Eight Years of Linux Kernel Vulnerable
Linked by Jordan Spencer Cunningham on Fri 14th Aug 2009 02:29 UTC
Linux It's the end of the world. Again. According to some Linux developers and security researchers, a bug in the Linux kernel has just been uncovered that makes just about every distribution utilizing kernel 2.4 and 2.6 on just about all architectures since May of 2001 vulnerable to a certain kind of attack.
E-mail Print r 6   · Read More · 58 Comment(s) http://osne.ws/gyx
Thread beginning with comment 378493
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE: WinXP
by gilboa on Fri 14th Aug 2009 09:08 UTC in reply to "WinXP"
gilboa
Member since:
2005-07-06

... All of this was true, it this exploit was a known exploit, and the Linux kernel devs decided to simply ignore it for the past 8 years.

As far as we -know- (and I'll ignore any type of non-educated guess or unfounded speculations), once Linus was aware of this vulnerability, a fix was issued within 2 hours.
So unless anyone has solid evidence that one of the Linux devs was aware of this vulnerability and somehow refused to fix it (why!?!?), the 8 years that passed since the introduction of the code that caused this vulnerability is meaningless. I'd assume that both Linux and Windows have vulnerabilities that date back to Linux 2.0 and Windows NT 3.1...

However, I'd point to you what we know - as in previous known track record:
On one hand, MS refuses to fix the UAC escalation problem and on the other, Linux vulnerabilities are usually patched within a day - if not hours (If you've used RHEL you know what I mean).

... Oh, and unlike Microsoft, a fix will most likely land in all the effected kernel trees (as far as 2.0 if it was required) and not just the latest (2.6) kernel tree.
Would have Microsoft released a similar fix for Windows 2000 - or even Windows NT 4.0, if such a long term vulnerability was found in all NT kernel since 4.0? I somehow doubt it.

- Gilboa

Reply Parent Score: 3

RE[2]: WinXP
by BluenoseJake on Fri 14th Aug 2009 15:23 in reply to "RE: WinXP"
BluenoseJake Member since:
2005-08-11

... Oh, and unlike Microsoft, a fix will most likely land in all the effected kernel trees (as far as 2.0 if it was required) and not just the latest (2.6) kernel tree.
Would have Microsoft released a similar fix for Windows 2000 - or even Windows NT 4.0, if such a long term vulnerability was found in all NT kernel since 4.0? I somehow doubt it.

- Gilboa


I think that you may be wrong.

This has nothing to do with MS, and why should MS fix NT 4.0 in the same situation? It is much older than anything that should be in use in the linux community, seeing as this exploit exists in 2.6 and 2.4, and updates are no longer being applied to the 2.2 kernel, which last saw a change in 2005.

I really doubt that anybody would bother patching such an old kernel, when upgrading to 2.4 would be a better plan anyway. Anybody still running such an old kernel (the same as running NT 4.0) is such a small percentage of their users, that the work runs into a serious amount of effort for no good reason.

Reply Parent Score: 3

RE[3]: WinXP
by gilboa on Sat 15th Aug 2009 13:33 in reply to "RE[2]: WinXP"
gilboa Member since:
2005-07-06

As far as I remember, the 2.2 tree was active up until 2005 when the last maintainer left.
But never the less, given the fact that Linux is open source, if your embedded system depends on Linux 2.2, nothing stops your from taking the code and doing it yourself. (Did it myself)

However, if your embedded system requires Windows NT 4.0 (and you'll be amazed how many system still using NT 4.0), and MS refuses to patch the OS, you are screwed.

- Gilboa

Reply Parent Score: 2

Read more of this thread... >