Well the ink had barely dried on our recent Linux Blog Safari column about security when news came out last week that a new Linux kernel vulnerability had been discovered.
Affecting all 2.4 and 2.6 kernels since 2001 on all architectures, the flaw was found and then described Thursday on the cr0 blog by Julien Tinnes and Tavis Ormandy.
“Since it leads to the kernel executing code at NULL, the vulnerability is as trivial as it can get to exploit: an attacker can just put code in the first page that will get executed with kernel privileges,” Tinnes explained.
Similarly, “this issue is easily exploitable for local privilege escalation,” Ormandy wrote on Neohapsis. “In order to exploit this, an attacker would create a mapping at address zero containing code to be executed with privileges of the kernel, and then trigger a vulnerable operation.”
A patch was committed by Linus later that same day, but not before the news spread like wildfire to Slashdot, to OSnews and to The Register, to name just a few.
“Please, this is a _local_ privilege escalation,” wrote sofar on Slashdot, for example. “It’s not like code red infecting your box remotely. A sledgehammer is also a local privilege escalation.”
Then again: “The thing is, local privilege escalations can become remote privilege escalations when combined with buggy services that allow for code injection,” countered jandrese. “This is especially bad for people who are forced to run services that they don’t trust and thus place them in jails, only to discover that if the exploit happens at the kernel level then your jail means nothing.”
‘A Bit of Excitement’
Security problems are occasionally found in “just about every piece of nontrivial software,” Chris Travers, a Slashdot blogger who works on the LedgerSMB project, told LinuxInsider. “A single security vulnerability isn’t that interesting by itself, no matter how severe. What is more important is that it gets corrected and folks update their systems in a timely manner.”
The news certainly “caused a bit of excitement,” blogger Robert Pogson told LinuxInsider.
Nevertheless, it was announced and patched the same day — “unlike that other OS that would leave you twisting in the wind for weeks or months,” he added.
“I hate it when those pop up,” Slashdot blogger Gerhard Mack agreed. “It’s a good thing the patch has already been released.”
In fact, local privilege escalation isn’t new for Linux, Slashdot blogger gmuslera told LinuxInsider. “From time to time — not frequently, but it happens — a case comes to light and is usually solved quickly,” he said, citing another recent example.
“For it to be exploited, you need to be able to execute given binaries in the attacked system, something that is usually a big security problem already,” gmuslera noted.
This case is “big” because it involves most Linux installations, he added. “But that the vulnerability is already patched means that most distributions will update their kernels in the next few days,” he said.
‘Better and Easier Ways to Attack’
“Yawn. Yet another *local* threat,” echoed Slashdot blogger yagu. “Once again, local access to a machine usually means you have a lot more problems to worry about than just some exploit of the kernel. As far as I’m concerned, if someone got local access to privileged machines and wanted to exploit with this vulnerability, I’d question their competence.
“Local access? Kernel exploits? Ha! There are so many better and easier ways to attack with local access,” yagu added.
“It’s not that it’s not a serious vulnerability and that it shouldn’t be fixed — it’s more the histrionics around these revelations,” he told LinuxInsider. “Exploits with local access happen. Show me a tftp exploit, a telnet exploit, something that lets a remote user hack a Linux box, then we’ll talk.”
No More Bad Guy?
Speaking of talking, that’s just what bloggers have been doing ever since the Linux Loop’s Thomas Teisberg entreated the FOSS community to “match Microsoft” on interoperability.
“As much as the FSF would like to continue framing Microsoft as the bad guy in every situation, they aren’t,” Teisberg wrote, citing the so-called “browser ballot” for Windows 7 and the proposed file format ballot for Office 2010. “The Microsoft of today is very different from the Microsoft of 5 years ago, and supporters of open standards should start to match their moves towards interoperability.”
Did Linux geeks jump all over that one? You bet your ballot box they did.
‘Maybe It’s a Typo’
“Pardon me for introducing a tiny note of skepticism as I make the cautionary note that this is entirely and utterly opposite policy to everything else Microsoft has done for the past umpteen years,” asserted lemur2 on OSnews, for example. “One has to ask … where is the catch?”
And in response: “The catch, my dear Lemur, is that the Ayatollah K’Ballmer would never allow this democratic ballot unless he had a plan which absolutely ensured that his candidate would win it,” opined sbergman27.
Even more succinctly: “Maybe it’s a typo and the article was supposed to go under ‘Comedy’ instead of ‘Opinion’,” suggested tuxchick on LXer.
‘What MS Interoperability?’
“The file format ballot is a great idea for FOSS, as it increases the utility of such software,” Travers said. “I can’t imagine this being particularly controversial, though, since OOo has had an option for default file formats for as long as I can remember. …
“So, not only is it a great idea, but we did it first!” Travers asserted.
Similarly: “An option to change the default save type is a fantastic idea, regardless of what Microsoft does,” Mack opined.
‘I’d Reverse the Demand’
“Ignoring the nonsequitur for the moment — *what MS Interoperability?* — FOSS should strive for interoperability,” yagu began.
“How are they doing? Consider OpenOffice! OpenOffice often succeeds where MS fails in its ability to open different MS documents from different Office versions,” he asserted. “Firefox? It is at least as good in the ACID test as any MS browsers. Not bad for free software.”
The article’s “demand” is “a little specious,” yagu concluded. “Interoperability is probably one of the most important keys to excellent technology. Setting the bar so low as to match MS’s interoperability is a chip shot for FOSS. I’d actually reverse the demand: Microsoft should match FOSS’s level of interoperability.”
‘M$ Has Burned Too Many Bridges’
Even more so: “Matching M$ for interoperability? HAHAHA! That is the funniest demand I have ever heard made on GNU/Linux,” Pogson exclaimed. “M$ has a long history of blocking interoperability every way they could: shifting file formats, multiple complex APIs and protocols, restrictions in the EULA, exclusive dealing with OEMs and retailers. … What haven’t they done to prevent interoperability?”
The latest moves “seen as an opening by M$” were achieved only “by a decade of demands from large customers and legal orders,” he pointed out. “GNU/Linux already gives a large choice of browsers. For instance, in Debian I can choose Epiphany, IceWeasel, Konqueror, Lynx, Links or Galeon — and M$ does not even license IE to run on GNU/Linux.”
In short: “No. M$ has burned too many bridges to be considered a model citizen anytime soon,” Pogson concluded. “The only situation in which M$ is truly open is attracting malware. They can keep it. We should not emulate that behavior.”
Once again, the "Open Source" community shows its true stripes. They are not interested in openness or interoperability, only MS-bashing. Like the false liberals of the current BHO administration, they are for "open source" and "interoperability", but only if they get to define the terms. Sorry, but that doesn’t work.
And the Linux bug? Updating code in a private source code library is not "patched". Deployed and installed is "patched". How many vulnerable servers have been patched? None? half-dozen? Since Linux has no emergency patch deployment, scheme, is still very real.
Surely you can troll better than that…
I get the feeling you last used Linux somewhere in the 1990s.
These days most Linux distros have an emergency patch deployment system. My servers do one better and Nagios emails me if there are critical patches that haven’t been installed yet so generally I have machines fully updated less than 24 hours after Debian releases a security update.
All of the machines I admin have had the kernel security update installed so by your definition I’m patched.