Slashdot Mirror

← Back to Stories (view on slashdot.org)

Homeland Security Uncovers Critical Flaw in X11

Posted by ryuzaki0 on from the nice-catch dept.

Amy's Robot writes "An open-source security audit program funded by the U.S. Department of Homeland Security has flagged a critical vulnerability in the X Window System (X11) which is used in Unix and Linux systems. A missing parentheses in a bit of code is to blame. The error can grant a user root access, and was discovered using an automated code-scanning tool." While serious, the flaw has already been corrected.

5 of 517 comments (clear)

  1. Re:Related news by PlusFiveTroll · · Score: 4, Interesting

    Should this be modded funny or sad?

  2. Missing the point..... by TheDukePatio · · Score: 5, Interesting
    I see a ton of comments mod'd Funny, but what I'm surprised folks haven't focused on yet is the fact that it was found in OSS. The reason they're able to find, report, and get it fixed in a week is the fact that it's OSS. It's understandable that the DoHS is going to want to do a security audit on things like this.

    I wonder how many potential security holes Coverity's uncovered by scanning Windows source....oh wait....they can't. Well I'm sure if they signed an NDA they could tell M$ and get it fixed in a....um...err...sorry, you'll have to wait for the next patch cycle.

    --
    To Alcohol! The cause of, and solution to, all of life's problems.
    1. Re:Missing the point..... by ipfwadm · · Score: 4, Interesting

      On the other hand, because its OSS now all of the machines that remain unpatched have an exploit that is not only known, but but publicized by the developer, with diffs showing *exactly* what line of code the error is on.

      While I hate to sound like all the other OSS apologists that have posted so far ("yeah there's an exploit, but think of how many we could find if we could run it on the Windows source!" and other such tripe that ignores the fact that a serious bug was found in OSS software), your argument is a bunch of crap. You're basically saying that exploits in closed-source software are unknown and unpublicized, which is ridiculous.

      As for your Apache example, it would be just as simple to see what version of IIS a machine is running and look through MS KB to find the known exploits against it. Or look at bugtraq. Or anywhere else on the Internet. Just because the source is a secret doesn't mean the details of the available exploits are too.

      Oh and knowing the line of source code on which that the error exists is entirely irrelevant to the discussion -- having that knowledge doesn't make using an exploit any easier or more difficult. It may assist in developing new exploits, but when attempting to use one that has been found, that knowledge is superfluous.

  3. Re:OpenBSD fixed on Jan. 21, 2000 by Nutria · · Score: 5, Interesting
    "Look! I wrote an entire function (it was C) in one line!" He did, too. It was one of those 'for' loops with a 'while' and a bunch of things in one line. It was impossible to read.

    That reminds me of the Kernighan quote, which I heartily agree with:
    "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it."


    --
    "I don't know, therefore Aliens" Wafflebox1
  4. Critique... by jd · · Score: 4, Interesting
    1. Knowing the line won't help you figure out the exploit
    2. Whether anyone tells you about a bug or not, you're always capable of scanning source - or even binaries - in search of unknown exploits
    3. You knowing about a bug doesn't alter the odds of "Them" knowing about a bug - it only alters the odds of you fixing it
    4. X11 bugs are rarely externally exploitable, as not many people run X sessions over the public internet and therefore those ports will be blocked at the corporate (or personal) firewall
    5. The mathematical model of conflict ("Game Theory") only has a solution (ie: win no matter what the opponent does) when both sides know absolutely everything, ergo the only way to establish a sane IT security policy is to assume the attacker knows all the defects and exploits that exist, whether they are published or not


    That last one makes things tough. How can you have security when everything is known? Well, in practice that is the only context security is even possible. "Security through obscurity" really means "we don't know what our opponents know and we're not even sure what we know". If, however, you assume that your opponents know everything then you don't take shortcuts. You plan for contingencies, you have fallback positions, you have not just a plan but a roadmap of possibilities and how to deal with them.


    (At least, for any scenario too complex to actually have a complete solution for. For simpler problems, such as a chess puzzle or - for the past decade - the entire game of draughts, it is possible to map a complete, guaranteed winning strategy that will work no matter what the opponent does. Such a solution exists for the complete game of Chess and indeed for the complete game of Go, but has not yet been found. For any given computer system, such a solution must also exist for the operator/admin, but the chief problem has always been to get them to bother even putting the bits of solution that are known in place.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)