A Tale of Two Root Exploits, and Why We Shouldn't Panic
Sep 27, 2010 5:00 AM PT
There's no denying Linux is more secure than perpetually patching Windows, but the past month or so has not provided an ideal demonstration.
In August, we saw the arrival of a long-overdue fix for a kernel bug that was six years old; now, in the last week or so, it's been not one but two root exploits causing a fuss.
"Running 64-bit Linux? Haven't updated yet? You're probably being rooted as I type this," was the introduction on Slashdot to CVE-2010-3081, the second such vulnerability to come to light in recent days.
Preceding it by just a few of those days, of course, was CVE-2010-3301, which had actually been discovered and fixed back in 2007 before the patch was inexplicably removed again the very next year, reintroducing the vulnerability.
Put it all together, and you'll see why more than a few Linux bloggers have been scratching their heads about security.
A Matter of Size?
"Perhaps the kernel's size is becoming too unwieldy," suggested Anonymous Coward on the Slashdot discussion of CVE-2010-3301, for example. "I mean this is what, the third 'reverted' security patch we've heard about in the recent past that needed replacement?
"Maybe it's time to separate out core kernel code and the arch specific stuff into separate modules with separate administration," Anonymous Coward added. "Git would make this easy, so why aren't we seeing it done?"
On the other hand, "I thought only Windows got exploited this way....," wrote drinking12many, referring to CVE-2010-3081. "Oh, that's right. All OSes do."
'You Are Probably NOT Being Rooted'
Then again: "Linux sucks, but it sucks a lot less than Windows," countered Runaway1956. "I mean, the 'fix' is already out."
Alternatively, "you are probably NOT being rooted even as you read this," asserted Barbara Hudson, a blogger on Slashdot who goes by "Tom" on the site. "Every ksplice story slashdot has carried has turned out to be no big deal. I'm going to ignore it, based on their previous performance."
So, should Linux users be worried? Is the bug invasion upon us? Linux Girl took to the streets of the blogosphere for more insight.
'The Article Is Alarmist'
"Of course it's worrisome," said Chris Travers, a Slashdot blogger who works on the LedgerSMB project. "But all software has occasional security problems, and it will be fixed.
"I don't see a major reason to be overly worried about this bug in particular," Travers told Linux Girl. "If one follows good security practices, the exposure is minimized."
Indeed, "the article is alarmist," Hudson agreed. "It was ONE shared-hosting public-facing server at iWeb.com, among their tens of thousands of servers.
"Are you running a publicly-facing shared-host server? No? Then don't worry about it, and when your distro comes out with a new kernel, just update," Hudson recommended.
'Bad Month for Linux'
Such problems "inevitably creep in, but it was a learning experience to find them return after being fixed once," blogger Robert Pogson said. "Perhaps some kind of cross-reference on changelogs might prevent a recurrence."
Still, "we get one every few years -- that other OS gets one a month," Pogson pointed out. "The Linux boys and girls can do better, but M$ will never catch them without a major rewrite.
"I updated a few key machines ASAP in GNU/Linux," he added. "I have lost many nights' sleep with that other OS."
It has been a "bad month for Linux," agreed Montreal consultant and Slashdot blogger Gerhard Mack. "Hopefully someone has learned from this."
Ultimately, "Linux getting rooted just shows what I have been saying all along: There is NO operating system that can't be hacked, be it windows, Linux or OSX," Slashdot blogger hairyfeet told Linux Girl.
"Linux guys saying it can't be hacked is a classic case of 'magical thinking' and doomed to fail," hairyfeet explained. "Magical thinking is when you say, 'because we have product x we are safe!'--and it never works."
Not just reserved for operating systems like Linux, such "magical thinking" can be applied to firewalls or authentication servers, "or even crazy length passwords or gluing USB ports shut," hairyfeet noted.
'That Is Hard Work'
In the end, however, "the ONLY way to secure a network is a top to bottom approach, with everything running on least permissions principles and nothing getting net access that doesn't require it," concluded hairyfeet. "Sadly, that is hard work and requires dedication.
"It is an OS, folks -- millions of lines of code. It isn't a ball club; no need for fanboys here," hairyfeet added. "Just because you root for Linux doesn't mean it can't be rooted."