  1. #1
    Linux Newbie SagaciousKJB's Avatar
    Join Date
    Aug 2007
    Location
    Yakima, WA
    Posts
    162

    New NULL pointer exploit anything to worry about...

    I'm sure mostly everyone has heard about the new NULL pointer exploit found in all kernel versions going back to 2001: Slashdot Linux Story | Local Privilege Escalation On All Linux Kernels

    The question I have is how system administrators, security experts and average end users feel about this.

    As an end user I'm not worried at all. In fact I've already got plans to simply patch the kernel I'm using; even if a user wasn't savvy enough to do that, I suspect patches to vendor kernels are probably in the lineup already. So I don't think that it's really a big deal in user land.

    However what about for system administrators? Is it going to be painful at all for those that have to patch an older version of the kernel? I mean, will they be able to distribute a patch that will work for all versions of the kernel, or will each release need to have its own patch developed beforehand?

    The security side of it is rather interesting too. I don't want to revive any OpenBSD vs Linux arguments or assert that Linux is insecure; but do you think this seriously diminishes the quality of Linux or its reputation? I mean, there was already one NULL pointer exploit out a few months ago, and now one that is a problem extending back 8 years of Linux kernels. It has to make people wonder, "What else is just lying there waiting for people to be discovered?"

    I mean, one of my concerns given Open Source has always been: What if someone examines the code, finds an exploit, and saves it to his or herself without notifying the community. Well I've always been assured that there's so much peer review of Linux that a vulnerability like that would be noticed. Obviously my position is: If this one went undiscovered for 8 years, what's to stop there being a slew of other vulnerabilities that are long-standing and undiscovered, and even more frightening is what happens when a hacker or anyone with malicious intent discovers them before security researchers.

    I still think that the Open Source model is more secure than a proprietary one, but to me it always has seemed like an issue proponents of it have pooh-poohed, staying firm to the belief that almost every security flaw will be caught quickly, and the ones that don't are inconsequential because of patching, etc. etc.

    Anyway, it's very interesting to me because I've not been using Linux for more than a few years, and this is the first exploit that has some real "staying" power to it. Even after vendors have patched their distributions, I know of so many machines that would not be patched because their users don't update them. Other exploits, particularly local privilege exploits, have never really had as broad of an application base as this one has had. The VMSplice exploit, for example, affected a pretty large number of releases of the 2.6 branch and I still find machines I can use it on; now this one extends from 2.4 to the current 2.6 branch.

    I wonder how hard it will be to find out-of-date distributions in a few months with a new kernel release and perhaps a new distribution release from vendors. I mean, how common is it now to find machines that haven't been updated and are still vulnerable to certain exploits? Not all that common from what I've seen. Will the fact that it affects a much greater number of releases really affect that?

  2. #2
    Linux Engineer GNU-Fan's Avatar
    Join Date
    Mar 2008
    Posts
    935
    Hello,

    as far as I know these "local user can get root access" have been quite common. There is a lemma for server administrators that goes like "When a cracker gained unauthorized entrance as user on your machine, you lost it."

    As you pointed out yourself, most local exploits were actually flaws in userland applications running as root, and therefore much more distro-specific. What is new is that this flaw applies to such a wide range of installations.

    "I mean, one of my concerns given Open Source has always been: What if someone examines the code, finds an exploit, and saves it to his or herself without notifying the community."

    Doesn't this apply to any program, be it in source or compiled form?

    "Well I've always been assured that there's so much peer review of Linux that a vulnerability like that would be noticed. Obviously my position is: If this one went undiscovered for 8 years, what's to stop there being a slew of other vulnerabilities that are long-standing and undiscovered, and even more frightening is what happens when a hacker or anyone with malicious intent discovers them before security researchers."

    These things happen of course. I try to keep suspicious and curious about what my computer does. For example, is there network traffic through my router when there shouldn't be? It's the best solution I can think of, as total safety from security risks is utopian in my POV. Don't be careless, but also try not to worry too much about what-ifs.
    Debian GNU/Linux -- You know you want it.
