Magnitude of glibc Vulnerability Coming To Light (threatpost.com) 139
msm1267 writes: The glibc vulnerability disclosed this week has some experts on edge because of how DNS can leveraged in exploits. Dan Kaminsky said that while man-in-the-middle attacks are one vector, it would appear that it's also possible to exploit the bug and attack most Linux servers via DNS caching-only servers. 'This would be substantially worse if it went through the caching ecosystem; 99 percent of attack vectors go through that system,' Kaminsky said. Glibc, or the GNU C library, is used by most flavors of Linux and also a number of popular web services and frameworks, giving attacks potentially massive horizontal scale. The major Linux distros have patched and pushed updates to servers; source code is also available for homegrown Linux builds.
Re: (Score:1)
It's a shame most companies employ shitty, incompetent programmers who can't write software that doesn't contain buffer overflows.
Re: (Score:3)
Those programmers are 'shitty, incompetent programmers' if they can't be bothered to learn about the problems their tools have. All tools have problems. It's their job to understand their tools.
Re: (Score:3)
In the real world, getting work done means knowing the well understood problems with your tools. It's not like buffer overflows where not mentioned in everybody's introduction to C (course/competent self study). Explain to your boss that sanitizing inputs took to long, so all the tables in production got dropped...I hope you're 12 or at least don't code for living...seriously.
Thanks for volunteering to speak up for all the other shitty, incompetent programmers out there BTW. Way to jump on that grenade.
Re: Too bad (Score:1)
I would like to see your source code tracked through all its versions; and if you have one exploit or bad piece of code, off with your head.
Seriously people, it's not easy finding bugs,
If it was we'd have none. All software has bugs, it's just a matter of are they exploitable or not. It happens when you program in C and sometimes C++. Deal with it.
Re: Too bad (Score:2)
In a perfect world where there are only super amazing developers such as yourself who never make any mistakes this is true. In the real world it's better to have a language that prevents dangerous errors like buffer overflows because most of us aren't a programming God like you clearly are.
Re: (Score:3)
Automate catching a simple bug like buffer overflows and you leave developers too retarded to find the more serious memory map related exploits.
See also: Every Java only programmer you ever met.
Re: (Score:2)
You're right sir super genius. We shouldn't use computers for automation, that would be insanity. We should be programming them using two wires like God intended.
Re: (Score:2)
There are many programming languages, perhaps C and assembler just aren't for you. Stick with LOGO.
Re: (Score:2)
Don't worry, I'll work on the latter later. Right now I'm busy... uh... compiling. Yeah. I'm uh recompiling everything because of the glibc vulnerability. Yeah, I'll check in a progress report later.
This is the only employee you have left when you expect programmers to magically know about problems in other people's code just because they used that software as a tool.
Imagine expecting a factory worker, even an engineer working in a factory, to know the inner workings of the pick-and-place machine and predic
Re: (Score:3)
Nobody is arguing about glibc. That's well understood to be a giant 'ball of mud', so nobody can know all it's problems.
We are arguing about the C language. To some extent the C++ language. AC in particular thinks knowing that unchecked buffer overflows exist as a class of exploits is too much to ask of C programmers.
Re: (Score:2)
I'm not sure you're going to get very far in your communications by insisting that the context is only idiotic off-topic language wars and not the actual context of the discussion.
You fail so hard, you don't even comment on what I said, you comment on what you said already, and yet you offer no clarification or correction.
Just presume I understand the context, and chose my words knowingly. You'll have a chance to understand my comments. What you're basically saying is that you can't understand my words, bec
Re: (Score:2)
You are trying to change the subject in the middle.
Nobody can be expected to find all the bugs in a library they didn't have anything to do with writing. I won't defend a position you try to put on me and called you on the goalpost move.
Start a new thread if you want to start a new discussion.
Re: (Score:2)
Sorry wannabe bully, you're not going to chase nerds off slashdot by just signing up late and then telling us what to talk about.
If you can't figure out what story you're commenting on, that is not my problem; why would it lead me to change my subject?
You're off-topic, and complaining because my insights have a different focus than whatever you were saying. Get over it. I'm talking about the subject in the story, the same as almost everybody here. If you're talking about something else, that is on you. Don'
Re: (Score:1)
The problem with your theory is that essentially EVERY project of complexity more than "hello world" written in C has been shown to be a security nightmare.
