QuesarVII writes "Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. 'Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.'"
In the Linux kernel, each socket has an associated struct of operations called proto_ops which contain pointers to functions implementing various features, such as accept, bind, shutdown, and so on. If an operation on a particular socket is unimplemented, they are expected to point the associated function pointer to predefined stubs, for example if the "accept" operation is undefined it would point to sock_no_accept(). However, we have found that this is not always the case and some of these pointers are left uninitialized. This is not always a security issue, as the kernel validates the pointers at the call site, such as this example from sock_splice_read: [snip] But we have found an example where this is not the case; the sock_sendpage() routine does not validate the function pointer is valid before dereferencing it, and therefore relies on the correct initialization of the proto_ops structure. We have identified several examples where the initialization is incomplete: [snip]
Please, this is a _local_ privilege escalation. It's not like code red infecting your box remotely. A sledgehammer is also a local privilege escalation.
The thing is, local privilege escalations can become remote privilege escalations when combined with buggy services that allow for code injection. This is especially bad for people who are forced to run services that they don't trust and thus place them in jails, only to discover that if the exploit happens at the kernel level then your jail means nothing.
My guess is that rootkits are being updated as we speak, so get your kernels patched people.
But if you have any programs that access the Internet that have a bug that allow running arbitrary code, couldn't a remote cracker could exploit the vulnerability in that program to invoke this bug, and through that gain root access to the machine? It sounds like the program being exploited could even be running as a regular user.
------------------- Mitigation ----------------------- Recent kernels with mmap_min_addr support may prevent exploitation if the sysctl vm.mmap_min_addr is set above zero. However, administrators should be aware that LSM based mandatory access control systems, such as SELinux, may alter this functionality. It should also be noted that all kernels up to 2.6.30.2 are vulnerable to published attacks against mmap_min_addr.
I have checked my default Ubuntu and CentOS/RHEL boxes, and both of them are set well above 0:
Because we fix it instead of hushing it up until it becomes fairly well known and then waiting a month to fix it.
That said, it's nice to see the occasional vuln in Linux. Helps shut up the fanbois and keep everybody sharp. Because while under many eyes, all bugs are shallow, that only works if the eyes are actually looking.
In normal configs, Linux is vulnerable to this kind of problem by design because it runs unsafe programs and then for efficiency the kernel also has direct access to it's memory plus the memory for a process doing a syscall. And it's not just a NULL pointer, and preventing maps for page zero doesn't solve the problem... it just means you need to find a bug where you can corrupt a function pointer to point to mappable space.
What this demonstrates is that the cost of isolating programs from each other by using separate memory spaces has a much higher cost than commonly understood. It either has a ~10%-20% overhead and is insecure by design (kernel map includes calling process memory space) -or- it is far slower than even that, but safe (kernel memory is completely separate from process). Computers are already faster than many users need... maybe it's finally time for an OS with a single memory space, like JavaOS or jxos, or even Singularity.
Well, all Microsoft OS's would fault when trying to execute code at a NULL address, merely because people needed to use something to signify an uninitialized pointer. Most operating systems do this. Apparently (I could be wrong, the article is short on details and I don't play in that part of the kernel), this is due to an optimization and not necessarily the original intention.
About a week ago, I updated to kernel 2.6.30. One of the options that showed up describes itself thus:
CONFIG_DEFAULT_MMAP_MIN_ADDR: This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.
Unless I am misunderstanding, or the bug is in this code, the Linux kernel is already protected if properly configured. The kernel already prevents this attack.
Yes, it's called hardware level paging... The problem is from how the exceptional condition (null pointer access) is handled by the kernel, and not the fact that NULL was called.
No, it's not. The problem is that the kernel also has access to the process's memory, so if the process mapped page 0 as r-x then the kernel also has that page. So when the kernel jumps to NULL through a function pointer, it runs whatever code the process put there.
This mapping is done for efficiency because otherwise any system call would flush TLB at least *twice* and it would be slow as hell.
Hardware memory protection is as old as dirt, but it's also a brutish fossil, symbolic of a decayed era, gratefully forgotten.
Sure, it was patched, but it wasn't exactly all over the news. Neither is this one for Linux, but it managed to get mentioned on Slashdot.
