Announcement

Collapse
No announcement yet.

New Linux Kernel Vulnerability Exploited

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • New Linux Kernel Vulnerability Exploited

    Phoronix: New Linux Kernel Vulnerability Exploited

    Last month it was the X.Org Server with a noted security vulnerability and now this time around it's the Linux kernel...

    http://www.phoronix.com/vr.php?view=MTM3MjA

  • #2
    Time to update my 3.8.6 kernel.

    Comment


    • #3
      Just updated to 3.8.12.
      And...it's interesting that Red Hat backported the bug...

      Comment


      • #4
        It seems that the increasing linux popularity is bringing many of the risks which Windows suffer.

        I hope this trend of vulnerabilities always get fixed on time and a new era of linux viruses, worms, trojans, etc... don't fall on us.

        Comment


        • #5
          These kind of things... History has taugh us again and again that software is inherently buggy (insecure?); it is simply to many 'variables' that it is virtually imposible to escape this reality. It doesn't matter how much effort is put on design, it doesn't matter whether it is Linux, Windows, Solaris, BSD, MINIX, Plan 9, AIX, MULTICS, it doesn't matter if it is 'direct' or managed code...
          I think that shifting away from this (apparently) natural issue about software in general requires something radical and essentially new. I hope to be able to see such thing materialize.

          Comment


          • #6
            Originally posted by Sergio View Post
            I think that shifting away from this (apparently) natural issue about software in general requires something radical and essentially new. I hope to be able to see such thing materialize.
            Yes, like having package manager and being opensource, very *radical* : )

            Comment


            • #7
              Originally posted by TheOne View Post
              It seems that the increasing linux popularity is bringing many of the risks which Windows suffer.

              I hope this trend of vulnerabilities always get fixed on time and a new era of linux viruses, worms, trojans, etc... don't fall on us.
              I would think secret services and cyber defense/war agencies are interested that operating systems are kept vulnerable. No matter if it's Linux, Windows, OS X or any popular smartphone OS.

              What if Microsoft, Oracle, Google, perhaps even Red Hat etc are infiltrated by CIA, NSA or cyber security agencies? And why would we think that they aren't.

              (related: The Flame Virus Have the CIA and NSA Infiltrated Microsoft?, Special Report: U.S. cyberwar strategy stokes fear of blowback)

              Comment


              • #8
                Originally posted by brosis View Post
                Yes, like having package manager and being opensource, very *radical* : )
                The way OSS works helps people discover and fix vulnerabilities much faster than closed source OS (Windows)

                Comment


                • #9
                  Originally posted by DeepDayze View Post
                  The way OSS works helps people discover and fix vulnerabilities much faster than closed source OS (Windows)
                  This is true, DeepDayze. However, how many people ACTUALLY look at the code? Maybe the community is too confident about this, that ultimately there is hardly any practical difference between the open source vs closed source model when it comes to security.

                  Comment


                  • #10
                    Originally posted by Sergio View Post
                    This is true, DeepDayze. However, how many people ACTUALLY look at the code? Maybe the community is too confident about this, that ultimately there is hardly any practical difference between the open source vs closed source model when it comes to security.
                    people inside novell and redhat do, they are paid to do it

                    not to mention the uncountable independent contractors hired for managing code

                    the code is being looked at

                    Comment


                    • #11
                      Originally posted by tomato View Post
                      people inside novell and redhat do, they are paid to do it

                      not to mention the uncountable independent contractors hired for managing code

                      the code is being looked at
                      Of course; just as Microsoft's people are paid to look at Windows, or Oracle's at Solaris. Sure, the code is there and everyone can debug it, but if only people being payed are looking at it, how does it differ from the situation in the closed-source model?

                      Comment


                      • #12
                        It differs in that anyone, you, have the chance to look at it any time, should you so choose.

                        Comment


                        • #13
                          Originally posted by Sergio View Post
                          These kind of things... History has taugh us again and again that software is inherently buggy (insecure?); it is simply to many 'variables' that it is virtually imposible to escape this reality. It doesn't matter how much effort is put on design, it doesn't matter whether it is Linux, Windows, Solaris, BSD, MINIX, Plan 9, AIX, MULTICS, it doesn't matter if it is 'direct' or managed code...
                          I think that shifting away from this (apparently) natural issue about software in general requires something radical and essentially new. I hope to be able to see such thing materialize.
                          There already is this something radical and new like that. It's called Hardened Gentoo. Or PaX kernel sources, to be specific, which is what guards from buffer overflows like this one. That is, buffer overflows still happen due to poor code, but attackers can't use them, since they can't track where the code they want to be executed is located, as it's constantly randomised in memory. It does come at a cost of some overhead, though.

                          Comment


                          • #14
                            Originally posted by GreatEmerald View Post
                            There already is this something radical and new like that. It's called Hardened Gentoo. Or PaX kernel sources, to be specific, which is what guards from buffer overflows like this one. That is, buffer overflows still happen due to poor code, but attackers can't use them, since they can't track where the code they want to be executed is located, as it's constantly randomised in memory. It does come at a cost of some overhead, though.
                            I see that it implements the non-executable bit at the page level; it emulates the functionality if the hardware doesn't support it. The feature SEGMEXEC looks interesting. It also offers ASLR and other things. Overall very interesting. Yet, I found this: "March 4, 2005: VMA Mirroring vulnerability announced, new versions of PaX and grsecurity released, all prior versions utilizing SEGMEXEC and RANDEXEC have a privilege escalation vulnerability".

                            When I said that something radical was needed, I was thinking more on a complete shift in the way we create computer programs (just to put an example, functional instead of imperative systems programming).

                            Comment


                            • #15
                              Also lets not forget the fact that closed code can't get audited by outsiders. Open code tends to have its flaws documented to much greater extremes than closed code does. Also turn around time for flaws in open code is much faster. Often time turn around for flaws on closed code can take years.
                              Last edited by duby229; 05-15-2013, 06:56 PM.

                              Comment

                              Working...
                              X