Even the best programmers are unable to keep such minutia in their heads for a huge complex project. It is not a reasonable approach to expect a fallible human being to do by hand what the tool should do automatically.
Your opinion sounds just like the pilots in the 1940's who said, "The crashes due to pilot error are just due to bad pilots not rememberi
Re: (Score:1)
The "insecure" C functions that don't have the buffer overflow problems were replaced in C99, Anyone still developing against pre-C99 needs their faces slapped. Yes those _s functions have been around for ever, and Microsoft (despite pleading with users to switch to c++) have been warning against using insecure versions for a decade.
C++ isn't any better, and is in fact much worse for security since "secure" programming is about 100x slower (put and get functions) than just accessing the member variables wit
Re: (Score:3)
You might have an off-by-times-negative-one error in there, oops!
How can you preach about not making known C-language mistakes when you still make known English-language mistakes? Is it presumed that programmers have an easier time writing perfect C than writing perfect English?
If they stopped thrashing the code and put the new features in a new product, the existing product would reliably improve over time, regardless of what types of idiot mistakes they started out with. As long as the code is being frequ
Re: (Score:2)
Speaking as someone who actually uses C++, and who does understand object orientation....
C++ is far better. You can avoid buffer overflows by never using C-style arrays except in interfaces. Use std::string and std::vector and the other container classes, and use .at() instead of [] if your compiler doesn't offer checked [] (.at() is required to be range-checked, while [] may or may not be). Since these are templates, they're very fast. std::sort is normally faster than C's qsort().
C++ has far bett
Re: (Score:2)
If code-thrash continues to be common, and "bug-fixes" for non-security-related bugs are mixed together with security fixes and even new features, with a mono-culture system of a single "latest" version that contains all types of changes, then these bugs will never end. They will continue forever in that scenario. Luckily, eventually computers will not seem new, and so code thrash will not continue to be interesting or profitable.
Give it a few hundred years, things will settle out.
Re:Too bad (Score:4, Funny)
Re: (Score:1)
I operate the same way. I have a horrid time remembering proper nouns (e.g. people's names) but I remember functions, systems, relationships quite well. I use similar techniques where I rely on my analytical skills (which are quite strong) to get me through. I very frequently end up dancing around words I can't remember, substituting synonyms, descriptions ("your friend who we recently had dinner with", "the person in the red shirt"), and often use fillers like "thing", "stuff", "you know", or expletives. I
Re: (Score:1)
Ummm...hello, Ada?
Re: (Score:1)
Where it gets really funny is... rust uses libc's dns resolver. Which is usually (always?) the buggy version from glibc.
Remember that when people ask why "we" don't rewrite all of libc in rust. I mean, if you want to, that's great. But maybe you should start in your own house. Meanwhile, musl and freebsd have much nicer libc implementations.
Personally, I'm not interested in rust. Not because of the language but because of the developers. I'm not sure if it's a programming language or an experiment i
Re: (Score:1)
It should be obvious that "compiles" and "doesn't crash" isn't the same thing as "works as intended"
It should also be obvious that the important data on a system isn't the operating system or anything else that can be re-installed. It is the user files, the things that are unique. Those are typically something that every program can access and delete at will.
This means that no high level language or no root/user separation will ever protect the things we care about the most.
If someone claims that a problem
Re: (Score:3)
It should be obvious that "compiles" and "doesn't crash" isn't the same thing as "works as intended"
True. In fact, even rust can crash under certain circumstances. For example, when the stack gets too large, or when a heap allocation fails. But all crashes of rust are "safe", meaning that they usually don't allow for data modification. And yes, rust doesn't guarantee freedom from bugs. But it does eliminate whole classes of bugs. On the path to more secure programs we do need languages with more additional safety, not less.
What programmers need to learn is good programming habits and discipline.
And the rust compiler enforces precisely those. Without enforcement (or warnings) y
Re: (Score:1)
Yeah, I've found the Rust community to be very... odd.
I don't mean this in an insulting way, but I suspect that autism and/or Asperger syndrome runs rampant throughout the Rust community, to a degree far more severe than we see even within the wider IT and software community.
For example, they are extremely focused on achieving "correctness". This is something that's highly subjective, yet they try to come up with a one-size-fits-all objective definition. That's a common trait among those suffering from auti
Re: (Score:2)
Where it gets really funny is... rust uses libc's dns resolver. Which is usually (always?) the buggy version from glibc.
