The Linux kernel folks "silently" pushed out a patch for a critical privilege escalation bug this week. It was for a hole that could allow an attacker to execute code at the root level from any GUI application. The patch took two months after the flaw was reported on June 17, researchers says. SUSE engineers claim they originally found it, reported it and patched it in SUSE way back in September, 2004, says the security blog The H. But the SUSE patch never made its way into the kernel at that time.
2:51 pm on Aug 20, 2010 (gmt 0)
lol. That's funny on a couple of levels.
1) replace the word 'linux' with 'windows' 2) repost the article in a linux forum 3) stand back!
4:40 pm on Aug 20, 2010 (gmt 0)
When Microsoft issues a security patch, potential hackers have to disassemble the binary code and try to find the hole that patch fixed. With Linux it is much easier. You just download the kernel source code versions from just before and after the patch release. A source code comparison will exactly tell you which problem was present in the kernel.
Everyone with basic programming knowledge can do that. We will probably see a massive attack on unpatched Linux systems in the coming period.
5:02 pm on Aug 20, 2010 (gmt 0)
lammert - It actually wasn't terribly silent nor hard to spot. Ubuntu this morning offered me "Important security updates", and clicking the Details button showed there were several kernel fixes to stack memory handling. That sounds like the bug which was described.
Of course, with Windows we'd be waiting for a corporation to consider blessing us with a fix because there's no stable option for users to contribute and distribute fixes.
6:08 pm on Aug 20, 2010 (gmt 0)
Oh, the sweet irony.
6:18 pm on Aug 20, 2010 (gmt 0)
I just did a YUM UPDATE KERNEL and the latest version was kernel.i686 0:2.6.18-194.11.1.el5
The kernel org says the bug has now been addressed in versions 126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11 of the kernel. It is now up to the distro makers to push the fix out to their users.
But over at Kernel.org they say 18.104.22.168 is the latest stable kernel.
I guess we will have to wait for Centos distro folks to catch up.
9:27 pm on Aug 20, 2010 (gmt 0)
what does this do to the live linux CD's I have sitting around?
12:57 am on Aug 21, 2010 (gmt 0)
Wait, people actually use GUI applications on Linux?
3:33 am on Aug 23, 2010 (gmt 0)
There have been recent MS Windows 7 bugs fixed that were found to exist as far back as Windows 95.
Some IE6 bugs that have been on the books since it released in 2001 were fixed in 2009 too!
My second point is that hackers are getting better at finding exploits that the programmers hadn't thought of safeguarding against back in the day.
9:57 am on Aug 25, 2010 (gmt 0)
@lammert, I doubt that there will be a massive attack because exploiting this requires either a locally installed malicious or compromised GUI app. Someone that far into the system can already do a lot of damage.
6:30 am on Nov 27, 2010 (gmt 0)
I think Microsoft justifies patching bugs years later by calling them "Undocumented Features" until they come up with a fix..