Hole In Linux Kernel Provides Root Rights 274
oztiks writes with this excerpt from The H:
"A vulnerability in the 32-bit compatibility mode of the current Linux kernel (and previous versions) for 64-bit systems can be exploited to escalate privileges. For instance, attackers can break into a system and exploit a hole in the web server to get complete root (also known as superuser) rights or permissions for a victim's system. According to a report, the problem occurs because the 32-bit call emulation layer does not check whether the call is truly in the Syscall table. Ben Hawkes, who discovered the problem, says the vulnerability can be exploited to execute arbitrary code with kernel rights. ... Hawkes says the vulnerability was discovered and remedied back in 2007, but at some point in 2008 kernel developers apparently removed the patch, reintroducing the vulnerability. The older exploit apparently only needed slight modifications to work with the new hole."
Perhap the kernel's size is becoming too unweildy (Score:3, Interesting)
I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?
Maybe it's time to seperate out core kernel code and the arch specific stuff into seperate modules with seperate administration. Git would make this easy, so why aren't we seeing it done?
Re:Serve them right (Score:3, Interesting)
Re:Patch (Score:2, Interesting)
The C standard doesn't specify sizes but requires that
sizeof(long) >= sizeof(int) >= sizeof(short) >= sizeof(char)
so if a char is 32-bit, a short must be 32-bit (or more) as well. C-99's <stdint.h>, requires typedefs (eg, uint8_t, int8_t) for 8, 16, and 32-bit signed and unsigned integers.
Re:Why is there anything 32 bit on a 64 bit server (Score:3, Interesting)
Around 15% to 25% of revenues going to customer acquisition and retention (marketing, sales calls, rebates, incentives, whatever) is a pretty common budgetary decision in US businesses. So yeah, after payroll, facilities, and other operating costs marketing and sales are a major expense. The most common advice I get as a small-business owner both online and in person from other business owners is 20%.
I've heard as low as 10%, but that's still a big chunk of the budget. I've also heard of people spending as high as 40% of revenues for a short period when entering a new market segment.
It's informative to stick "how much to spend on marketing" into a search engine and see what the different magazines, forums, and blogs say. Different industries of course have slightly different needs, but at least 10% and not more than 30% under normal circumstances should be a decent starting place for considering what to spend.
Re:Serve them right (Score:4, Interesting)
While OpenBSD doesn't have a perfect record for security
OpenBSD has got a *terrible* record for security. The illusion of security is only maintained because every time someone discovers a gaping exploit in OpenBSD, Theo moves the goalposts on what he considers a security hole. Just look at all the descriptions of "errata" for OpenBSD - bugfixes for security holes!
Theo is like that kid who, no matter what game you were playing, would always start making up bullshit rules whenever he started losing. Like, "Tag! You're it!" "No I'm not it, that tag didn't count because I'm uh... I'm near this rock".
Don't be that kid. That kid is a dick.
Re:In Soviet Russia! (Score:2, Interesting)
And yes, I actually was a B3700 guy. Now get off my lawn.