Remember that when people ask why "we" don't rewrite all of libc in rust. I mean, if you want to, that's great. But maybe you should start in your own house. Meanwhile, musl and freebsd have much nicer libc implementations.
Personally, I'm not interested in rust. Not because of the language but because of the developers. I'm not sure if it's a programming language or an experiment in social justice gone wrong.
IOW: you are crazy.
Re: (Score:3)
We know its syntax is a step backward from C, C++, Java, C#, and even PHP.
Rust has many improvements over C/C++ syntax wise:
* syntactic macros, not "string replacement" macros
* scoped macros -- you don't pollute macro space
* scoped imports
* Nested comments -- no #if 0 trick needed to comment out code that contains block comments
* Blocks {} can have a return value, the ; sign is a separator, not a terminator
* If the compiler can find out the type of something, it is implied, otherwise you have to provide it. Only in recent C++ this is possible with the auto keyword.
Where is the "s
Re: (Score:2)
I say that it is a young language that still has to get maturity and trustability. Right now its a perfectly fine base to build something upon, but with less than one year of stability, I _do_ admit that probably you shouldn't invest millions of dollars into writing programs with it.
Re: (Score:2)
So the claim is that Rust isn't a systems programming language? Or is the claim that rust doesn't protect you from bugs like this? I'd say both claims are wrong.
That's what they get (Score:5, Funny)
For being glib about it. (ba dump)
Re: (Score:2, Funny)
I c what you did there.
Re: (Score:2)
I was just getting exited over a vacation to the glib sea, but then I saw on the news that it is being invaded by pirate hackers, and everybody says they're really vulnerable so I guess that means nobody has confidence in the local security.
I think I'm going to change my plans and just stay with the hurd until the danger passes.
CVSS score was medium of 6.1 (Score:1)
The CVSS score is a medium of 6.1 for the CVE. So this isn't as bad as Heartbleed since it requires more environmental factors to be a successful exploit.
Most likely organizations have much worse and easier exploitable vulnerabilities than this.
CVSS is not always accurate (Score:2)
The CVSS score is a medium of 6.1 for the CVE. So this isn't as bad as Heartbleed
First, Heartbleed was actually a 5.0 base score, so this is more serious if you go strictly by CVSS score (which is not necessarily advisable). Reference [nist.gov].
Second, CVSS scores are based on a certain formula and small set of conditions; in particular, vulnerabilities are scored based on their immediate impact and not necessarily things that occur down the line. In other words, CVSS base scores do not include environmental metrics (There is a CVSS environmental score, but almost no one uses it except for CERT).
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Possibly 0, because it was patched before it was publicized.
However, there are those out there who are able to independently discover and make use of these bugs before the rest of us. Whether they did or not will probably not be known until the appropriate information is declassified.
Re: (Score:2)
Re:APK time. (Score:5, Insightful)
In the event you didn't see his constant ads, APK's activities were a commercial activity on this site, which an ad supported, non-government operated site has every right to block. The fact that he was incredibly annoying and abusive about dealing with criticism is just icing on the cake.
Get back to me when they start dealing with people who aren't billboards for a commercial product whose only other activity is trolling people who provide criticisms of said product.
Re: (Score:1)
Unfortunately our new overloaf Whisplash says he has 'dealt' with APK...
Yes, he implemented a filter which weeds out the spam posts.
Censorship has never been a part of Slashdot... until now. Sigh
1. This isn't censorship, it's blocking spam flooding.
2. Yes, this has existed for many years. Notice you don't see ads for MyCleanPC, Viagra, etc? Same thing.
3. APK is still more than capable of posting here, but if he includes his website or his copy-pasta the filter will block that post.
Re: (Score:1)
Re: (Score:1)
I still see APK posting here and there, mostly harassing whipslash, which is a fool's errand. But he's not able to spam every discussion thread with 20 posts full of bold italic psycho=>babble anymore, and I call that a victory. I'm rather enjoying the new /. ownership so far.