Local privilege escalation is hard to guard against with current mainstream operating systems. The attack surface is very large and it is hard to completely verify interfaces. That said, Linux team seems to be doing fairly well overall. We're certainly a long way from the "good" old days when crashme would crash pretty much any Unix system. OpenBSD is doing even better, masturbating monkeys or not.
No. If nobody knew it wasn't a security issue. I'm sure there are bugs on every OS with more than 8 years old yet to discover.
You veered completely off track right about here: "If nobody knew"
Seriously? Really, that's the best you could come up with? That's your apologia? How do you know nobody knew? You think the real blackhats are going publicizing their 'sploits? Blackhats these days aren't script kiddies and honest hackers, they are hard core Russian mafia doing it for cash. Your Linux systems could have been owned twelve ways from Sunday for EIGHT YEARS without you ever knowing it, and you are claiming 'it wasn't a security issue?' WTF? When did Linux get infested with idiot fanboys? Shouldn't you be slobbing all over an Apple or something? I was using Linux before you even knew what Unix was, I despise Microsoft and love open source, but a bug is a bug.
Try this one: 'No. Because it's a freaking LOCAL EXPLOIT and nearly no-one uses Linux for multi-user systems now that everyone can afford their OWN FREAKING COMPUTER.' Good lord, kids these days, gotta teach them everything.
Theoretical nefarious hackers who discovered the flaw before Travis and Julien would have been trying to hide it. Just because something isn't known doesn't mean it doesn't exist.
Security through obscurity does mean the thought that that as long as no one knows about it, it's not an issue. Being open source doesn't make you immune to this. What would make you immune to this would be formal testing and security audits of every component, like is done on things like the space shuttle. This is generally prohibitively expensive for situations where actual life and limb danger isn't a factor, which is why no commonly used operating system implements this strict security level. Sure, having a lot of eyes looking at the Linux kernel helps (and it eventually worked in this case) but just being open source doesn't mean it's secure.
Does this mean that Linux was never more secure than Windows--only more obscure?
It's hardly obscure since they could look and find it, evidenced by the fact they found it.
Go try that with the Windows kernels!
In addition, there is already a patch out for this, which by end of the week will be pushed down from the distro managers. We don't have to wait years after finding it for the fix to be released, as Microsoft historically does.
In fact, why just assume this similar bug is NOT in the windows kernel? Did you check? Did any reputable security company check? I'm not saying it is there, only that you can't easily prove otherwise.
*that* is the security being spoken of.
As far as I know, only one OS claims no exploits, and that is OpenBSD.
The transparent thing works both ways... it's easier for black hats to find holes too, by your own logic. And they can keep it secret and exploit it as long as they can. A similar bug existing in Windows doesn't prove anything and is irrelevant here. After all 'M$ can't code shit'. Linux and FOSS is commonly claimed to be more secure because of it's development model and bug free here in these parts. Any data that runs counter to this is routinely downplayed by commenters and moderators... just like your post got modded up.
It was fixed much faster than MS after it was announced. I guess it is 100000 times faster than your usual MS flaw. So, yeah Linux is more secure.
Also, did you bother reading what this exploit does? It is very bad because it allows user programs to gain administrator privileges. This is insecure because it puts Linux in a category that's as insecure as all pre-vista windows computers and also the UAC-enabled-because-else-it-is-useless vista and 7 computers. That's the problem here, it moves Linux to a windows state...
Finally, it is easier to find flaws in Linux, this increases the chances blackhats found bugs, but it also increases the chances someone else will find it in paralel, preventing your hypothetical situation...
Ironically, it is because of some artificial obscurity that this bug was present and took so long to find. Most vulnerabilities aren't caused by obscure optimization issues, and are findable in source code, those were a non-issue thanks to the lack of obscurity. So this actually proves obscurity != security.
by Anonymous Coward
on Thursday August 13, @03:42PM (#29057303)
If this were Windows, we'd first hear about it when our machines get owned by some malware, and then it would take months for a patch to be released.
Since this is Linux, expect a fix in a week or less.
Expect a source fix with no regression testing in a week or less. Wait months for the big distribution makers (RedHat, Novell) to release it to the masses.
Expect people manually rebuilding their kernel in panic, having machines rendered unbootable because they decided the 250$ bucks for the iLO Advanced license wasn't worth it since Linux never crashes, etc. pp.
And if any of us would have read the article before posting we would know that a typical one-line fix is right there in the article and has been commited into the kernel mainline yesterday.
