Blame
I would imagine it's probably Microsoft's fault.
Linux rocks!!!
A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system. The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at …
Hurrah for weasel words. Have you considered a job in politics?
Obviously there are hundreds of people doing exactly what he does; most find almost nothing, and together they find a fraction of the bugs found by "those whose job it is" (as well as not repairing them).
It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!
"A software developer has uncovered a bug in most versions of Linux that could allow untrusted users to gain complete control over the open-source operating system.
The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable"
Then....
"The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature"
Make your minds up!
...in 3... 2... 1...
Honestly folks, the fact that there's a bug in the Linux Kernel does not surprise me - *any* program big enough to be useful is big enough to have bugs. However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX.
Good, bad? The choice is yours. I personally run Windows XP on my desktop and Ubuntu Linux on my web/mail servers at home - use the tool best suited for the job sort of thing.
OMG ANUTHER bug?!!? ycant thees ppl lrn 2 chk there codes b4 releesig it?1/1 Linux just suxxors!! Linuxs got more holes then swis ches now. y does ppl stil use that gabrage U shuld all switch to a BSD they gots waaaaay more seccurrity and more sable too.
</parody>
Just thought I'd try a parody of the usual post found in Windows security issue comment threads.
This guy popped up with a fairly obscure but quite cute exploit that is basically a local privilege escalation.
If this was a remotely exploitable vuln, then OK, but really the biggest class of issue is the dumb user running some random file from the web, and that is all this amounts to in terms of threat.
While I'm glad he raised and disclosed the bug enabling me to patch my kernels, I think this guy is making a lot of fuss over basically a couple of sloppy lines of code.
In fairness the entire net/socket.c file has a couple of examples of "use before check" bugs;
it wouldn't take more than an hour to fix, and for the most part they bomb correctly.
The real issue is being allowed to mmap page 0, which if you can't do then his exploit fails miserably.
Most distro kernels come with mmap_min_addr enabled anyway; if they don't, frankly it's not hard to add a line to the /etc/sysctl.conf file like vm.mmap_min_addr=4096
or run "sudo sysctl -w vm.mmap_min_addr=4096" on the command line.
Sure, if you're using Wine or PulseAudio then there are issues, as they need to mmap low addresses, but for a lot of people stopping a user from downloading and running untrusted code is more difficult than sandboxing the system, and less effective in security terms.
And as for slating red-hat, they are on the case, see http://kbase.redhat.com/faq/docs/DOC-18042
Sure There are security issues with Linux but why not write a patch, submit to the LKML and be done with it.
Theo de Raadt, the leader of the OpenBSD OS had this to say about Linux and Torvalds:
If anyone wants a choice quote from me about the recent Linux holes,
this is what I have to say:
Linus is too busy thinking about masturbating monkeys, he doesn't
have time to care about Linux security.
For the record, this particular problem was resolved in OpenBSD a
while back, in 2008. We are not super proud of the solution, but it
is what seems best faced with a stupid Intel architectural choice.
However, it seems that everyone else is slowly coming around to the
same solution.
"It's interesting to me that I picked it out two weeks before the people whose job it is to find this sort of stuff,"
What is the point of saying this???? This just proves open source is working. Presumably he is about as likely to find a flaw as anyone else (discounting different levels of smarts). If this was Microsoft and he was finding bugs with fuzzing or what not then he would have a point. The purpose of Linux is to rely on users like himself to find these bugs. Open source is working, move along.
For many commercial customers, upgrading immediately to the latest bug fix releases of the kernel is not a realistic option. For example, if you use OCFS2 you might have to wait a little while for them to update their kernel modules. Or if you're an HP customer and use their ProLiant Support Pack with their updated drivers, you also have to wait for a version to be released that supports the kernel you want to move to. Typically this happens about every 3 months, and they will always lag behind the very latest kernels because kernel releases are a moving target and HP have to stop at some point to QA before they do a release.
I can't speak for IBM or Dell as I don't have any experience with those vendors. Would be interested to hear from anyone who does.
As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf".
WINE is for running Windows programs on a Linux box, but it has limitations. Last time I read about it, WINE was unable to install or run Windows malware correctly.
Closed source drivers can cause some hassle (none in this case). If some kit provides so much benefit for you that it is worth the hassle, ask the supplier to provide a minimal open source wrapper around a binary blob like nVidia have for years.
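The check described in the comment above ("sysctl vm.mmap_min_addr", 4096 meaning the problem has been dealt with) and the /etc/sysctl.conf line suggested earlier in the thread (vm.mmap_min_addr=4096), combined into one POSIX shell audit script. This is an added example written for this page, not code posted by any commenter or shipped by a distribution. It assumes a Linux host exposing /proc/sys/vm/mmap_min_addr; the sysctl.conf fragment it writes is a constructed sample, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the mmap_min_addr
# mitigation for NULL-page mapping is active now and persisted for reboot.

# Threshold used in the thread: one 4096-byte page keeps page 0 unmappable.
MMAP_MIN_ADDR_SAFE=4096

# running_mmap_min_addr: print the live kernel value (Linux /proc only).
running_mmap_min_addr() {
    cat /proc/sys/vm/mmap_min_addr 2>/dev/null
}

# effective_mmap_min_addr FILE: print the value a sysctl.conf-style file
# would apply for vm.mmap_min_addr. Later lines override earlier ones,
# comments (# or ;) and surrounding whitespace are ignored, and nothing is
# printed when the key is absent.
effective_mmap_min_addr() {
    sed -e 's/[#;].*$//' "$1" \
      | awk -F'=' '
          /^[ \t]*vm\.mmap_min_addr[ \t]*=/ {
              v = $2; gsub(/[ \t]/, "", v); last = v
          }
          END { if (last != "") print last }'
}

# classify_mmap_min_addr VALUE
#   returns 0 when VALUE >= 4096 (mitigated),
#           1 when it is a number below that (page 0 mappable),
#           2 when it is empty or not a number (unreadable/invalid).
classify_mmap_min_addr() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$1" -ge "$MMAP_MIN_ADDR_SAFE" ]; then return 0; else return 1; fi
}

# report_mmap_min_addr LIVE_VALUE CONF_FILE: print a verdict on the running
# value and on whether CONF_FILE would restore it after a reboot; the exit
# status is the classification of the live value.
report_mmap_min_addr() {
    live=$1
    conf=$(effective_mmap_min_addr "$2")
    rc=0; classify_mmap_min_addr "$live" || rc=$?
    case $rc in
        0) printf 'running: vm.mmap_min_addr=%s -> page 0 not mappable (mitigated)\n' "$live" ;;
        1) printf 'running: vm.mmap_min_addr=%s -> page 0 mappable; fix now with: sysctl -w vm.mmap_min_addr=%s\n' \
               "$live" "$MMAP_MIN_ADDR_SAFE" ;;
        *) printf 'running: vm.mmap_min_addr unreadable (no /proc or not Linux)\n' ;;
    esac
    if [ -z "$conf" ]; then
        printf 'config:  %s does not set vm.mmap_min_addr; add vm.mmap_min_addr=%s to persist it\n' \
            "$2" "$MMAP_MIN_ADDR_SAFE"
    elif classify_mmap_min_addr "$conf"; then
        printf 'config:  %s sets vm.mmap_min_addr=%s (survives reboot)\n' "$2" "$conf"
    else
        printf 'config:  %s sets vm.mmap_min_addr=%s -> too low or invalid\n' "$2" "$conf"
    fi
    return $rc
}

# write_sample_conf: write a constructed sysctl.conf fragment to a temp file
# and print its path. The values are made up for the demonstration.
write_sample_conf() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample sysctl.conf fragment (not from any real host)
net.ipv4.ip_forward = 0
vm.mmap_min_addr = 0      ; an old default that leaves page 0 mappable
kernel.printk = 4 4 1 7
vm.mmap_min_addr=65536    # later line wins: the hardened setting
EOF
    printf '%s\n' "$sample"
}

# main [CONF_FILE]: audit the live kernel against CONF_FILE (default
# /etc/sysctl.conf); falls back to the constructed sample if unreadable.
main() {
    conf_file=${1:-/etc/sysctl.conf}
    [ -r "$conf_file" ] || conf_file=$(write_sample_conf)
    report_mmap_min_addr "$(running_mmap_min_addr)" "$conf_file"
}

# Usage: sh mmap_min_addr_audit.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with the path of the sysctl file you actually ship (some distributions split settings into /etc/sysctl.d/ fragments, which this example does not walk); the exit status lets a config-management run fail when the live value is below one page.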
Your headline is more than misleading: the latest -and not-so-latest- Linux is indeed fully patched, only Red Hat left a hole in there, which is actually not even there anymore in their "latest" (as you put it) release. So "Bug in latest Linux gives untrusted users root access" actually reads "Hack in old RHEL gives users root access". And even so, coming from the guy who discovered that a person running programs as root can get root access (Shock! Horror!), I have my doubts.
From article: "or desktop environments such as Wine."
Wine is not a desktop environment, but a Windows emulator. It needs a Windows-compatible insecure memory layout. There are also some "ported" programs that use a bundled version of Wine underneath. True Linux programs (including Linux desktop environments like Gnome) don't care about the mmap_min_addr setting. So this is a case of getting insecurity for catering to Windows-originated software.
Security features do not happy end users make - as nicely demonstrated by AC@22:00, and the comments about redhat breaking the feature on purpose. End users are made happy by more features, which require more development effort, which requires lower barriers to entry.
If you're playing market catchup (as Linux is on the desktop) then this may mean loosening things up to make emulations, wrappers and crude ports work. I must presume that the sco binary wrappers that eased Linux server uptake 10 years ago had some similar requirements.
The other area for lowering barriers for entry is making things easier for developers. This was a major part of how Microsoft won PC/Mac round 1 in the 80s. I'd be surprised if this wasn't also part of the RHEL decision. Easier for developers means allowing them to be a bit sloppier, or making them jump through fewer hoops to achieve a goal that would be hugely painful to reach correctly (pulseaudio seems to fit into this bucket).
I think that the Linux kernel team have made some better tradeoffs in this regard than the Windows team, with de Raadt and company just refusing to play. It's a factor in the fight for desktop marketshare, and unfortunately it's not in Linux's favour.
@By Marvin the Martian Posted Tuesday 3rd November 2009 21:16 GMT
It's like the incredibly improbable numberplate I have, XY-32-TP --- what's the chance, 1 in 45million!!
=========================
What's the formal name for this logical fallacy? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct.
The quest to know what I'm talking about has been downsized to an epic scavenger hunt ... could you help me out?
The Reg seems to be going overboard with its balance of views regarding Windows vs Linux this week.
This is good as it gives more cred to the good stuff.
Also good to note that it seems to be only RHEL, due to the other distros' correct implementation of the mmap_min_addr feature, and that the bug has already been fixed in the latest upcoming 2.6.32 kernel.
I wonder how long it would have taken Apple or MSFT to fix something like this.
oooh, the one with the most enterprise grade solutions in FTSE organisations too...
egg....face...interaction.
As a side note... I thought LINUX was superior in every way, was completely secure and would *never* be victim of the same mistakes/bugs that befall Windows or OS X?
My linux is certainly 100% secure...I can't get the damned thing to run X, so a permanent "power off" state is in effect. Formatting with Win2k8 will be a lot less painful than a descent into CLI hell trying to get display drivers to work in LINUX.
"Theo de Raadt, the leader of the OpenBSD OS had this to say about Linux and Torvalds:"
Ah yes, OpenBSD, the project that gave us OpenSSH and its remotely-exploitable root exploit.
Of course bugs are discovered in software. But when that happened, you might have expected the openssh.com website to have a big red warning saying there was a critical problem and telling people to upgrade urgently. Did they? Nope. The announcement is buried in the small print at http://www.openssh.com/security.html in weaselly negative-speak:
"OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: SSH-1 Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR Bindview Advisory CAN-2001-0144. A buffer overflow in the CRC32 compensation attack detector can lead to remote root access. This problem has been fixed in OpenSSH 2.3.0. However, versions prior to 2.3.0 are vulnerable."
He spends his free time looking for minor security holes in the Linux kernel does he? Either he's hoping some security firm will give him a job or he's already being paid by somebody to do it.
Whinging about developers not finding the bugs won't help his case much when many of those developers give their time for free and contribute much more than he does, by actually coding. His hobby, it appears, is floccinaucinihilipilification. Finding a couple of minor holes hardly justifies all the crowing he's doing. From the way he's gobbing off you'd think he'd single-handedly fixed several major holes, whereas all he's done is discovered a couple of minor ones.
Time, I think, that he got himself a sense of perspective - a little lesson of "world big, you tiny" is required.
"However, the fact that an *independent* developer was able to find the bug by reviewing the source code is something that could not have happened with either Windows or OSX."
Not the case. OSX is open source except for desktop cosmetics. One of my work colleagues put a Windows source CD on my desk, made available under Microsoft's "Shared Source" program. I haven't read it, because I don't want Microsoft suing me for copyright or patent infringement if I contribute anything they consider similar to an open source program. To sell Windows to government and security sensitive environments, MS wouldn't make these sales without disclosing source. So Windows users are not protected from code review because of Microsoft's inability to keep source code in house.
This gets worse, because black hats who have no intention of contributing to open source have access to Windows source code and white hats, who also technically have access, for reasons given above are unlikely to want to read it unless paid by employers with very large security budgets specifically to do so.
The world needs a new OS.
Not a new version of Windows, MacOS, Linux, Unix, OpenVMS, OS400, zOS, or anything else.
It needs a new OS built from the ground up to be fundamentally secure. Written from scratch, without worrying about end features and groovy interfaces. Start with the very basics and build it up. If everything at lower levels is secure, there's no reason everything added can't be secure.
Why not? Expensive.
And I bet it still has bugs and holes!
What most of the people bouncing up and down and pointing "you're insecure" fingers at Linux fail to realise is the nature of this exploit.
It's a local root exploit: that is you have to be running code on the machine in order to take advantage of the problem.
How do you do that? Well, you persuade someone to download and run some malware on the machine. Good luck with that, it's not impossible but I'm sure you'll find some gullible idiot somewhere on the net. On the other hand, that gullible idiot is likely to fall for more overt trickery (eg don't use two-factor authentication, it's not secure because you don't need a password).
Server admins aren't in any particular hurry to patch local root exploits because the unwashed masses aren't allowed anywhere near the machine ....
You Linux fanboys make me laugh. Well, you would if you weren't so sad.
You forever moan about windows running in admin mode, yet when it comes to linux you write:
"Did i read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."
You laugh whenever there is a windows exploit, yet when it comes to Linux, you write:
"Honestly folks, the fact that there's a bug in the Linux Kernel does not surprise me - *any* program big enough to be useful is big enough to have bugs."
This is why people in the real world don't take you seriously.
Anyway, is Linux still alive? I thought everyone moved to BSD a long time ago....
I love the LINUX fanboi's response to LINUX problems like this. Rational, reasonable, stating sensible facts, and mitigations thereof.
The very same people who scream like little girls about Microsoft doing anything similar, as if the greatest offence in the history of mankind had been committed and is completely unforgivable.
Software development is one of the most complex tasks mankind has ever undertaken; there will always be vulnerabilities in code, so stop being arses thinking your precious little hobbyist operating systems are any different.
Blinkered, idiotic losers. You really are.
"What's the formal name for this logical fallacy ? I've heard it referred to as "The Golf Course Fallacy", as in 'what's so special about the blade of grass my ball landed on', but I don't think that is correct."
I don't think it is any of the accepted "logical fallacies". I usually call it a "selection effect" (and wikipedia calls it a "selection bias"). I suppose it might be a "post hoc ergo propter hoc" thing, but it really ought to have a name, suitably dripping in ridicule, because it happens far too often IMHO. How about "placing your bet after the end of the race"?
Secure OS? Well, it would work with just a secure kernel, really, as long as modules like drivers run in a less-privileged layer and there are sufficient monitoring functions in said secure kernel.
Aussie boffins are already on the way to doing that:
http://www.theregister.co.uk/2009/08/17/secure_kernel/
"You forever moan about windows running in admin mode, yet when it comes to linux you write:
Did I read right? This is a local exploit. Therefore the hacker needs to be actually at your computer? In that case not too big an issue."
The reason they say that is because of the extra difficulty to remotely exploit Linux when compared to Microsoft operating systems. See Metasploit.org for details.
"As root type "sysctl vm.mmap_min_addr". If the result is 4096, the problem has been dealt with. If it is 0, read the man page for "sysctl.conf"."
Ah yes, no problem. Obvious to anyone really. You just have to sparkelate your griblets and verify that the munxing mask has a value of 37. It goes without saying that you use the dhyef.fgrtty utility to fix it.
Sigh.
The bug itself is just one of those things that happens sometimes (and apparently less often with Linux than Windows) but the above quote is why Linux will never win against Windows in the home environment. In a server environment it's tolerable to have esoteric commands and config files and reasonable to expect administrators to know how to use them. Back in the real world where 90% of computers operate it isn't.
In fact I'd go further and say that that kind of thing is a potential Achilles heel for Linux. 'Security through obscurity' never was very effective, but 'obscure security configuration' is worse.