LINUX BLOG SAFARI

A Tale of Two Root Exploits, and Why We Shouldn’t Panic

There’s no denying Linux is more secure than perpetually-patching Windows, but the past month or so has not provided an ideal demonstration.

In August, we saw the arrival of a long-overdue fix for a kernel bug that was six years old; now, in the last week or so, it’s been not one but two root exploits causing a fuss.

“Running 64-bit Linux? Haven’t updated yet? You’re probably being rooted as I type this,” was the introduction on Slashdot to CVE-2010-3081, the second such vulnerability to come to light in recent days.

Preceding it by just a few of those days, of course, was CVE-2010-3301, which had actually been discovered and fixed back in 2007 before the patch was inexplicably removed again the very next year, reintroducing the vulnerability.

Put it all together, and you’ll see why more than a few Linux bloggers have been scratching their heads about security.

A Matter of Size?

“Perhaps the kernel’s size is becoming too unwieldy,” suggested Anonymous Coward on the Slashdot discussion of CVE-2010-3301, for example. “I mean this is what, the third ‘reverted’ security patch we’ve heard about in the recent past that needed replacement?

“Maybe it’s time to separate out core kernel code and the arch specific stuff into separate modules with separate administration,” Anonymous Coward added. “Git would make this easy, so why aren’t we seeing it done?”

On the other hand, “I thought only windows got exploited this way….,” wrote drinking12many, referring to CVE-2010-3081. “Oh thats right All OS’s do.”

‘You Are Probably NOT Being Rooted’

Then again: “Linux sucks, but it sucks a lot less than Windows,” countered Runaway1956. “I mean, the ‘fix’ is already out.”

Alternatively, “you are probably NOT being rooted even as you read this,” asserted Barbara Hudson, a blogger on Slashdot who goes by “Tom” on the site. “Every ksplice story slashdot has carried has turned out to be no big deal. I’m going to ignore it, based on their previous performance.”

So, should Linux users be worried? Is the bug invasion upon us? Linux Girl took to the streets of the blogosphere for more insight.

‘The Article Is Alarmist’

“Of course it’s worrisome,” said Chris Travers, a Slashdot blogger who works on the LedgerSMB project. “But all software has occasional security problems, and it will be fixed.

“I don’t see a major reason to be overly worried about this bug in particular,” Travers told Linux Girl. “If one follows good security practices, the exposure is minimized.”

Indeed, “the article is alarmist,” Hudson agreed. “It was ONE shared-hosting public-facing server at iWeb.com, among their tens of thousands of servers.

“Are you running a publicly-facing shared-host server? No? Then don’t worry about it, and when your distro comes out with a new kernel, just update,” Hudson recommended.

‘Bad Month for Linux’

Such problems “inevitably creep in, but it was a learning experience to find them return after being fixed once,” blogger Robert Pogson said. “Perhaps some kind of cross-reference on changelogs might prevent a recurrence.”

Still, “we get one every few years — that other OS gets one a month,” Pogson pointed out. “The Linux boys and girls can do better, but M$ will never catch them without a major rewrite.

“I updated a few key machines ASAP in GNU /Linux,” he added. “I have lost many nights’ sleep with that other OS.”

It has been a “bad month for Linux,” agreed Montreal consultant and Slashdot blogger Gerhard Mack. “Hopefully someone has learned from this.”

‘Magical Thinking’

Ultimately, “Linux getting rooted just shows what I have been saying all along: There is NO operating system that can’t be hacked, be it windows, Linux or OSX,” Slashdot blogger hairyfeet told Linux Girl.

“Linux guys saying it can’t be hacked is a classic case of ‘magical thinking’ and doomed to fail,” hairyfeet explained. “Magical thinking is when you say, ‘because we have product x we are safe!’–and it never works.”

Not just reserved for operating systems like Linux, such “magical thinking” can be applied to firewalls or authentication servers, “or even crazy length passwords or gluing USB ports shut,” hairyfeet noted.

‘That Is Hard Work’

“In the end, however, “the ONLY way to secure a network is a top to bottom approach, with everything running on least permissions principles and nothing getting net access that doesn’t require it,” concluded hairyfeet. “Sadly, that is hard work and requires dedication.

“It is an OS, folks — millions of lines of code. It isn’t a ball club; no need for fanboys here,” hairyfeet added. “Just because you root for Linux doesn’t mean it can’t be rooted.”

2 Comments

  • hairyfeet wrote:"Just because you root for Linux doesn’t mean it can’t be rooted"

    Because we use GNU/Linux we have the power to do something about vulnerabilities. With that other OS we cannot examine or modify the code and so are powerless except to pull the plug. I have worked in places that used that other OS that did that when the big waves of worms hit. They disconnected their routers from the Internet. With GNU/Linux we have many more options and the diversity of our environment makes the target smaller for intruders. I run four different kernels in my place. With that other OS we would have the same one for every machine.

    Further with that other OS only M$ can fix the vulnerabilities. With GNU/Linux anyone can fix them. I am a big fan of GNU/Linux because it works for IT.

    • First of all, don’t be "that" guy, okay? You could have just written the definitive treatise on security, but when you use that tired old M$ junk you come off as a troll, no different than the "linux suxorz" or the "Macfag" troll, and since it is obvious from the rest of your post you are not a troll, lets try to keep discussion civil, okay?

      As for that otherOS, I hate to tell you but you are falling for "magical thinking" which is where "product X will save us!" which is a lie. Security has NOTHING to do with the OS, unless you are just lazy and don’t bother and are expecting to have the OS do the work.

      The ONLY way to secure a network is just as a said, a top to bottom least permissions approach. I have done that many a time with that "OtherOS" as you call it and my networks weathered the worms just fine, thanks. If your network admin does his job there is no need for "magical thinking" as ANY OS can be secured, it simply takes proper planning, which one should do on any network.

      And finally please give that old "we have the power" a rest will ya? Are you REALLY capable of rewriting an OS kernel to remove say… a USB exploit caused by a bad memory pointer? Have you REALLY gone over the 1.2 million or so LOC that make up the OS you are using? Just because you have access to it doesn’t magically give you "mad skillz" anymore than having a GPU makes me the head of Pixar. See the 6 year old x server bug for proof that "more eyes make bugs shallow" is BS.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

How important is social media to the success of your business?
Loading ... Loading ...

LinuxInsider Channels