Re: (Score:2)
Re: (Score:2)
Still on DVL (Score:2)
Don't forget your statically linked executables.. (Score:1)
A patch to a .so file is a great fix for most things... But, if you build your own statically linked executables please "make clean", "make"
Just a friendly public service reminder from the "Grey, but still alive"
Defense (Score:2, Interesting)
iptables -t raw -A PREROUTING -p udp --sport 53 -m length --length 28:2000 -j DROP
The above line will block any attack based on this vulnerability.
It may impact some unusual but legitimate queries, though. Normal DNS queries usually have small enough responses to fit in this range.
If the above line is on a Linux machine that is performing as a trusted caching DNS server, it will also protect the clients from the attack.
You might be able to get a few more bytes into the threshold (because there are headers i
Re: (Score:2)
edns-packet-max=512
to your dnsmasq.conf if you run a local caching DNS server.
Re: (Score:2)
strlcpy() isn't good enough for glibc. (Score:5, Interesting)
No, it "only leads to other errors" [lwn.net].
Funny, I haven't heard of any showstopper bugs in OpenBSD libc - not this year, not ever. And it's ubiquitous, since I'm running it on my phone [undeadly.org].
This bug, after ghost, would be a good opportunity to take a step back for a serious assessment of what must be removed for a secure system.
Re: (Score:2)
a good opportunity to take a step back for a serious assessment of what must be removed for a secure system.
What to remove?
Features. New features. Old features are fine, they can receive bugfixes only. Refactoring may be done once every 10 years, but only if the code appears sloppy.
Done.
Even Matt's Script Archive became secure over time. Sucky code can be slowly improved until it borders perfection, but only if it still does the same thing it used to do, and no more.
Re: (Score:2)
OK I'll be sure to only run their code, and not ask their opinions about dinner or politics. ;)
Not sure you really thought through your hate-spew there... the context was actually wrench related in that metaphor!
I assume everybody is an idiot, regardless of success or letters. That helps me to make use of whatever their work product is without getting distracted by love, hate, or other things that are off-topic. Last time I did some auto repair I hired an unemployed wrench-turner to help. He wasn't some gen
Re: (Score:3)
It's the politics part that usually applies. The strlcpy() thing cited is politics, just not governmental politics.
I've had three arguments with Theo. The first was over his claim that position-independent executables were "very expensive," which I responded to by benchmarking the entire execution of a Linux OS and determining that the system would indeed slow down if it couldn't find 4 seconds of CPU idle time out of each day (the hit was 1% or 6%, depending on optimization; but the proportion of time
Re: (Score:1)
Dropping names to brag about disagreeing with famous people does not cause me to presume that there will be technical insights that I should read the details to find. Rather, it tells me that you're biased and have a bone to pick, and were not able to successfully remove the bias to create a technical discussion of the issues. So your attempt to argue finer points won't even be examined. There is too much available noise for that to be reasonable. I have to be convinced that a signal has low noise before ev
Re: (Score:2)
Then you restrict your access to information, and have no way to analyze the technical merits of any point anyway.
Pejorative puns are fun, especially when you can mix in a or two. I suppose you wouldn't understand the creative process either, though. [thetvking.com]
Re: (Score:2)
Of course I restrict my consumption of information. There is an available information glut, and most of it is noisy.
Notice that that doesn't restrict my access in any way.
You are very sloppy in your words, and your thinking. Pejoratives cause you to be ignored. You enjoy it, so I hope you also take full credit for your results.
I find it funny you think I would click an external link; even funnier that the domain name is some TV-thing. ROFLCOPTER
Also, if you're snooty and ready to tell people they don't unde
Re: (Score:2)
It's an information thing. Creativity is derived from inventory of the brain's contents and the abstract association of various bits of memory. Had you understood that, you might have drawn several tangential ideals from everything I've said; instead you think like a brick.
Re: (Score:2)
The third was a buck against his analysis of OpenSSL's Heartbleed vulnerability, which he claimed was vulnerable due to the use of an internal ring buffer allocator rather than malloc(), instead of by virtue of not performing bounds checking (there were *several* points he was wrong on).
I have to agree with Theo on this one - if the OpenSSL devs used malloc rather than their own pool the bug would have been discovered on day two of release. Sooner, ever, if they had run valgrind on it.
Understand that maintaining an internal pool of memory (allocated once at startup) means that tools like valgrind cannot determine out-of-bounds errors.