If this was Windows we'd never hear the beginning of it. How much local privilege escalation vulnerabilities normal windows users worry about? Are the remote vulnerabilities (and the ones that don't need to escalate, as run as the current user) the ones that get lots of publicity. And you got from time to time a number big enough of remote vulnerabilities there to consider them the only ones that matters.
Of course, if you add a local privilege escalation to a some app remote vulnerability that enables to run code, even if is with low privileges, there you have a potential remote root exploit. Is something to care about, but odds are low that a lot of systems will be affected.
How much local privilege escalation vulnerabilities normal windows users worry about?
They probably don't worry about it at all because the vast majority of Windows users log in and run with an administrative level account in the first place.
It's also worth noting that kernel 2.6 alone contains 186 advisories for 352 vulnerabilities with 6% unpatched. Windows Server 2008 contains 40 advisories for 82 vulnerabilities with 0% unpatched.
Your comparison is very flawed and meaningless. Linux kernel 2.6.0test was released in 2003--IT HAS BEEN AROUND 5 YEARS LONGER THAN SERVER 2008! If you want your math to actually make a real point try integrating the vulnerability rate of each OS over the same time domain. Simply put, you have to look at the combined vulnerabilities reported by Windwos Server 2003 AND 2008 when comparing against Linux 2.6.x kernel based OSes.
More proper numbers for Windows would be 242 advisories for 341 vulnerabilites. Slightly lower vulnerability count but quite a few more advisories. 6% of these vulnerabilities also remain unresolved. These numbers do not show Microsoft having any meaningful advantage in quality over the Linux kernel
And, to be more fair still, you should compare OS to OS as you said, rather than OS to kernal. For RHEL5 OS the stats are 272 advisories for 828 vulnerabilities and zero unresolved (suggests that one advisory and pne patch probably solves many separately counted vulnerabilities--perhaps because Linux-based OSes leverage shared libraries far more than Windows?) Keep in mind, however, that Comparing SLES or RHEL strictly speaking wouldn't be a complete comparison either, because in Linux OS distributions many applications are included where the equivalent in Windows would be separate (possibly extra-cost) add-ons.
Furthermore only counts are considered above, with no factor for intensity. Windows server 2008 has more than double the rate of "highly critical" vulnerabilities (35%) than does RHEL5 (16%) and it is well known that Linux exploits are far less likely to be directly remotely exploitable than is the case for Windows exploits.
Yes, MSFT has made great strides in closing the quality and security gaps in ther server OSes (quality is still sorely lacking in their desktop offerings), but even if Windows was perfect I'd still prefer a Linux OS or OpenBSD:
* can't afford Ballmer'$ ga$ * Windows is closed--I don't trust what nobody but the vendoar/author can see. Secunia et al can only report what they can observe from behaviour. As in this reported Linux exploit, third-parties can perform extremely detailed analysis with source code at hand, often releasing the patch to plug the exploit right along with the exploit itself. * licensing and actrivation take a lot of time and resources that serve no practical purpose than to enforce an increasingly questionable business model--Activation is pure bulls**t. I've wasted FAR too much time on clients issues where the root cause of functional deficiencies was improperly activated/licensed closed software (be it Windows or others). I've HAD it with closed crippleware. * I like to tinker. I like to build. The playing field is for more flat in Free software land than in Windows land. I can reconfigure kernel modules, choose which web server, DNS server, email server I want to use and evaluate them truly on their merits. In Windows, if you think IIS or Exchange or MS DNS Stinks, you can try the alternatives but they always seem hobbled by comparison. MSFT never lets third parties play by the same rules, especially when server apps are considered "windows componenets" like with IIS and DNS. They get to leap MSFT's long-professed "chinese wall" to get total access to OS internals info others do not have. ANYONE who wants to write server apps on a Free platform has the same access to info.
Replying to myself, with additional information for the OP: And how long have we heard about this [microsoft.com]? We're already so used to Windows exploits that we don't even care much about them...
SELinux makes the problem worse. Without SELinux, there's a variable that specifies the lowest page in memory that a process can map. If you can't put anything at address 0, jumping through a NULL function pointer isn't as big a deal.
With SELinux on, that variable is ignored, and you can map at address 0 to your heart's content.
Ahh... (Score:5, Funny)
So that's what the NULL pointers were for.
It's from April? Really? (Score:5, Informative)
Then why did Linus check in a patch today to fix it?
