Blame

I would imagine its probably Microsofts fault.

Linux rocks!!!

"I picked it out two weeks before the people whose job it is"

Hurrah for weasel words. Have you considered a job in politics?

Obviously there's hundreds of people doing exactly what he does, most find almost nothing, together they find a fraction of the bugs found by "those whose job it is" (as well as not repairing them).

It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!

Security schmekurity

So this is why I never could make Wine work on my Fedora. Linux desktop for the masses my foot. Gimme less security, not more.

Fail

Wine is not a desktop environment, as many other commentards are likely to have pointed out before me.

Ehhh?

"A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.

The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable"

Then....

"The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature"

Make your minds up!

Linux suxx0rs

OMG ANUTHER bug?!!? ycant thees ppl lrn 2 chk there codes b4 releesig it?1/1 Linux just suxxors!! Linuxs got more holes then swis ches now. y does ppl stil use that gabrage U shuld all switch to a BSD they gots waaaaay more seccurrity and more sable too.

</parody>

Just thought I'd try a parody of the usual post found in Windows security issue comment threads.

Not this guy again

This guy popped up with a fairly obscure but quite cute exploit that is basically a local privilege escalation.

If this was a remotely expoitable vuln, then ok, but really the biggest class of issue is the dumb user running some random file from the web and that is all this amounts too in terms of threat.

While I'm glad he raised and disclosed the bug enabling me to patch my kernels, I think this guy is making a lot of fuss over basically a couple of sloppy lines of code.

In fairness the entire net/socket.c file has a couple of example of "use before check" bugs,

it wouldn't take more then an hour to fix and for the most part they bomb correctly.

The real issue is being allowed to mmap page 0, which if you can't do then his exploit fails miserably.

Most distro kernels come with mmap_min_addr enabled anyway, if they don't frankly it's not hard to add a line to the /etc/systctl.conf file like vm.mmap_min_addr=4096

or run "sudo sysctl -w vm.mmap_min_addr=4096" on the command line.

Sure if your using wine or pulse-audio then there are issues as they need to mmap low addresses but for a lot of people stopping a user from downloading and running untrusted code is more difficult then sandboxing the system and more effective in security terms

And as for slating red-hat, they are on the case, see http://kbase.redhat.com/faq/docs/DOC-18042

Sure There are security issues with Linux but why not write a patch, submit to the LKML and be done with it.

Easily fixed

What you really need to know:

http://kbase.redhat.com/faq/docs/DOC-18042.

Or a clear description of the setting:

http://wiki.debian.org/mmap_min_add

Pretty trivial really. Mr Spengler is starting to sound a lot like chicken little.

Ewww

Very nasty indeed.

Luckily for most, Windows® doesnt have that 'feature'.

I have a mate who will already be pissing blood over this - hahaha you hippie, thats what you get for going to uni!

Cupcake anyone, while we watch the Trolls and Fanbois over-react?

Worst comment ever

"It's interesting to me that I picked it out two weeks before the people whose job it is to find this sort of stuff,"

What is the point of saying this???? This just proves open source is working. Presumably he is about as likely to find a flaw as anyone else (discounting different levels of smarts). If this was Microsoft and he was finding bugs with fuzzing or what not then he would have a point. The purpose of Linux is to rely on users like himself to find these bugs. Open source is working, move along.

OMG!

Linux behaving like Windwoes?

if only

they had written the kernel in ADA instead of that half-arsed 'c' language

Latest Linux? Or just old Red Hat?

Your headline is more than misleading: the latest -and not-so-latest- Linux is indeed fully patched, only Red Hat left a hole in there, which is actually not even there anymore in their "latest" (as you put it) release. So "Bug in latest Linux gives untrusted users root access" actually reads "Hack in old RHEL gives users root access". And even so, coming from the guy who discovered that a person running programs as root can get root access (Shock! Horror!), I have my doubts.

@ NOC

indeed, this could not happen to windows and os X.

no source to look at

lmho

rg

Really seems to be MS compatibility hitting you

From article: "or desktop environments such as Wine."

Wine is not a desktop environment, but a Windows emulator. It needs a Windows-compatible insecure memory layout. There are also some "ported" programs that use a bundled version of Wine underneath. True Linux programs (including Linux desktop environments like Gnome) don't care about the mmap_min_addr setting. So this is a case of getting insecurity for catering to Windows-originated software.

Improbable

@By Marvin the Martian Posted Tuesday 3rd November 2009 21:16 GMT

It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!

=========================

What's the formal name for this logical fallacy ? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct.

The quest to know what I'm talking about has been downsized to an epic scavenger hunt ... could you help me out ?