Re: (Score:2)
Not really. Out-of-bounds errors would only occur if you intentionally gave the library bad data. Theo's argument was OpenBSD's malloc() would immediately catch an out-of-bounds *read*, but it can't do that without consuming geometrically more memory--the average size of a malloc() allocation is under 200 bytes, and OpenBSD would need to right-align all allocations in an isolated 4096-byte page to do the kind of trapping Theo asserts, meaning something like Firefox would consume around 20GB of physical R
Re: (Score:2)
If OpenSSL had used calloc() or the equivalent instead of malloc(), Heartbleed would have been harmless. If you're writing code that needs security, don't allocate a block and just keep whatever the heck was last in it.
Heartbleed was not a buffer overflow vulnerability, and using Theo's malloc/free would not have helped. An attacker would ask for a buffer of N bytes, and the software would allocate one. The attacker would write over a few characters, and get the rest sent back. Heartbleed was a failu
Minimal impact (Score:2)
Has to get around stack overflow protection canaries (-fstack-protector-strong or -all), address space randomization, and a non-executable stack and heap. Ubuntu has run -fstack-protector-strong (covers functions calling alloca()) since gcc 4.9 release after 2015-05, according to #1317307 [launchpad.net]. Kees Cook added the -strong feature to gcc, and is part of Ubuntu's compiler team, so it went straight into Ubuntu.
Good luck exploiting this bug.
Re: (Score:2)
This sort of sounds like the bravado of someone who is sure that they are protected because they have anti-virus software installed.
Re:Minimal impact (Score:4, Insightful)
Anti-virus software is an arms race. This is a change to the fundamental behavior of the compiler toolchain and produced code.
Think like someone tells you dishwashers are dangerous because they use high-temperature hot water, and then your glasses all crack because they drop from 145F as they're exposed to the cold air when you open the door after a wash cycle. You then point out that your glassware is all borosilicate glass and can take a temperature drop of 120 degrees celsius across 1 second without damage. Going from boiling to ice water won't break your glass; heating it dry over an acetyloxy torch and then dumping it in an ice bath *will* shatter it.
What you're looking at here isn't a system that catches one specific attack signature. You're looking at an attack which fundamentally relies on overflowing a buffer on the stack, rewriting RETP with an address on the stack that contains code injected as part of the overflow, and then jumping into that code on RETL instruction. This executes your code from the stack.
Meanwhile, the software being attacked stores a runtime-randomized word between the stack variables and RETP, then verifies it hasn't changed before a call to RETL, so you have to guess a 32-bit or 64-bit integer (1 in 4 billion or 1 in 16 billion*billion). If that fails, the system *still* has randomized the stack base, so you have to load a value into RETP which points to your code on the stack, which can be in any of thousands or millions of locations. Should you manage to guess both a one-in-four-billion and a one-in-524-thousand value simultaneously (one-in-2251-billion-billion) (or bigger on 64-bit), the stack is still non-executable: the OS will claim a general protection fault due to trying to execute non-executable memory.
That means this attack can't be carried out successfully without extreme luck (1 in 9.7 billion billion billion) or advanced knowledge of the program's address space (which the attacker must inspect while the program is running--it changes on every run); and even then, the attack has to do something distinctly other than injecting code. Heap, main executable, and library load addresses are also randomized on each run, so luck in dodging out the primary protections leads directly to rolling bigger dice in hopes of getting lucky a third time.
In this particular attack, you can't just launch an attack at a target. You have to gain control of DNS responses for that target, then wait for the target to make a DNS query. All of the above then apply. Good luck.
Re: (Score:2)
While you are probably correct. It still strikes me as hubris to be so dismissive.
Also, you know a lot about dishwashers.
Re: (Score:2)
You comment about dishwashers using hot water, but not about glass that can handle sudden temperature differentials?
I'm being realistic. It's like saying you can't do any banking on the Internet because someone could steal your credit cards when you log into your bank site; that worked in 1990, but we've since started using SSL and 128-bit encryption. Banking is safe, and running around screaming that the packets go through a bunch of routers in between and someone might be able to read the data is just
Re: (Score:2)
Most nerds think about the properties of different types of glass with some frequency, because glass is a common material that we interact with in multiple areas of life.
We also hear a lot of idiots say a lot of idiot things, generally consistent with the scene you described. However, I've never heard that one about dishwashers being dangerous. It is hilarious. Absolutely more surprising than knowing about glass properties.
