Local Privilege Escalation On All Linux Kernels 595
QuesarVII writes "Tavis Ormandy and Julien Tinnes have discovered a severe security flaw in all 2.4 and 2.6 kernels since 2001 on all architectures. 'Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges.'"
Ahh... (Score:5, Funny)
So that's what the NULL pointers were for.
I'm safe! (Score:5, Funny)
I use Windows!
I can hear the OpenBSD users laughing already... (Score:5, Funny)
Re:I'm safe! (Score:5, Funny)
Once again, my 2.0 Linux kernel is safe!
Re:Guest accounts (Score:1, Funny)
Seems to work just fine on your box . . .
Re:I can hear the OpenBSD users laughing already.. (Score:5, Funny)
Sure there are. And they are both laughing.
QUICK (Score:1, Funny)
Re:I'm safe! (Score:3, Funny)
Excellent. My old 2.2-based Slack 8 boxes should be fine, too.
Can't trust that new-fangled 2.4 stuff. USB support? Who needs it!
Re:Local Privilege Escalation On All Linux Kernels (Score:4, Funny)
Re:I can hear the OpenBSD users laughing already.. (Score:2, Funny)
Re:pwned (Score:5, Funny)
Well by that logic 99% of windows users haven't used a real windows machine either.
Re:Security through Obscurity? (Score:5, Funny)
Your post got modded up, too.
Re:pwned (Score:3, Funny)
Yeah, I know, I nearly cancelled the post after I wrote it.
Desktop Windows /is/ Windows, but Windows Servers are far more inherently secure than Windows Desktops, simply by the way that they're operated. It was a bad comment.
Re:pwned (Score:5, Funny)
Aw, cheer up little guy. I thought it was a very nice comment.
"Many eyes", but all of them nearsighted? (Score:5, Funny)
Re:It's from April? Really? (Score:5, Funny)
Re:The REAL impact here (Score:3, Funny)
Probably don't need to install the patch then. Or keep the machine powered on, for that matter...
Re:pwned (Score:3, Funny)
Well - I'm searching for Linux botnets that have been created by this exploit. Searching . . . searching . . . searching . . .
Dang, I'm not finding any.
How about Windows botnets? WOW, will you just look at all of them? http://www.secureworks.com/research/threats/topbotnets/ [secureworks.com]
I sure wish Linux would get off their dead arses and patch this problem. Sure would be nice if they can get it done in less than a month or six, like Windows!! Oh - wait - what? Linus committed a patch correcting this issue on 13th August 2009.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98 [kernel.org]
I guess I'll hold off on pushing the panic button. I see no need to "upgrade" to Windoze, LMAO
Re:pwned (Score:2, Funny)
This is the windows newbs one chance to stick it to the Unix guys, don't fuck this day up for them!
Re:The REAL impact here (Score:2, Funny)
You must be mistaken. rjstanford is the computer.
Re:pwned (Score:4, Funny)
Thats what I get for sending you to do the math. Im still too lazy to go check it out and look at methods, years and the rest.
||sarcasm|| I take your analysis as true and hereby declare that windows has been exploited lesser than linux, has less malware against and is inherently less prone to attack than linux or turning into a braindead spamzombie than linux. ||end sarcasm||
Happy?
Re:pwned (Score:5, Funny)
Windows Servers are far more inherently secure than Windows Desktops, simply by the way that they're operated.
Wait, what?
If Windows is your metric (Score:3, Funny)
Linux is ready for the desktop!
Re:pwned (Score:5, Funny)
See? All that testing is worth it after all!
Re:Eyes Wide Shut (Score:1, Funny)
Because we fix it when someone finally notices it after eight years and then hush up so no one will know we didn't notice it for eight years and then when someone notices that we didn't notice it for eight years and makes everyone aware of that we then try to minimize the impact by saying "We fix it instead of hushing it up until it becomes fairly well known and then waiting a month to fix it" instead of hushing it up until it becomes fairly well known and then waiting a month to fix it.
FTFY
And... He is also a politician! (Score:1, Funny)
nobody (the apache account) is a local user.
That nobody guy is really smart.
I often tell people that nobody is smarter than me.
Vote for Nobody!
Nobody tells the truth!
(http://thecynicaleconomist.com/wp-content/uploads/2009/07/vote_nobody.jpg [thecynicaleconomist.com])
Re:pwned (Score:4, Funny)
But it wasn't a real "no true scotsman" fallacy. After all, it didn't involve a scotsman. :-)
Re:local... remote... (Score:3, Funny)
I broke into nobody's account and took a peek at their files. Look what I found:
$ ls -l
-rwx------ 1 nobody nobody 12542 1000-07-24 12:45 predict_spanish_inquisition