Open Source Momentum…. Not So Fast….

Tuesday, August 25th, 2009

In a classic case of ‘two steps forward, one step back’, just after Microsoft contributed 22,000 lines of source code and, to some extent, ‘validated’ the open source community, a couple of researchers found a serious security hole that has been present in the Linux kernel for, get this, wait for it… 8 YEARS.

This latest bug involves how the kernel behaves when kernel-level routines are left unimplemented. Because those routines were never filled in, the kernel ends up executing code at NULL (address zero), which leaves the operating system open to local privilege escalation and complete compromise of the system.

This is the second time in less than a month that a serious security vulnerability has been reported in the Linux kernel. The first, in mid-July, described a similar NULL pointer dereference bug that put newer versions at risk of complete compromise.

The scope of systems affected by this latest bug is all 2.4 and 2.6 kernel versions since May 2001 running on the Intel platform.
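To make the bug class concrete, here is a small added illustration (my own example, not the kernel's code and not from the original post) of how an operations table with an unimplemented routine turns into a call through a NULL function pointer, next to the two defensive patterns that prevent it: checking the slot before calling through it, and auditing or filling the table at registration time. The `proto_ops` struct, the `demo_*`/`no_*` stubs and the protocol tables are all invented for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Invented operations table, modelled on the kernel habit of dispatching
 * through tables of function pointers. Not the kernel's own struct. */
struct proto_ops {
    int (*sendpage)(int fd, const char *buf, size_t len);
    int (*recvmsg)(int fd, char *buf, size_t len);
};

/* Trivial "implemented" callbacks for the demo: report bytes handled. */
static int demo_sendpage(int fd, const char *buf, size_t len)
{
    (void)fd; (void)buf;
    return (int)len;
}

static int demo_recvmsg(int fd, char *buf, size_t len)
{
    (void)fd; (void)buf;
    return (int)len;
}

/* Safe stubs used to fill slots a protocol chose not to implement. */
static int no_sendpage(int fd, const char *buf, size_t len)
{
    (void)fd; (void)buf; (void)len;
    return -EOPNOTSUPP;
}

static int no_recvmsg(int fd, char *buf, size_t len)
{
    (void)fd; (void)buf; (void)len;
    return -EOPNOTSUPP;
}

/* Fully implemented protocol table (constructed). */
static const struct proto_ops full_ops = {
    .sendpage = demo_sendpage,
    .recvmsg  = demo_recvmsg,
};

/* Partially implemented protocol table (constructed): sendpage was never
 * filled in, so the slot is NULL. This is the shape of the bug class. */
static const struct proto_ops partial_ops = {
    .sendpage = NULL,
    .recvmsg  = demo_recvmsg,
};

/* VULNERABLE pattern: the dispatcher trusts the table. With partial_ops this
 * is a call through a NULL function pointer, i.e. a jump to address zero.
 * Shown for comparison only; deliberately never called in this program. */
int dispatch_unchecked(const struct proto_ops *ops, int fd,
                       const char *buf, size_t len)
{
    return ops->sendpage(fd, buf, len);
}

/* HARDENED pattern 1: check the slot before calling through it. */
static int dispatch_checked(const struct proto_ops *ops, int fd,
                            const char *buf, size_t len)
{
    if (ops->sendpage == NULL)
        return -EOPNOTSUPP;     /* report "unimplemented", don't crash */
    return ops->sendpage(fd, buf, len);
}

/* HARDENED pattern 2a: audit a table and return the number of NULL slots,
 * so a missing implementation is caught at registration, not at first use. */
static int audit_ops(const struct proto_ops *ops)
{
    int missing = 0;
    if (ops->sendpage == NULL) missing++;
    if (ops->recvmsg == NULL)  missing++;
    return missing;
}

/* HARDENED pattern 2b: registration helper that substitutes a safe stub
 * for every NULL slot, so no caller can ever reach address zero. */
static struct proto_ops register_ops(struct proto_ops ops)
{
    if (ops.sendpage == NULL) ops.sendpage = no_sendpage;
    if (ops.recvmsg == NULL)  ops.recvmsg  = no_recvmsg;
    return ops;
}

/* Convenience: what a caller sees after partial_ops has been registered. */
static int dispatch_after_register(void)
{
    struct proto_ops fixed = register_ops(partial_ops);
    return dispatch_checked(&fixed, 3, "abc", 3);
}

int main(void)
{
    const char msg[] = "abc";   /* constructed sample payload */
    printf("full_ops    missing slots: %d\n", audit_ops(&full_ops));
    printf("partial_ops missing slots: %d\n", audit_ops(&partial_ops));
    printf("checked dispatch, full:    %d\n", dispatch_checked(&full_ops, 3, msg, 3));
    printf("checked dispatch, partial: %d (-EOPNOTSUPP)\n", dispatch_checked(&partial_ops, 3, msg, 3));
    printf("after register_ops:        %d (-EOPNOTSUPP)\n", dispatch_after_register());
    return 0;
}
```

The point for a reviewer or tester is that `audit_ops` run over every registered table at boot would have flagged the empty slot long before any user-space code could reach it, and `register_ops` removes the hazard entirely by never leaving a NULL behind; the unchecked dispatcher is kept only to show what the defective code path looks like.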

I feel these two occurrences should prompt questions from users of Open Source software.  For example: 

1) What is the current testing process?  It seems regression testing back in May 2001 was not completed at all or not thorough enough. 

2) Going forward, how can we feel safer regarding kernel updates?

3) Since SELinux did not catch it, is there a problem with Security-Enhanced Linux?

4) Is there any way we can get a report on the number of systems that were affected? And at what level?

I think there are two upsides to these vulnerabilities: this should be a wake-up call for the testing process, and it points out that even though the software is open source and free, using a professional and proactive vendor will help mitigate your risk.

Talk to you later,

TASCer

Open Source – Gaining Momentum

Thursday, July 23rd, 2009

On Monday, the 20th of July, Microsoft submitted 22,000 lines of source code under the GPLv2 license, which will allow four (4) drivers to be added to the Linux kernel. These drivers will enable any Linux distribution to run on Windows Server 2008 and its Hyper-V technology.

While this may seem like a decisive victory for the Open Source community, one might ask: “Why would Microsoft do such a thing?”

This is a very valid question because historically, Microsoft and the Open Source community have been at odds, to say the least.

My reasoning for Microsoft to make such a bold move is as follows:

- Ensures Microsoft is still an important piece of the virtualization and infrastructure equation

- Shows that they, as a company, are willing to adapt and help companies using hybrid solutions (dare I say altruism?)

- A strategic move to help cut into VMware’s market share

- Assist in maintaining server revenue streams

I personally feel that this is a good move and one that should have happened a while ago. I guess ‘better late than never’ is an appropriate adage.

It should be interesting to see how it all pans out, and I hope the 22,000 lines of code were meticulously tested and re-tested.

‘Til next time…