Also, here in the US a "high temp" commercial dishwasher is expected to reach 180F on
Re: (Score:2)
Dishwashers aren't dangerous per se. It's just that cheap soda lime glass does crack when heated. I've had glass mugs explode in my hand while hand-washing: when pulled out from under the faucet, the cool air caused the glass to contract and crack, sometimes loudly, sometimes energetically. I lost *six* mugs in a set that way, the type made of green-tinted glass that's not thermally stable at all. If you open a dishwasher while the same type of glass is still hot, you expose heated glass to cool air;
Re: (Score:2)
Wow, that exposes your debugging skills pretty bad. One, OK. Everybody makes mistakes, one bug is not even a foul. Two, well, your first theory was just that it was a flawed unit. Three, OK, your first mitigation technique didn't work. Six? And then you're going to go on from there to lecture on code quality? You focus a lot on temperatures, I can inform you right now that your hot water heater is not adjusted to specification, and you failed to expect to need to adjust your washing technique to mitigate th
Re: (Score:2)
I simply assumed the glasses were shit, and stopped using that type of glass after they all broke. It's the same principle behind never [youtube.com] using perl [youtube.com].
I can inform you right now that your hot water heater is not adjusted to specification, and you failed to expect to need to adjust your washing technique to mitigate that.
You seem to have not noticed it didn't burn my hands.
the nuclear containment building is not a viable metaphor for the type of code mitigation strategies you describe.
It limits the scope of damage without preventing the actual precipitating event. C buffer overflows no longer allow remote code execution, but rather cause denial of service. With privilege separation strategies, you use a non-privileged daemon to sendmsg() a file handle (e.g. TCP connection) to a privile
Re: (Score:2)
I simply assumed the glasses were shit, and stopped using that type of glass after they all broke. It's the same principle behind never [youtube.com] using perl [youtube.com].
Didn't read past that. That wouldn't get you to six, it would get you to one or two and then you'd throw away the rest. There would be no reason to wash the remaining one using the same technique that was proven flawed for that unit; deciding the units were all crap would underscore that, not eliminate it.
BTW, welcome to slashdot. No, we don't click video links. This is a place for stuff that matters, not stuff too vapid to write down.
Re: (Score:2)
Why would I simply throw away glasses I could get a few more uses out of? I drive a 2004 Mazda 3; should I get a new car because third gear's been broken for 2 years?
The shit you've been babbling about is more vapid than anything on YouTube.
Re: (Score:2)
Re: (Score:2)
Yes, it requires even-more-unlikely scenarios.
Among those, many of the techniques you've provided require the ability to write to arbitrary memory locations (in which case you can use *that* bug to emulate *this* bug, so no change). Some rely on Windows Safe Exception Handling exploits. One of the methods given is "attack a function that isn't protected", which is a handwave.
The phrack article has a program exploiting itself by inspecting its own memory space and then jumping over terminator canaries.
Re: (Score:2)
Has to get around stack overflow protection canaries (-fstack-protector-strong or -all), address space randomization, and a non-executable stack and heap. Ubuntu has run -fstack-protector-strong (covers functions calling alloca()) since gcc 4.9 release after 2015-05, according to #1317307 [launchpad.net]. Kees Cook added the -strong feature to gcc, and is part of Ubuntu's compiler team, so it went straight into Ubuntu.
Good luck exploiting this bug.
Denial of service by crashing the process is of course not as nasty as remote code execution, but it can easily be nasty enough, especially if the properties of DNS would allow you to penetrate deep inside networks and services generally believed to be protected. My personal favorite vector here would be XML exposed to parsers that auto-load whatever DTD or other schema that is specified.
Re: (Score:2)
This is all true; and yet the media machine dismisses all denial-of-service attacks, all bugs that just crash your application, and instead jump up and down with white sheets making spooky noises whenever they see the words "Remote Code Execution." The report here is that glibc has this huge, terrifying attack surface turning any application into a hacker back door paradise; that assessment is false.
Did you hear about CVE-2015-1473, allowing a local or remote user to trigger a denial-of-service in glibc
Re: (Score:1)
Jokes on you, DNS uses pascal-style length prefixed strings like SSL.
That's how we get attacks like heartbleed: "255A"
Re:Hands up (Score:4, Insightful)
Who saw the name of the library, immediately went "oh, another C buffer attack," and rolled their eyes?