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html [neohapsis.com]
Parent
Re:It's from April? Really? (Score:5, Funny)
Parent
I'm safe! (Score:5, Funny)
I use Windows!
Re:I'm safe! (Score:5, Funny)
Once again, my 2.0 Linux kernel is safe!
Parent
I don't get it... (Score:5, Interesting)
Why the bloody hell isn't page 0 hard-wired to panic the kernel / SIGSEGV the userland when accessed?
Summary's Useless link (Score:4, Informative)
Here's the real one- linked from (mostly) useless article.
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html [neohapsis.com]
I can hear the OpenBSD users laughing already... (Score:5, Funny)
Re:I can hear the OpenBSD users laughing already.. (Score:5, Funny)
Sure there are. And they are both laughing.
Parent
Re:I can hear the OpenBSD users laughing already.. (Score:4, Insightful)
There's a theme of comments that occur every time another Windows vulnerability happens. It goes something like this:
Windows FanboiIt doesn't matter. Marketshare marketshare marketshare blah blah business drivel Linux has no marketshare!
It's ironic to now see the Linux 31337 in this meme; trying to redirect from security vulnerability to lack of marketshare by a competing OS.
But I guess maybe it goes along with the whole tired 'BSD is dying' theme.
Parent
(from the blog) (Score:5, Informative)
In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.
If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the "accept" operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.
This is not always a security issue, as the kernel validates the pointers at
the call site, such as this example from sock_splice_read:
[snip]
But we have found an example where this is not the case; the sock_sendpage()
routine does not validate the function pointer is valid before dereferencing
it, and therefore relies on the correct initialization of the proto_ops
structure.
We have identified several examples where the initialization is incomplete:
[snip]
Local Privilege Escalation On All Linux Kernels (Score:5, Insightful)
sudo
Please, this is a _local_ privilege escalation. It's not like code red infecting your box remotely. A sledgehammer is also a local privilege escalation.
Re:Local Privilege Escalation On All Linux Kernels (Score:5, Insightful)
My guess is that rootkits are being updated as we speak, so get your kernels patched people.
Parent
Re:Local Privilege Escalation On All Linux Kernels (Score:4, Insightful)
But if you have any programs that access the Internet that have a bug that allow running arbitrary code, couldn't a remote cracker could exploit the vulnerability in that program to invoke this bug, and through that gain root access to the machine? It sounds like the program being exploited could even be running as a regular user.
Parent
Re:Local Privilege Escalation On All Linux Kernels (Score:4, Funny)
Parent
Guys? (Score:4, Interesting)
Some distros less vulnerable by default (Score:5, Informative)
From http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0174.html [neohapsis.com]:
-------------------
Mitigation
-----------------------
Recent kernels with mmap_min_addr support may prevent exploitation if
the sysctl vm.mmap_min_addr is set above zero. However, administrators
should be aware that LSM based mandatory access control systems, such
as SELinux, may alter this functionality.
It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
published attacks against mmap_min_addr.
I have checked my default Ubuntu and CentOS/RHEL boxes, and both of them are set well above 0:
root@Ubuntu:/proc/sys/vm# cat mmap_min_addr
65536
[root@CentOS /proc/sys/vm] cat mmap_min_addr
65536
[root@RHEL /proc/sys/vm] cat mmap_min_addr
65536
Re:Some distros less vulnerable by default (Score:5, Informative)
Looks like the only reason to set this to 0 would have been to run wine. For support of 16bit windows apps.
Correct me if I'm wrong.
http://www.linuxplanet.org/blogs/?cat=408 [linuxplanet.org]
http://lkml.indiana.edu/hypermail/linux/kernel/0907.2/01466.html [indiana.edu]
http://lkml.indiana.edu/hypermail/linux/kernel/0907.2/00715.html [indiana.edu]
http://linux.derkeiler.com/Mailing-Lists/Kernel/2009-07/msg08106.html [derkeiler.com]
Parent
This reminds me of why I use linux... (Score:4, Insightful)
Because we fix it instead of hushing it up until it becomes fairly well known and then waiting a month to fix it.
That said, it's nice to see the occasional vuln in Linux. Helps shut up the fanbois and keep everybody sharp. Because while under many eyes, all bugs are shallow, that only works if the eyes are actually looking.