Fedora is OK, apparently

> "As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf"."

On Fedora 10, with no sysctl tweaks at all, I get a result of 65536. Everything works too, including pulseaudio.

CentOS is OK, too, apparently

Me again ...

Running "sysctl vm.mmap_min_addr" on a default CentOS 5.3 install gave the same result as Fedora 10 (i.e. 65536).

memmap & root

There's your problems right there, design faults.

Get a life

OMG even when the article is purly Linux related the geeks can't help but bring Windows into it. You people should get a life..........

This is a surprise

The Reg seems to be going overboard with its balance of views regarding Windows vs Linux this week.

This is good as it gives more cred to the good stuff.

Also good to note that it seems only RHEL due to the other Distro's correct implementation of the mmap_min_addr feature and that the bug has already been fixed in the latest upcoming 2.6.32 kernel.

I wonder how long it would have taken Apple or MSFT to fix something like this.

Redhat oopsie

oooh, the one with the most enterprise grade solutions in FTSE organisations too...

egg....face...interaction.

As a side note... I thought LINUX was superior in every way, was completely secure and would *never* be victim of the same mistakes/bugs that befall Windows or OS X?

My linux is certainly 100% secure...I can't get the damned thing to run X, so a permanent "power off" state is in effect. Formatting with Win2k8 will be a lot less painful than a descent into CLI hell trying to get display drivers to work in LINUX.

Meh

A small issue. Noone is going to bother writing a virus that targets Linux anyway.

@Neoc - Windows open to black hats

"However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX."

Not the case. OSX is open source except for desktop cosmetics. One of my work colleagues put a Windows source CD on my desk, made available under Microsoft's "Shared Source" program. I haven't read it, because I don't want Microsoft suing me for copyright or patent infringement if I contribute anything they consider similar to an open source program. To sell Windows to government and security sensitive environments, MS wouldn't make these sales without disclosing source. So Windows users are not protected from code review because of Microsoft's inability to keep source code in house.

This gets worse, because black hats who have no intention of contributing to open source have access to Windows source code and white hats, who also technically have access, for reasons given above are unlikely to want to read it unless paid by employers with very large security budgets specifically to do so.

The Solution

The world needs a new OS.

Not a new version of Windows, MacOS, Linux, Unix, OpenVMS, OS400, zOS, or anything else.

It needs a new OS built from the ground up to be fundamentally secure. Written from scratch, without worrying about end features and groovy interfaces. Start with the very basics and build it up. If everything at lower levels is secure, there's no reason everything added can't be secure

Why not? Expensive.

And I bet it still has bugs and holes!

It's been mentioned before, but it's worth re-iterating

What most of the people bouncing up and down and pointing "you're insecure" fingers at Linux fail to realise is the nature of this exploit.

It's a local root exploit: that is you have to be running code on the machine in order to take advantage of the problem.

How do you do that? Well, you persuade someone to download and run some malware on the machine. Good luck with that, it's not impossible but I'm sure you'll find some gullible idiot somewhere on the net. On the other hand, that gullible idiot is likely to fall for more overt trickery (eg don't use two-factor authentication, it's not secure because you don't need a password).

Server admins aren't in any particular hurry to patch local root exploits because the unwashed masses aren't allowed anywhere near the machine ....

@Pete 8

"Cupcake anyone, while we watch the Trolls and Fanbois over-react?"

Thank you, don't mind if I do.

Mmmmm. Cake....

Blinkered.

I love the LINUX fanboi's response to LINUX problems like this. Rational, reasonable, stating sensible facts, and mitigations thereof.

The very same people who scream like little girls about Microsoft doing anything similar, as if the greatest offence in the history of mankind had been commited and is completely unforgivable.

Software development is the one of the most complex tasks mankind has ever undertaken, there will always be vulnerabilities in code, stop being arses thinking your precious littel hobbyist operating systems are any different.

Blinkered, idiotic losers. You really are.

@The Solution

Secure OS? Well, it would work with just a secure kernel, really, as long as modules like drivers run in a less-privileged layer and there are sufficient monitoring functions in said secure kernel.

Aussi boffins are already on the way to doing that:

http://www.theregister.co.uk/2009/08/17/secure_kernel/

Local user exploit - no longer exploitable

..and now for the weather

A storm that has been brewing tor several months has now broken over a small teacup in a shed in finland..................

Why Linux fanbois are right

"You forever moan about windows running in admin mode, yet when it comes to linux you write:

Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue.

The reason they say that is because of the extra difficulty to remotely exploit Linux when compared to Microsoft operating systems. See Metasploit.org for details.

When will Reg disable Anonymous comments?

They rarely contribute anything of worth.