Welcome to WebmasterWorld Guest from 23.20.79.227

Forum Moderators: bakedjake

Message Too Old, No Replies

Six Year Old Critical Bug In Linux Silently Patched

     
1:56 pm on Aug 20, 2010 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:23054
votes: 332


Six Year Old Critical Bug In Linux Silently Patched [networkworld.com]
The Linux kernel folks "silently" pushed out a patch for a critical privilege escalation bug this week. It was for a hole that could allow an attacker to execute code at the root level from any GUI application. The patch took two months after the flaw was reported on June 17, researchers says. SUSE engineers claim they originally found it, reported it and patched it in SUSE way back in September, 2004, says the security blog The H. But the SUSE patch never made its way into the kernel at that time.
2:51 pm on Aug 20, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5069
votes: 12


lol. That's funny on a couple of levels.

1) replace the word 'linux' with 'windows'
2) repost the article in a linux forum
3) stand back!
4:40 pm on Aug 20, 2010 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2889
votes: 5


When Microsoft issues a security patch, potential hackers have to disassemble the binary code and try to find the hole that patch fixed. With Linux it is much easier. You just download the kernel source code versions from just before and after the patch release. A source code comparison will exactly tell you which problem was present in the kernel.

Everyone with basic programming knowledge can do that. We will probably see a massive attack on unpatched Linux systems in the coming period.
5:02 pm on Aug 20, 2010 (gmt 0)

New User

5+ Year Member

joined:June 13, 2010
posts:36
votes: 0


lammert - It actually wasn't terribly silent nor hard to spot. Ubuntu this morning offered me "Important security updates", and clicking the Details button showed there were several kernel fixes to stack memory handling. That sounds like the bug which was described.

Of course, with Windows we'd be waiting for a corporation to consider blessing us with a fix because there's no stable option for users to contribute and distribute fixes.
6:08 pm on Aug 20, 2010 (gmt 0)

Junior Member

10+ Year Member

joined:July 4, 2004
posts:103
votes: 0


Oh, the sweet irony.
6:18 pm on Aug 20, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


I just did a YUM UPDATE KERNEL and the latest version was kernel.i686 0:2.6.18-194.11.1.el5

The kernel org says the bug has now been addressed in versions 2.6.27.52, 2.6.32.19, 2.6.34.4 and 2.6.35.2 of the kernel. It is now up to the distro makers to push the fix out to their users.


But over at Kernel.org they say 2.6.35.2 is the latest stable kernel.

I guess we will have to wait for Centos distro folks to catch up.
9:27 pm on Aug 20, 2010 (gmt 0)

Preferred Member

5+ Year Member

joined:June 15, 2007
posts:413
votes: 13


what does this do to the live linux CD's I have sitting around?
12:57 am on Aug 21, 2010 (gmt 0)

Junior Member

5+ Year Member

joined:Oct 3, 2008
posts:96
votes: 0


Wait, people actually use GUI applications on Linux?
3:33 am on Aug 23, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 2002
posts:737
votes: 8


There have been recent MS Windows 7 bugs fixed that were found to exist as far back as Windows 95.

Some IE6 bugs that have been on the books since it released in 2001 were fixed in 2009 too!

My second point is that hackers are getting better at finding exploits that the programmers hadn't thought of safeguarding against back in the day.
9:57 am on Aug 25, 2010 (gmt 0)

Senior Member from LK 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2501
votes: 30


@lammert, I doubt that there will be a massive attack because exploiting this requires either a locally installed malicious or compromised GUI app. Someone that far into the system can already do a lot of damage.
6:30 am on Nov 27, 2010 (gmt 0)

New User

5+ Year Member

joined:Nov 25, 2010
posts:22
votes: 0


I think Microsoft justifies patching bugs years later by calling them "Undocumented Features" until they come up with a fix..