernel feature.

Reply Score: 8
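
The check from the comment above, expanded into a small audit script (an added example, not part of the original post). The function names are hypothetical, the 65536 reference is the value shown in the comment, and SELinux is only flagged for review because the comment reports that it bypasses the protection; the script does not inspect SELinux policy.

```shell
#!/bin/sh
# Added example: audit the NULL-page mapping protection (mmap_min_addr).
# Every function takes optional file paths so it can be run against
# constructed files as well as the live system.

# Reference value: the 65536 shown in the comment's output.
REFERENCE_MIN_ADDR=65536

# classify_min_addr VALUE
# Prints one of:
#   missing          no value (sysctl absent from this kernel)
#   invalid          not a decimal number
#   disabled         0, so low addresses are not protected
#   below-reference  non-zero but under REFERENCE_MIN_ADDR
#   ok               at or above REFERENCE_MIN_ADDR
classify_min_addr() {
    case "$1" in
        '')       echo missing ;;
        *[!0-9]*) echo invalid ;;
        *)
            if [ "$1" -eq 0 ]; then
                echo disabled
            elif [ "$1" -lt "$REFERENCE_MIN_ADDR" ]; then
                echo below-reference
            else
                echo ok
            fi ;;
    esac
}

# read_min_addr [FILE]
# Prints the sysctl value with whitespace stripped, or nothing if unreadable.
read_min_addr() {
    file="${1:-/proc/sys/vm/mmap_min_addr}"
    if [ ! -r "$file" ]; then
        return 0
    fi
    tr -d ' \t\n' < "$file"
}

# selinux_mode [ENFORCE_FILE]
# Prints "enforcing", "permissive" or "absent" (selinuxfs not mounted).
# Without an argument it tries the current and the older mount point.
selinux_mode() {
    file="$1"
    if [ -z "$file" ]; then
        for candidate in /sys/fs/selinux/enforce /selinux/enforce; do
            if [ -r "$candidate" ]; then
                file="$candidate"
                break
            fi
        done
    fi
    if [ -z "$file" ] || [ ! -r "$file" ]; then
        echo absent
        return 0
    fi
    case "$(tr -d ' \t\n' < "$file")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# audit_null_page_protection [MIN_ADDR_FILE] [SELINUX_ENFORCE_FILE]
# Prints a one-line verdict. Exit status 0 means "pass", 1 means "review".
# "review" is raised when the sysctl is not at the reference value, or when
# SELinux is in use (assumption taken from the comment, not verified here).
audit_null_page_protection() {
    value=$(read_min_addr "$1")
    state=$(classify_min_addr "$value")
    selinux=$(selinux_mode "$2")
    verdict=review
    if [ "$state" = ok ] && [ "$selinux" = absent ]; then
        verdict=pass
    fi
    echo "mmap_min_addr=${value:-unset} state=$state selinux=$selinux verdict=$verdict"
    [ "$verdict" = pass ]
}

# Report on the running system; the exit status is kept informational here.
audit_null_page_protection || true
```
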

PlatformAgnostic Member since:
2006-01-02

Are you being sarcastic about SELinux, or does enabling it somehow disable the mmap-min-address countermeasure?

Reply Score: 3

sakeniwefu Member since:
2008-02-26

No, he isn't.
SELinux does disable that for its own secret reasons.
Anyways what strikes me is that nobody noticed before. Trying to allocate the 0th page sounds like something that would happen often (in buggy code) and that would sound many alarms if successful. Especially as we know it would fail on some systems.
All the exploit is a bit unbelievable but that particular point is amazing.

Reply Score: 3

Bill Shooter of Bul Member since:
2006-07-14

Yeah, it's useful for embedded systems somehow. So that's why it's not an automatic crash in Linux. I remember this issue coming up a while ago, but not the specific reason why.

Reply Score: 2

WinXP
by J.R. on Fri 14th Aug 2009 05:02 UTC
J.R.
Member since:
2007-07-25

What I find interesting about this is that every Linux fanboy usually argues that WinXP is insecure because it runs as admin by default. (personally I find that argument bogus since it does not take into account the value of the "to be protected" content, but that is another discussion).

Now, since this Linux vulnerability pretty much says "assuming that I have local access I can get root for free", won't that in practice mean that every remote exploit in any common user level application (including server applications) is in practice a remote root exploit for the last 8 years? Considering that after you compromised the local user account through an application level exploit you can further gain root access on every Linux release for the last 8 years...not unlike exploiting a user level application on WinXP and gaining admin privileges?

My point is that this vulnerability may appear to be harmless since it "requires local access", but won't this have a deeper significance since the whole "linux is more secure than winxp because winxp runs as admin by default" argument pretty much is dead, considering that this vulnerability existed for the same 8 years as the WinXP issue?

Just my 2c.

Edited 2009-08-14 05:04 UTC

Reply Score: 1

RE: WinXP
by Moredhas on Fri 14th Aug 2009 05:15 UTC in reply to "WinXP"
Moredhas Member since:
2008-04-10

True, but now Linux fan boys like me can take a different tack: The Worst Bug Ever in Linux is patched. UAC still has a gaping intentional loophole so Microsoft can let Notepad.exe run as admin. When a security hole is found in Linux, it gets fixed. When one is found in Windows, Microsoft either clam up, blame the users, or issue a patch years late.

Reply Score: 22

RE[2]: WinXP
by UltraZelda64 on Fri 14th Aug 2009 05:35 UTC in reply to "RE: WinXP"
UltraZelda64 Member since:
2006-12-05

True, but now Linux fan boys like me can take a different tack: The Worst Bug Ever in Linux is patched.

LMFAO. Nice wording. ;)

Admitting to being a fanboy while proving a point is always funny. [No real arguments against your point, though.]

Edited 2009-08-14 05:37 UTC

Reply Score: 2

RE[2]: WinXP
by LighthouseJ on Fri 14th Aug 2009 06:18 UTC in reply to "RE: WinXP"
LighthouseJ Member since:
2009-06-18

The problem is you think that *this* is the worst bug ever found.

You don't know what you don't know. There could be plenty more egregious ones out there, ones that can rival Windows ones.

Reply Score: 5

RE[3]: WinXP
by Beta on Fri 14th Aug 2009 08:05 UTC in reply to "RE[2]: WinXP"
Beta Member since:
2005-07-06

The problem is you think that *this* is the worst bug ever found.

It may be the worst bug found so far.

You don't know what you don't know. There could be plenty more egregious ones out there, ones that can rival Windows ones.

And there could be plenty more egregious ones in Windows that haven’t been discovered as well.
Well done for making a non-point.

Reply Score: 4

RE[4]: WinXP
by Carewolf on Fri 14th Aug 2009 13:45 UTC in reply to "RE[3]: WinXP"
Carewolf Member since:
2005-09-08

No this is not the worst by far. It is a privilege escalation bug, that's pretty common and not that dangerous to the common Linux user. It only makes trojans more dangerous, but the viruses and trojans have to get in first. This mainly means local users can get more privileges, but local users are usually employees or device owners.

No, the most serious bug in Linux was the big one in ssh, which allowed remote access to most Linux servers (used in Matrix 2, btw).

Reply Score: 2

RE[5]: WinXP
by Lunitik on Sat 15th Aug 2009 22:45 UTC in reply to "RE[4]: WinXP"
Lunitik Member since:
2005-08-07

That wasn't a kernel bug, and wasn't even a bug that affected upstream - you didn't even realize it was actually SSL, not SSH...

That bug was specific to distros based on Debian, because the maintainer of SSL decided to cut corners to make maintenance easier for himself.

Anyway, when Microsoft finally patches the UAC bug that allows escalated privileges - apparently by design - then Windows users can feel free to point at things like this in Linux.

Since Microsoft has stated the flaw is there on purpose, it'll never get patched... this flaw is already patched, it just needs to be applied to current installations.

Reply Score: 2

RE[6]: WinXP
by Carewolf on Sun 16th Aug 2009 16:25 UTC in reply to "RE[5]: WinXP"
Carewolf Member since:
2005-09-08

No I am talking about another much older vulnerability. Note I said the bug was featured in Matrix 2 as a way of hacking? It was discovered in 2001 or 2002, and compromised ssh upstream, making not only Linux but even OpenBSD vulnerable.

Edited 2009-08-16 16:32 UTC

Reply Score: 1

RE[6]: WinXP
by brandonlive on Sun 16th Aug 2009 22:22 UTC in reply to "RE[5]: WinXP"
brandonlive Member since:
2008-05-31

Your FUD / lies about Windows aren't appreciated.

There are no known bugs that allow privilege escalation across security boundaries on Windows. A standard user account cannot attain admin privileges without admin credentials. And there are no known vectors for going from Low IL to Medium/High IL without user consent in the default configuration (there are medium -> high vectors on Win7, but they're by design - an option exists to disable them in the UAC control panel. But for most users that is a non-issue. Running High IL apps on the same desktop is risky to begin with since ILs are not a security boundary).

Reply Score: 0

RE: WinXP
by juvenile4909 on Fri 14th Aug 2009 05:32 UTC in reply to "WinXP"
juvenile4909 Member since:
2007-08-04

How is XP relevant to the Linux bug kernel being patched? Why go into snippets of opinions on an ongoing debate? All that matters is, it got fixed/patched. Even though this was Linux, it's still an eye opener for the industry as a whole.

Reply Score: 4

RE: WinXP
by Jokel on Fri 14th Aug 2009 06:58 UTC in reply to "WinXP"
Jokel Member since:
2006-06-01

Hmm.. You would be right if it was a bug that was KNOWN for 8 years. Fact is - this bug is only discovered a short while ago and is already being taken care of...

I am sure there are a LOT of yet undiscovered bugs in EVERY OS now at this moment! If you are using Windows, OSX, Beos, BSD or whatever there WILL be undiscovered bugs in it - waiting to be exploited. No OS will escape that.

The problem is - you cannot use an undiscovered vulnerability because - it's undiscovered. Simple. So saying Linux was vulnerable for 8 years is simply not true, because to use this as an exploit you have to know it exists. And nobody knew about it until very recently.

To put it differently - if you are saying Linux was vulnerable for 8 years, I can safely claim every OS on this planet is absolutely 100% unsafe because there are bugs in it that have not been discovered yet. Nobody knows about them or how they will work, but they are there, so they can be exploited right at this moment!

I am not saying Linux is more safe because it is perfect. No - Linux is safe because the moment something like this is discovered it is published and everybody is going to work on it to solve the problem as soon as possible.

Sorry - I had to react to this...

Reply Score: 12

RE[2]: WinXP
by J.R. on Fri 14th Aug 2009 08:15 UTC in reply to "RE: WinXP"
J.R. Member since:
2007-07-25

Hmm.. You would be right if it was a bug that was KNOWN for 8 years. Fact is - this bug is only discovered a short while ago and is already being taken care of...


That is a valid point, however, the fact that it was just published does not mean that no one else has known about it for years.

But I do see your point.

Reply Score: 4

RE[2]: WinXP
by _xmv on Fri 14th Aug 2009 09:43 UTC in reply to "RE: WinXP"
_xmv Member since:
2008-12-09

That's not quite true. Bugs that are not *public* might and are often already discovered and exploited by a few individuals only. It can stay like this for years.
There's not much you can do against it.
You can scratch your design and make one less bug-prone, or invent something no one else thought about that's 100% secure (good luck with that)
Meanwhile we patch and do our best to make things as secure as possible


edit: note that this is 100% true with Windows, MacOSX and what-not as well

Edited 2009-08-14 09:44 UTC

Reply Score: 1

RE[3]: WinXP
by Lunitik on Sat 15th Aug 2009 22:47 UTC in reply to "RE[2]: WinXP"
Lunitik Member since:
2005-08-07

Since this flaw required local user access to exploit, I'm not sure it would have been very effective even before the patch?

Reply Score: 2

RE: WinXP
by gilboa on Fri 14th Aug 2009 09:08 UTC in reply to "WinXP"
gilboa Member since:
2005-07-06

... All of this would be true if this exploit was a known exploit, and the Linux kernel devs decided to simply ignore it for the past 8 years.

As far as we -know- (and I'll ignore any type of non-educated guess or unfounded speculations), once Linus was aware of this vulnerability, a fix was issued within 2 hours.
So unless anyone has solid evidence that one of the Linux devs was aware of this vulnerability and somehow refused to fix it (why!?!?), the 8 years that passed since the introduction of the code that caused this vulnerability is meaningless. I'd assume that both Linux and Windows have vulnerabilities that date back to Linux 2.0 and Windows NT 3.1...

However, I'd point to you what we know - as in previous known track record:
On one hand, MS refuses to fix the UAC escalation problem and on the other, Linux vulnerabilities are usually patched within a day - if not hours (If you've used RHEL you know what I mean).

... Oh, and unlike Microsoft, a fix will most likely land in all the affected kernel trees (as far as 2.0 if it was required) and not just the latest (2.6) kernel tree.
Would have Microsoft released a similar fix for Windows 2000 - or even Windows NT 4.0, if such a long term vulnerability was found in all NT kernel since 4.0? I somehow doubt it.

- Gilboa

Reply Score: 3

RE[2]: WinXP
by BluenoseJake on Fri 14th Aug 2009 15:23 UTC in reply to "RE: WinXP"
BluenoseJake Member since:
2005-08-11

... Oh, and unlike Microsoft, a fix will most likely land in all the affected kernel trees (as far as 2.0 if it was required) and not just the latest (2.6) kernel tree.
Would have Microsoft released a similar fix for Windows 2000 - or even Windows NT 4.0, if such a long term vulnerability was found in all NT kernel since 4.0? I somehow doubt it.

- Gilboa


I think that you may be wrong.

This has nothing to do with MS, and why should MS fix NT 4.0 in the same situation? It is much older than anything that should be in use in the linux community, seeing as this exploit exists in 2.6 and 2.4, and updates are no longer being applied to the 2.2 kernel, which last saw a change in 2005.

I really doubt that anybody would bother patching such an old kernel, when upgrading to 2.4 would be a better plan anyway. Anybody still running such an old kernel (the same as running NT 4.0) is such a small percentage of their users, that the work runs into a serious amount of effort for no good reason.

Reply Score: 3

RE[3]: WinXP
by gilboa on Sat 15th Aug 2009 13:33 UTC in reply to "RE[2]: WinXP"
gilboa Member since:
2005-07-06

As far as I remember, the 2.2 tree was active up until 2005 when the last maintainer left.
But nevertheless, given the fact that Linux is open source, if your embedded system depends on Linux 2.2, nothing stops you from taking the code and doing it yourself. (Did it myself)

However, if your embedded system requires Windows NT 4.0 (and you'll be amazed how many systems are still using NT 4.0), and MS refuses to patch the OS, you are screwed.

- Gilboa

Reply Score: 2

RE[4]: WinXP
by strcpy on Sat 15th Aug 2009 13:55 UTC in reply to "RE[3]: WinXP"
strcpy Member since:
2009-05-20

A good point. But then again the reality hits you.

As a wild idea, imagine yourself and few co-workers maintaining the 2.6 branch even for a year. That is one reason why Linux is increasingly a no-no where I work.

Nevertheless, I applaud all who still work with the 2.4.

I take this opportunity to also note that the talk below (in all its infancy) about the Linux kernel has a tiny drop of truth in it, too. There is a reason why hardcore security people like Solar Designer stick with the 2.4 kernels.

Edited 2009-08-15 13:57 UTC

Reply Score: 1

RE[4]: WinXP
by BluenoseJake on Sat 15th Aug 2009 15:19 UTC in reply to "RE[3]: WinXP"
BluenoseJake Member since:
2005-08-11

As far as I remember, the 2.2 tree was active up until 2005 when the last maintainer left.
But nevertheless, given the fact that Linux is open source, if your embedded system depends on Linux 2.2, nothing stops you from taking the code and doing it yourself. (Did it myself)

However, if your embedded system requires Windows NT 4.0 (and you'll be amazed how many systems are still using NT 4.0), and MS refuses to patch the OS, you are screwed.

- Gilboa


The last update for NT 4 came in 2003, Kernel 2.2 for Linux in 2005. MS didn't stop updating critical bugs all that long before the kernel devs stopped updating 2.2

I also mentioned the 2.2 kernel was updated in 2005, but really, how likely that most organizations have a kernel hacker on staff to patch old crap like that?

Not that likely, in most small or medium organizations.
The fact that a person or organization can patch the kernel does not mean that they have the capabilities.

Reply Score: 2

RE: WinXP - WinXP still runs as admin
by jabbotts on Fri 14th Aug 2009 11:37 UTC in reply to "WinXP"
jabbotts Member since:
2007-09-06

Not really, WinXP still runs the user as admin unless you have an AD server. Nothing has changed. A flaw in the kernel of a different platform doesn't magically make this design fault in Windows go away.

In this case, Linux will be patched very quickly now that the fault is known. This very news article comes out after the bug patch is available. Now it's a matter of how fast the distributions can include the new kernel update.

Nothing fanboyish about it. I can still easily get admin on a windows box through known exploits where this exploit in a different platform will be addressed instead of called a "feature".

Reply Score: 4

RE: WinXP
by jabjoe on Fri 14th Aug 2009 12:43 UTC in reply to "WinXP"
jabjoe Member since:
2009-05-06

If running as admin wasn't a problem, why, as of Vista, has Windows itself moved away from this? You do understand that if you are running as admin, EVERYTHING that runs is running as admin. On any OS, that should scare you. Especially one where things are installed from random locations (i.e. not trusted repositories only). This Linux bug will be closed, and no doubt there will be others and they will also be closed, but no OS should just hand out admin without even trying to defend it.

Reply Score: 2

RE: WinXP
by Bill Shooter of Bul on Fri 14th Aug 2009 15:28 UTC in reply to "WinXP"
Bill Shooter of Bul Member since:
2006-07-14

There is a difference between trying to do the right thing and failing occasionally, and never trying at all.

Who do you want to design the next nuclear power plant in your back yard, a guy with years of experience in nuclear design and operation who, like many people, occasionally makes mistakes, or someone with an associate's degree in marketing who doesn't believe radiation is a problem?

If the expert screws up and kills everyone, you're just as dead as if the marketing guy had done it. But, given the choice, I'd still rather go with the expert. Clever mistakes are always more interesting than obvious ones. It will make the investigation into the accident more interesting for the survivors. It will give them something to focus on, to dull the radiation induced pain.

Reply Score: 3

exploit in ipx?
by reduz on Fri 14th Aug 2009 05:09 UTC
reduz
Member since:
2006-02-25

i mean, why even bother fixing? just remove ipx, no one uses it nowadays (and by no one i mean likely 99.999% users)

Reply Score: 3

RE: exploit in ipx?
by steogede2 on Fri 14th Aug 2009 10:39 UTC in reply to "exploit in ipx?"
steogede2 Member since:
2007-08-17

i mean, why even bother fixing? just remove ipx, no one uses it nowadays (and by no one i mean likely 99.999% users)


99.999% is a lot more than 'no one' - wouldn't 0.001% be closer?

Reply Score: 2

RE[2]: exploit in ipx?
by Lunitik on Sat 15th Aug 2009 22:49 UTC in reply to "RE: exploit in ipx?"
Lunitik Member since:
2005-08-07

I think he means 99.999999% do not use it...

Use some logic before posting.

Reply Score: 2

In perspective
by 3rdalbum on Fri 14th Aug 2009 06:07 UTC
3rdalbum
Member since:
2008-05-26

Let's put this into perspective.

Mac OS X had an easy local root vulnerability from 2000 to 2008. Apple was warned about it by their own staff member in 2004, and it was discovered outside Apple in 2006 or 2007 (I forget which year).

Apple patched it in August 2008.

The Linux kernel had an easy local root vulnerability from 2001 to 2009. The kernel team was warned about it recently and they fixed it before word got out to the public.

Apple's vulnerability could be exploited by a non-programmer and a single line of Applescript, the Linux vulnerability can be exploited by a programmer and some lines of C.

In short, Linux is not flawless, but it's in MUCH better shape than the proprietary desktop competition.

I am rather intrigued by the exploit code - I wonder if I could somehow use it to hack my embedded Linux devices?

Reply Score: 6

RE: In perspective
by steogede2 on Fri 14th Aug 2009 10:44 UTC in reply to "In perspective"
steogede2 Member since:
2007-08-17

Apple's vulnerability could be exploited by a non-programmer and a single line of Applescript, the Linux vulnerability can be exploited by a programmer and some lines of C.


What difference does that make? Whether the tool that makes use of the exploit is written in C or Applescript - once it has been created and added to some sort of toolset or worm, any skiddie can use it.

Reply Score: 2

RE[2]: In perspective
by 3rdalbum on Fri 14th Aug 2009 10:50 UTC in reply to "RE: In perspective"
3rdalbum Member since:
2008-05-26

"Apple's vulnerability could be exploited by a non-programmer and a single line of Applescript, the Linux vulnerability can be exploited by a programmer and some lines of C.


What difference does that make? Whether the tool that makes use of the exploit is written in C or Applescript - once it has been created and added to some sort of toolset or worm, any skiddie can use it.
"

It's not a lot of difference. Even I can exploit the former, but I can't exploit the latter.

Reply Score: 2

callinyouin Member since:
2008-12-15

Show me how the Linux kernel is a mess. Do you even know what the hell you're talking about?

Reply Score: 1

Kebabbert Member since:
2007-07-27

Instead of listening to him, how about listening to the real Linux kernel developers?




How about Andrew Morton?
http://lwn.net/Articles/285088/

Q: Is it your opinion that the quality of the kernel is in decline? Most developers seem to be pretty sanguine about the overall quality problem...

A: I used to think it was in decline, and I think that I might think that it still is. I see so many regressions which we never fix.




Or Dave Jones?
http://www.kroah.com/log/linux/ols_2006_keynote.html
"Last year Dave Jones told everyone that the kernel was going to pieces, with loads of bugs being found and no end in sight."




Maybe you have missed the discussion where Alan Cox quits as a developer because Alan argues that the Linux regressions should be fixed correctly, which may break user applications? And Linus says that if user applications break, then you should not fix that kernel issue correctly. Instead you should preserve the old behavior so user apps don't break. Alan complains about the Linux bugs, Linus says he shouldn't mind them.
http://lkml.org/lkml/2009/7/24/182

http://lkml.org/lkml/2009/7/28/375

"Quite frankly, I don't understand why I should even have to bring these issues up. You should have tried to fix the problem immediately, without arguing against fixing the kernel. Without blaming user space. Without making idiotic excuses for bad kernel behavior.

The fact is, breaking regular user applications is simply not acceptable. Trying to blame kernel breakage on the app being "buggy" is not ok. And arguing for almost a week against fixing it - that's just crazy.
Linus"




Couple this with Linux constantly evolving API/ABIs and you have stability problems. Whenever Linus rewrites a big part of the code (which he does frequently, "Linux has no design, it evolves constantly like biology") you introduce new bugs. Some say that it takes Service Pack 1 to iron out the most pressing bugs in Windows. What would happen if Windows were rewritten all the time? The bugs would never be squashed. You debug some code, and suddenly it is rewritten and you have new bugs, etc, ad nauseam. So you have problems with Linux being buggy and scaling badly on Big Iron. Admittedly, a stripped down Linux with no luggage scales well on large clusters, which are basically a bunch of computers on a network - like those on top500. But Big Iron is another thing, there Linux scales badly.

Reply Score: 13

mat69 Member since:
2006-03-29

IIR that issue correctly you got it the wrong way around. It was Cox who broke it and Torvalds that was against breaking it!

Additionally some random quotes are not proof of anything, especially in this case as that bug has been there for a long time.

Reply Score: 2

Kebabbert Member since:
2007-07-27

As I understood it, Cox submitted a patch that corrected a strange behavior in the Linux kernel. Linus rejected the patch as it broke apps. Cox argued that the kernel should be corrected, as it behaved strangely. Linus didn't agree, the patch should be modified.

Reply Score: 2

Soulbender Member since:
2005-08-18

And what OS are your other machines running?

Reply Score: 1

marcp Member since:
2007-11-23

I didn't intend to sound offensive. I just pointed out some simple facts that come from my own experience.
I also don't think it's that important what kind of OSs I choose to run on my other machines, but if you're really interested: mostly OpenBSD, FreeBSD and Haiku [it's in a very early stage of development and it SERIOUSLY lacks good security mechanisms for now, but I run it successfully on one of my desktop machines, with a couple of tricks of course, and it's pretty stable, fast, cohesive and well written]. I used to run other OSs in the past, but I don't actually make any use of them anymore.

Regards

Reply Score: 1

Comment by diego
by diegoviola on Fri 14th Aug 2009 07:57 UTC
diegoviola
Member since:
2006-08-15

When it comes to Linux and vulnerabilities I'm just not worried because I know the kernel hackers will fix it very fast as they have always been doing it.

The kernel and the developers have always impressed me with their work and fast fixes, I know this won't be a different case, and in the end we have a stronger kernel ;) .

Reply Score: 4

RE: Comment by diego
by phoenix on Fri 14th Aug 2009 18:40 UTC in reply to "Comment by diego"
phoenix Member since:
2005-07-11

When it comes to Linux and vulnerabilities I'm just not worried because I know the kernel hackers will fix it very fast as they have always been doing it.


Yes, once they (kernel devs) know about issues, they (the issues) tend to get fixed right away.

Unfortunately, in this case, it took 8 years, including two major kernel releases, and umpteen minor kernel releases, to find the issue. ;)

On the bright side, it doesn't look like this was exploited too much in the wild.

I would have to say that, on this one, everyone was *extremely* lucky. This could have been a lot worse.

Edited 2009-08-14 18:40 UTC

Reply Score: 2

In related news
by Soulbender on Fri 14th Aug 2009 08:13 UTC
Soulbender
Member since:
2005-08-18

Software has bugs.

Reply Score: 3

no foolproof exploit
by Nagilum on Fri 14th Aug 2009 10:48 UTC
Nagilum
Member since:
2009-07-01

The exploits I've seen so far rely on pulseaudio being present, which isn't the case for many distros. (especially in server installs)
And even if it is present it doesn't automatically work, as a quick test on an Ubuntu 9.04 showed.
More elaborate exploits with less dependencies will surely be published but for now it still requires some luck to be on a Linux where the published exploits work as advertised.

Reply Score: 1

Apologists
by ecruz on Fri 14th Aug 2009 15:43 UTC
ecruz
Member since:
2007-06-16

Even before reading the article I knew what the take of the Linux apologists would be.
Instead of sticking to the subject, and be glad that a patch was done for the issue, they, like always, have to go back and blame Windows for something.

People, get your own life and grow up!

Reply Score: 0

RE: Apologists
by rub3nmv on Fri 14th Aug 2009 20:12 UTC in reply to "Apologists"
rub3nmv Member since:
2009-07-27

Take a look at the parent comments and tell me who started to blame who.

Reply Score: 2

RE: Apologists
by strcpy on Sat 15th Aug 2009 13:29 UTC in reply to "Apologists"
strcpy Member since:
2009-05-20

Linux advocacy is funny that way.

When you've seen enough of it, you either grow a talent of seeing through it and skipping the idiotism, get overly depressed, or go with the crowd; when something critical is said or discovered about your beloved one, shut your eyes, and just Microsoft yada Groklaw yada BSD bad yada yada Ubuntu yada yada yada.

Reply Score: 1

RE: Apologists - a bug isn't a problem
by jabbotts on Sat 15th Aug 2009 15:03 UTC in reply to "Apologists"
jabbotts Member since:
2007-09-06

What is there to be critical of? A bit of software had a bug discovered. The important thing is how long that bug remained known before the update became available. Simply counting bugs is the pastime of people with little true security and design understanding.

Bug reported in morning news along with patch (0730 EST). Debian kernel update available and applied (16:30 EST).

That's not all distributions but patch times is how one measures the quality of a general use distribution.

So, where is the grievous apologist back peddling? Where is the straying off topic and undue griefing?

Reply Score: 2

strcpy Member since:
2009-05-20

Did you actually read the parent post?

He wondered why a news with Linux kernel vulnerability in its title attains comments related to Windows XP.

A legitimate question to which I sarcastically replied that it seems to be the common way things are handled by the Linux advocacy camp in the public internet forums. (I have no idea what was the question you answered.)

Reply Score: 1

jabbotts Member since:
2007-09-06

You inspired me to go back and check that I had not misread.

http://www.osnews.com/comments/21993?view=flat&sort=&threshold=0

2009/08/14 16:12 - Big Gie - this is the first mention of Windows in a platform neutral comparison intending to illustrate how serious a vulnerability exploitable across the major kernel versions in use today could be. It simply makes the example accessible to those more familiar with Windows without suggesting some kind of deficiency in the reader.

2009/08/14 17:02 - JR - Title is "WinXP" and fires the first shots of hostility from the Windows fan camp with accusations that this bug somehow negates the "more secure by design" benefit to most Unix like platforms.

JR's post starting this thread suggests that it would be Linux "Apologists" who fire the first shot and can't focus on anything outside of blaming Windows unrelated to the actual article.

I was not originally replying to your comment but since you bring it up, you then further support this prejudgment by suggesting that only/all Linux folk close their eyes and ignore any faults in their preferred platform in favor of slamming other platforms. The point of value is your suggestion that many people learn to filter out the tripe and focus on more valuable points.

Most of the comments were actually about the implications of this bug, how long it will take for updated kernels to become generally available and ways to mitigate the risk of exploitation through it. Discussions about Windows were more often in response to someone's fanboy accusations or limited understanding of platform design.

Reply Score: 2

Says nothing about Linux security
by kaiwai on Mon 17th Aug 2009 09:53 UTC
kaiwai
Member since:
2005-07-06

I find it funny that both sides are attempting to make mileage out of something that says very little as to whether something is more or less secure.

What this does show, however, is the idea of 'many eyes' is a myth; the best parallel to the 'many eyes' myth is equal to that of the 'mythical man month' (where people assume that more programmers equal getting to a destination faster when in reality it can slow it down).

Linux isn't the first though; there are many other projects that have had the same sort of thing occur - end of the day, software is written by fallible humans and mistakes will happen.

Reply Score: 2

Grsec/PaX
by abraxas on Mon 17th Aug 2009 16:19 UTC
abraxas
Member since:
2005-07-07

The exploit dies on my system. This is the reason I use Grsecurity/PaX. Who knows how many times this vulnerability has been exploited in the past. I don't care if you use Windows, OSX, or Linux, layered security is a necessary component of any general purpose system.

Reply Score: 2

I got hit
by Boldie on Wed 19th Aug 2009 20:39 UTC
Boldie
Member since:
2007-03-26

I have a few sites with the web-hotel Servage. The whole cluster got hit and all my sites were defaced. My friend's business site got defaced too.

None of my sites were affected by SQL injections. The attacker somehow managed to get to the hypervisor (or?)

Can't recommend Servage to anyone.

Reply Score: 2