New Zero-Day Flaw Hits Millions Of Linux Servers

HardOCP News

All you alternative OS types out there should read this. Android users should probably pay attention too. :(

A new, previously undiscovered flaw that allows an attacker to escalate local user privileges to the highest "root" level is said to hit "tens of millions" of Linux PCs and servers. Because some of the code is shared, the zero-day flaw also affects more than two-thirds of all Android devices.
 
Read somewhere that to exploit someone would need access to a local account on the machine, which means you probably already failed anyway. Also, if you go to the actual Github page with the POC there are a lot of comments from people who are saying the best they see on a desktop is a terminal but without any special privileges.

But hey, something to cause panic makes a good headline right?
 
I'm sure all software has bugs. It's how fast the companies patch it that is the main issue.
 
But, I thought Linux didn't have security issues because open source and stuff?
 
But, I thought Linux didn't have security issues because open source and stuff?

No Linux user claims that, and if they do they are stupid. At best it's MORE secure because of "open source and stuff", and this is a perfect example of that. Someone found an issue, a fix was made and deployed.

That's the definition of how open source works.

Contrast that with Windows. If a security issue is found we don't know the exact code that causes the problem, so the best you can do is contact Microsoft with the issue (not with a patch/fix), and then wait for them to issue the fix. And then, you can never be sure that they issued a general fix that addressed the issue, or simply pulled a Volkswagen and "fixed" the issue by hiding from your testing.

And if your distro is slow to patch things, you can patch it yourself. Admittedly this is a last resort thing, but it's better than the alternative. Do you think there are any reported bugs in Windows/OSX that are just ignored and never fixed? Do you have any way to resolve that yourself?

tl;dr - Linux isn't just magically secure because open source, it's secure because people find flaws and resolve them.
 
All non-trivial software has bugs. Period. One can debate the number and severity between various systems but this is just CS 101.

You and I know that, but sometimes it seems like certain *nix users (as well as OS X users) don't (or didn't).

The first major attack that I remember was on *nix, in the mid 90s, which took down much of the backbone. Can't remember what the attack was, but it was an exploit that had been patched long before the attack.
 
No Linux user claims that, and if they do they are stupid. At best it's MORE secure because of "open source and stuff", and this is a perfect example of that. Someone found an issue, a fix was made and deployed.

That's the definition of how open source works.

Contrast that with Windows. If a security issue is found we don't know the exact code that causes the problem, so the best you can do is contact Microsoft with the issue (not with a patch/fix), and then wait for them to issue the fix. And then, you can never be sure that they issued a general fix that addressed the issue, or simply pulled a Volkswagen and "fixed" the issue by hiding from your testing.

And if your distro is slow to patch things, you can patch it yourself. Admittedly this is a last resort thing, but it's better than the alternative. Do you think there are any reported bugs in Windows/OSX that are just ignored and never fixed? Do you have any way to resolve that yourself?

tl;dr - Linux isn't just magically secure because open source, it's secure because people find flaws and resolve them.

Yes. I was sarcasming ;)
 
All non-trivial software has bugs. Period. One can debate the number and severity between various systems but this is just CS 101.

Exactly, and in the case of Linux, this is already patched by the time I read the article as opposed to waiting until next patch Tuesday (Microsoft) or next major OS release in 9 months (Apple)...

The tricky part will be Android devices; as we know, OEMs and carriers are not exactly religious about providing updates on their phones...
 
You and I know that, but sometimes it seems like certain *nix users (as well as OS X users) don't (or didn't).

The first major attack that I remember was on *nix, in the mid 90s, which took down much of the backbone. Can't remember what the attack was, but it was an exploit that had been patched long before the attack.

The first widespread virus attack I remember was in the late 80s I believe; it was Unix based, that's really all there was at the time, especially networked, and Windows was pretty minor at the time. And yeah, that's one thing that often gets missed as well. One of the most devastating Windows attacks of all time, Code Red, had been patched months prior. Zero days are obviously really bad, but the vast majority of malware leverages bugs and issues that have been fixed.
 