"Many eyes", but all of them nearsighted? (Score:5, Funny)
Vulnerable by design (Score:5, Interesting)
In normal configs, Linux is vulnerable to this kind of problem by design because it runs unsafe programs and then for efficiency the kernel also has direct access to it's memory plus the memory for a process doing a syscall. And it's not just a NULL pointer, and preventing maps for page zero doesn't solve the problem... it just means you need to find a bug where you can corrupt a function pointer to point to mappable space.
What this demonstrates is that the cost of isolating programs from each other by using separate memory spaces has a much higher cost than commonly understood. It either has a ~10%-20% overhead and is insecure by design (kernel map includes calling process memory space) -or- it is far slower than even that, but safe (kernel memory is completely separate from process). Computers are already faster than many users need... maybe it's finally time for an OS with a single memory space, like JavaOS or jxos, or even Singularity.
Re:Security through Obscurity? (Score:4, Interesting)
Parent
Re:Security through Obscurity? (Score:5, Interesting)
CONFIG_DEFAULT_MMAP_MIN_ADDR: This is the portion of low virtual memory which should be protected from userspace allocation. Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.
Unless I am misunderstanding, or the bug is in this code, the Linux kernel is already protected if properly configured. The kernel already prevents this attack.
Parent
Re:Security through Obscurity? (Score:5, Informative)
Yes, it's called hardware level paging ... The problem is from how the exceptional condition (null pointer access) is handled by the kernel, and not the fact that NULL was called.
No, it's not. The problem is that the kernel also has access to the process's memory, so if the process mapped page 0 as r-x then the kernel also has that page. So when the kernel jumps to NULL through a function pointer, it runs whatever code the process put there.
This mapping is done for efficiency because otherwise any system call would flush TLB at least *twice* and it would be slow as hell.
Hardware memory protection is as old as dirt, but it's also a brutish fossil, symbolic of a decayed era, gratefully forgotten.
Parent
Re:Security through Obscurity? (Score:5, Informative)
Generally people don't care about local privilege escalation on Windows. Like this vulnerability [microsoft.com].
Parent
Re:Security through Obscurity? (Score:4, Insightful)
Sure, it was patched, but it wasn't exactly all over the news. Neither is this one for Linux, but it managed to get mentioned on Slashdot.
Local privilege escalation is hard to guard against with current mainstream operating systems. The attack surface is very large and it is hard to completely verify interfaces. That said, Linux team seems to be doing fairly well overall. We're certainly a long way from the "good" old days when crashme would crash pretty much any Unix system. OpenBSD is doing even better, masturbating monkeys or not.
Parent
Re:Security through Obscurity? (Score:5, Insightful)
uh huh..and the 8 years it took to discover don't matter, eh?
Parent
Re:Security through Obscurity? (Score:5, Interesting)
No. If nobody knew it wasn't a security issue. I'm sure there are bugs on every OS with more than 8 years old yet to discover.
You veered completely off track right about here: "If nobody knew"
Seriously? Really, that's the best you could come up with? That's your apologia? How do you know nobody knew? You think the real blackhats are going publicizing their 'sploits? Blackhats these days aren't script kiddies and honest hackers, they are hard core Russian mafia doing it for cash. Your Linux systems could have been owned twelve ways from Sunday for EIGHT YEARS without you ever knowing it, and you are claiming 'it wasn't a security issue?' WTF? When did Linux get infested with idiot fanboys? Shouldn't you be slobbing all over an Apple or something? I was using Linux before you even knew what Unix was, I despise Microsoft and love open source, but a bug is a bug.
Try this one: 'No. Because it's a freaking LOCAL EXPLOIT and nearly no-one uses Linux for multi-user systems now that everyone can afford their OWN FREAKING COMPUTER.' Good lord, kids these days, gotta teach them everything.
Parent
Re:Security through Obscurity? (Score:5, Interesting)
Yes, but generally exploits get discovered by others if they are used.
At some point, someone curious will get hacked, and wonder how the hell that happened, and track down the exploit.
And that's not even including discovery on the cracker's side. (People he works with, etc.)
The only way to keep an exploit a secret is to (almost) never use it. It's going to be made public within a few months of even low usage.