It's interesting how these things go.
If this would have been a vulnerability in MSVCRT, everyone would have mocked Microsoft and Windows.
However as this is a Linux vulnerability, the attention is turned to the used programming language instead.
Something to think about.
Re:Hands up (Score:5, Insightful)
If this would have been a vulnerability in MSVCRT, it would be concealed as long as possible, and who knows when it would be fixed?
However as this is a Linux vulnerability, it was openly discussed and it was fixed at once.
There, FTFY.
Re: (Score:2, Informative)
However as this is a Linux vulnerability, it was openly discussed and it was fixed at once.
There, FTFY.
It was disclosed in July last year. That doesn't meet my definition of "at once".
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
Re: (Score:2)
I wish I didn't have to agree with you. In fact the "speed" with which this was addressed is sufficient to yield some credence to those who believe that it was supported by those who have in other circumstances acted to intentionally weaken secure cryptography, and other secure systems.
I will grant that the evidence in support of this theory is so scant that accepting it counts as paranoia, but similarly it is strong enough that rejecting it counts as living in a fools paradise. As with many situations it
Re: (Score:2)
Re: (Score:2)
The source to MSVCRT is distributed with Visual Studio - it would be pretty hard to conceal a vulnerability like this.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
And i don't mean the political ones. Libraries. And i don't mean the physical ones. Long live static executables.
I would think that if you have linked your binaries with libresolv.a instead of the dynamic libraries, you will continue to be at risk until all the binaries that do so have been rebuilt.
With dynamic linking, someone replacing the shared library only has to restart the binaries that still use the old library.
So no, I would venture that those that go the static route are somewhat worse off.
Re: (Score:2)
Re: (Score:2)
In addition to the problems with your comment already listed, I'd like to add that avoiding libraries would only mean pasting the code from the library into a single file before compilation. None of the code would be different in the non-library version, and so none of the bugs would be different either.
You could expand it to the more general solution, __FUCK_CODE, but where would you even define it?
Re: (Score:2)
Well, it's different from that, and both worse and better.
If programs all used static libraries, then there would be an indefinitely large number of versions of each library on each working machine, but each library would only be accessible to the programs that were compiled with it.
This would have the advantage that "breaking changes" wouldn't affect working code. And the advantage that different versions of, say, a browser would be likely to use different versions of each library. THIS would make it mor
Re: (Score:2)
Having static everything would certainly prevent a virus making use of libraries from infecting every process, but that isn't necessary or even desirable to them. Having more different available versions to attack would increase the likelihood of infection. But more to the point with these exploits is attacks generally, not the special case of viruses. If somebody is attacking a system, they're going to attack all of the available surface until they get in, and then stop. Having all those different library
Re: (Score:2)
Most viruses/exploits target a particular library running in the context of a particular application. This would fragment their ecosystem. And vaccinations against particular diseases (AKA binary patches) would be possible...but they've be very version dependent.
You're right, not every paradigm is going to be applicable, and I thing, after making due allowances for metaphor translation, this one would be too expensive. But the proposal isn't ALL bad.
Re: (Score:2)
Most viruses/exploits target a particular library running in the context of a particular application.
That has a lot to do with the historical way that applications are linked, though. If applications were commonly linked against different libraries, there would be a lot more fuzzing and things going on. The nature of the exploits would be different than they are.
Targeted attacks already use the techniques that would be more common in that alternate world.
The proposal isn't all bad; it may or may not even be bad, generally. But since it wouldn't be able to achieve what it claims, it is more likely harmful t
Re: (Score:2)
Last year we had two (Heartbleed and the Bash-bug), this year we had one (so far). I am affected by none of them. (My DNS-requests only go to my ISP and I am not afraid they will hack their clients - and yes, I did patch it anyway.)
Before that we had several years without any serious one.
IIRC, the only one that ever affected me was 2002 (or so?), the big SSH vulnerability.
In all other cases some special conditions were needed for the exploit that didn't apply to me (for example the Bash-bug didn't affect an
Re: (Score:2)
I'm still an undergraduate student. I fully expect to be able to make a living in the industry though, and I intend to use whatever skills and time I have to educate as many people as possible about the massive fraud that is the open source "movement". It is time to take back programming from the narcissists and the amateurs
... says the person who just admitted he doesn't get paid to program.