Zarathustra[H];1042094547 said:
Exactly, and in the case of Linux, this is already patched by the time I read the article as opposed to waiting until next patch Tuesday (Microsoft) or next major OS release in 9 months (Apple)...

The tricky part will be Android devices; as we know, OEMs and carriers are not exactly religious about providing updates on their phones...

Lol, most Android phone owners never get a single update to their phone. They're left on the dry.
 
The first widespread virus attack I remember was in the late 80s I believe; it was Unix based, that's really all there was at the time, especially networked, and Windows was pretty minor at the time. And yeah, that's one thing that often gets missed as well. One of the most devastating Windows attacks of all time, Code Red, had been patched months prior. Zero days are obviously really bad, but the vast majority of malware leverages bugs and issues that have been fixed.

Which is why the Windows 10 mandatory updates make sense...

...as long as those updates aren't abused by Microsoft to shove "features" people don't want down their throats...

If I designed an OS, I would design it such that once a new security exploit was discovered, the network would only allow contact with the update server until it was installed and resolved, preventing its further spread.
 
Zarathustra[H];1042094547 said:
Exactly, and in the case of Linux, this is already patched by the time I read the article as opposed to waiting until next patch Tuesday (Microsoft) or next major OS release in 9 months (Apple)...

The tricky part will be Android devices; as we know, OEMs and carriers are not exactly religious about providing updates on their phones...

Microsoft will release out-of-band patches from time to time. You are supposed to test these things. I guess this was an issue that was easy to fix, but it's not been fully tested if it was just discovered and fixed.
 
Zarathustra[H];1042094558 said:
If I designed an OS, I would design it such that once a new security exploit was discovered, the network would only allow contact with the update server until it was installed and resolved, preventing its further spread.

NAP, Network Access Protection, can do that. It's optional on your network, but it's Windows based (there is probably a *nix version), and if your AV is not up to date, or a patch is missing, you're only able to reach a specified area - updates, etc.

Linux flaws are nothing new. They get patched very quickly.
 
The first widespread virus attack I remember was in the late 80s I believe; it was Unix based, that's really all there was at the time, especially networked, and Windows was pretty minor at the time. And yeah, that's one thing that often gets missed as well. One of the most devastating Windows attacks of all time, Code Red, had been patched months prior. Zero days are obviously really bad, but the vast majority of malware leverages bugs and issues that have been fixed.

This is true, but that's why we like GNU/Linux so much.
GNU's Not Unix ;)
 
Lots of installed servers will be using older kernels. That is why the number is so low.

3.8 (where the problem was introduced) is pretty old now though.

I can't speak to other distributions as I don't use them, but for Ubuntu let's assume that servers are running LTS releases.

The next LTS release will be 16.04, Xenial Xerus, in April, and will ship with the 4.4 kernel.

The current LTS release is 14.04 Trusty Tahr, which shipped with 3.13 but has since been updated to 3.16 through the enablement stack.

If we go all the way back to 12.04, the previous LTS (and the oldest version still supported), it shipped with the 3.2 kernel but has since been updated to 3.13 through the enablement stack.

In other words, you need to either be running a really old, unsupported distribution, or not be keeping up with your updates, in order to have a pre-3.8 kernel on your server...
 
bu-bu-bu-but, Linux...

I got an update to this within minutes of seeing this headline. Nobody said Linux was immune... just that things get fixed FAST.

Apple often waits months before patching serious zero days.
 
I was also thinking of all the ARM devices out there that have even older kernels. I know my router uses a 2.6 kernel and so does my cable modem.
 
WTF is that thing. I'm pretty sure it should be sentient by now, that's how complex it is.

Managing complexity is a key issue in all non-trivial systems. The more complexity a system can manage, the more it can do. But at some point you have to figure that the only way to build more complex systems is with AI. The programs will write themselves. And I guess that's when Skynet takes over.
 
I was also thinking of all the ARM devices out there that have even older kernels. I know my router uses a 2.6 kernel and so does my cable modem.

The 2.6 kernel is unaffected.

If you read the article, it says the issue was introduced with the 3.8 kernel.
 