Parent
Re:Security through Obscurity? (Score:5, Insightful)
Security through obscurity does mean the thought that that as long as no one knows about it, it's not an issue. Being open source doesn't make you immune to this. What would make you immune to this would be formal testing and security audits of every component, like is done on things like the space shuttle. This is generally prohibitively expensive for situations where actual life and limb danger isn't a factor, which is why no commonly used operating system implements this strict security level. Sure, having a lot of eyes looking at the Linux kernel helps (and it eventually worked in this case) but just being open source doesn't mean it's secure.
Parent
Re:Security through Obscurity? (Score:5, Informative)
Little faster than that:
-
Solution
-
Linus committed a patch correcting this issue on 13th August 2009.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98 [kernel.org]
-
Credit
-
This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
Security Team.
Parent
Re:Security through Obscurity? (Score:5, Insightful)
Does this mean that Linux was never more secure than Windows--only more obscure?
It's hardly obscure since they could look and find it, evidenced by the fact they found it.
Go try that with the Windows kernels!
In addition, there is already a patch out for this, which by end of the week will be pushed down from the distro managers. We don't have to wait years after finding it for the fix to be released, as Microsoft historically does.
In fact, why just assume this similar bug is NOT in the windows kernel? Did you check? Did any reputable security company check?
I'm not saying it is there, only that you can't easily prove otherwise.
*that* is the security being spoken of.
As far as I know, only one OS claims no exploits, and that is OpenBSD.
The transparent thing works both ways... it's easier for black hats to find holes too, by your own logic. And they can keep it secret and exploit it as long as they can. A similar bug existing in Windows doesn't prove anything and is irrelevant here. After all 'M$ can't code shit'. Linux and FOSS is commonly claimed to be more secure because of it's development model and bug free here in these parts. Any data that runs counter to this is routinely downplayed by commenters and moderators... just like your post got modded up.
Parent
Re:Security through Obscurity? (Score:5, Funny)
Your post got modded up, too.
Parent
Re:Security through Obscurity? (Score:5, Insightful)
Also, did you bother reading what this exploit does? It is very bad because it allows user programs to gain administrator privileges. This is insecure because it puts Linux in a category that's as insecure as all pre-vista windows computers and also the UAC-enabled-because-else-it-is-useless vista and 7 computers. That's the problem here, it moves Linux to a windows state...
Finally, it is easier to find flaws in Linux, this increases the chances blackhats found bugs, but it also increases the chances someone else will find it in paralel, preventing your hypothetical situation...
Ironically, it is because of some artificial obscurity that this bug was present and took so long to find. Most vulnerabilities aren't caused by obscure optimization issues, and are findable in source code, those were a non-issue thanks to the lack of obscurity. So this actually proves obscurity != security.
Parent
Re:pwned (Score:5, Insightful)
Parent
Re:pwned (Score:4, Insightful)
Expect a source fix with no regression testing in a week or less. Wait months for the big distribution makers (RedHat, Novell) to release it to the masses.
Expect people manually rebuilding their kernel in panic, having machines rendered unbootable because they decided the 250$ bucks for the iLO Advanced license wasn't worth it since Linux never crashes, etc. pp.
Face it: IT sucks. The OS matters little.
Parent
Re:pwned (Score:5, Informative)
And if any of us would have read the article before posting we would know that a typical one-line fix is right there in the article and has been commited into the kernel mainline yesterday.
Parent
Re:pwned (Score:5, Funny)
See? All that testing is worth it after all!
Parent
Re:pwned (Score:5, Informative)
In a week or less?
Linus already patched it.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98 [kernel.org]
He wrote it at 8:28AM and committed it at 10:57AM this morning. Expect to see it in your repositories tomorrow, if not sooner.
Parent
Re:pwned (Score:5, Interesting)
Of course, if you add a local privilege escalation to a some app remote vulnerability that enables to run code, even if is with low privileges, there you have a potential remote root exploit. Is something to care about, but odds are low that a lot of systems will be affected.
Parent
Re:pwned (Score:5, Insightful)
How much local privilege escalation vulnerabilities normal windows users worry about?
They probably don't worry about it at all because the vast majority of Windows users log in and run with an administrative level account in the first place.
Parent
Re:pwned (Score:5, Funny)
Well by that logic 99% of windows users haven't used a real windows machine either.
Parent
Re:pwned (Score:5, Funny)
Aw, cheer up little guy. I thought it was a very nice comment.
Parent
Re:pwned (Score:5, Funny)
Windows Servers are far more inherently secure than Windows Desktops, simply by the way that they're operated.
Wait, what?
Parent
Re:pwned (Score:5, Informative)
That's right. It's a trivial local exploit. Those aren't mutually exclusive.
Parent
Your new math is very flawed. (Score:5, Informative)
It's also worth noting that kernel 2.6 alone contains 186 advisories for 352 vulnerabilities with 6% unpatched. Windows Server 2008 contains 40 advisories for 82 vulnerabilities with 0% unpatched.
Your comparison is very flawed and meaningless. Linux kernel 2.6.0test was released in 2003--IT HAS BEEN AROUND 5 YEARS LONGER THAN SERVER 2008! If you want your math to actually make a real point try integrating the vulnerability rate of each OS over the same time domain. Simply put, you have to look at the combined vulnerabilities reported by Windwos Server 2003 AND 2008 when comparing against Linux 2.6.x kernel based OSes.
More proper numbers for Windows would be 242 advisories for 341 vulnerabilites. Slightly lower vulnerability count but quite a few more advisories. 6% of these vulnerabilities also remain unresolved. These numbers do not show Microsoft having any meaningful advantage in quality over the Linux kernel
And, to be more fair still, you should compare OS to OS as you said, rather than OS to kernal. For RHEL5 OS the stats are 272 advisories for 828 vulnerabilities and zero unresolved (suggests that one advisory and pne patch probably solves many separately counted vulnerabilities--perhaps because Linux-based OSes leverage shared libraries far more than Windows?) Keep in mind, however, that Comparing SLES or RHEL strictly speaking wouldn't be a complete comparison either, because in Linux OS distributions many applications are included where the equivalent in Windows would be separate (possibly extra-cost) add-ons.
Furthermore only counts are considered above, with no factor for intensity. Windows server 2008 has more than double the rate of "highly critical" vulnerabilities (35%) than does RHEL5 (16%) and it is well known that Linux exploits are far less likely to be directly remotely exploitable than is the case for Windows exploits.
Yes, MSFT has made great strides in closing the quality and security gaps in ther server OSes (quality is still sorely lacking in their desktop offerings), but even if Windows was perfect I'd still prefer a Linux OS or OpenBSD:
* can't afford Ballmer'$ ga$
* Windows is closed--I don't trust what nobody but the vendoar/author can see. Secunia et al can only report what they can observe from behaviour. As in this reported Linux exploit, third-parties can perform extremely detailed analysis with source code at hand, often releasing the patch to plug the exploit right along with the exploit itself.
* licensing and actrivation take a lot of time and resources that serve no practical purpose than to enforce an increasingly questionable business model--Activation is pure bulls**t. I've wasted FAR too much time on clients issues where the root cause of functional deficiencies was improperly activated/licensed closed software (be it Windows or others). I've HAD it with closed crippleware.
* I like to tinker. I like to build. The playing field is for more flat in Free software land than in Windows land. I can reconfigure kernel modules, choose which web server, DNS server, email server I want to use and evaluate them truly on their merits. In Windows, if you think IIS or Exchange or MS DNS Stinks, you can try the alternatives but they always seem hobbled by comparison. MSFT never lets third parties play by the same rules, especially when server apps are considered "windows componenets" like with IIS and DNS. They get to leap MSFT's long-professed "chinese wall" to get total access to OS internals info others do not have. ANYONE who wants to write server apps on a Free platform has the same access to info.
Parent
Re:pwned (Score:5, Informative)
Replying to myself, with additional information for the OP: And how long have we heard about this [microsoft.com]? We're already so used to Windows exploits that we don't even care much about them...
Parent
Re:The REAL impact here (Score:4, Informative)
Within a few days, patches will be released to all the OSS vendors. Admins will be inconvenienced by a reboot.
Even that last bit is avoidable, if you have Ksplice [ksplice.com] installed :D
Parent
Re:The REAL impact here (Score:5, Insightful)
How can you trust that a user hasn't used a privilege escalation to install a rootkit already? You can't trust apt-get, or yum, or anything.
Fresh install time, surely? Back to the bare metal.
Parent
Re:SELinux? (Score:5, Informative)
SELinux makes the problem worse. Without SELinux, there's a variable that specifies the lowest page in memory that a process can map. If you can't put anything at address 0, jumping through a NULL function pointer isn't as big a deal.
With SELinux on, that variable is ignored, and you can map at address 0 to your heart's content.
Parent