Critical Security Hole in Linux Wi-Fi
thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."
← Back to Stories (view on slashdot.org)
So here is a Linux driver problem, a patch is available, though not widely dispersed. The news here is that even in a largely neglected (though it shouldn't be) slice of the Open Source technology, specifically the deadly difficult wi-fi landscape, bugs are found and fixed right away (at least that's the gist of part of the article).
I'm more afraid of the neglected patches MSFT deems behind closed doors as not important enough to reveal to the public. How many zero-day exploits is MSFT discussing behind those closed doors right now, and what are they deciding about the fate of security to my machines?
I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.
(It doesn't seem to fix the other problem... I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore... If I want wireless linux on a laptop, I'm doing via Vmware's bridge. It shouldn't be like this.)
It's interesting that people start talking about Microsoft right away in reaction to this hole, as if the only thing that matters here is how this flaw relates to Microsoft.
What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.
I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.
Great.. I guess I'd rather have the Linux World where there aren't any serious problems to begin with. The larger picture here is that computer security kinda sucks, not that Microsoft is better/worse at it than Linux is.
I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore
Huh. I've had very good luck recently with Ubuntu. The built in wifi in my laptop worked out of the box with Ubuntu, and two other cards I own worked as well.
It hasn't always been like this of course. A couple years ago WiFi support was extremely lacking.
AccountKiller
You are overlooking the way that most Joe Linux users get their updates - automatically. When security flaws are found and patches are delivered, you can guarantee that the people who package that software at Redhat, Ubuntu, Debian and other major distributions are aware of the update. Those security patches will be tested and rolled out into the main update repositories, probably within 24 hours to all the mirrors worldwide. The automatic update daemon on Joe User's modern Linux distro will be downloading the update within the next 24 hours or sooner. From security patch being announced to patched home computer in 48 hours in the worst-case scenario.
One of the nicest things about the distro's automatic updates is that this applies to ALL packages in the distro. I don't need to worry about Apache needing it's own updater. So no - the average Joe running Linux does not suffer - he gets informed about the update or even has it applied without manual intervention depending on the settings. Joe benefits and so does the community who recognise that fixing security flaws promptly is key.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Sorry chap, people start bashing on linux (and its users) as soon as any kind of vulnerability is found.
In this case, the vulnerability is in a 3rd party driver and not in the kernel itself. Nevertheless the not-so-techie reader just reads "Linux vulnerability".
Btw. Dont forget that the public is used to hear about Windows vulnerabilities, they dont notice them anymore.
Delta-Mike November Bravo Tango
I see this "X language is magically secure" stuff all the time. No, it isn't. The fact that your language is higher-level does not make it more secure. Look at PHP. It's horrible, far worse than C.
Or perhaps you prefer Java, and think that running your code in a VM is a silver bullet. Think again. If you want that code to actually do anything, you're going to have to give it access to the outside world. Your web app can still let people do things they shouldn't. Security is not just about buffer overflows and SQL injection; it's about anything that could let someone get access they shouldn't have. Which can happen from plain old bad logic.
Admittedly, it is easy to make mistakes with C. But C is pretty much the only thing to write a kernel in. In a device driver, you have to mess around with real memory, and real IO, and that sort of thing. More importantly, C is old enough so that its common security mistakes are already known. You'd have a much harder time with some random language.
Basically, a "secure" language is not one that prevents you from doing things you shouldn't. What you want is a language that makes it easier to write secure code than to write insecure code.
It's a much more complex problem than simply using 'safe' functions. People don't always put the correct size into the size field, and there are entire classes of exploits, e.g. format string vulnerabilities, that don't use the traditional buffer overflow mechanism at all.
I've heard that the BSD folks have a saying that a bug is just an attack nobody has the intelligence to turn into an exploit yet. I take it you've never written code that crashes?
We've upped our standards. Up yours.
It doesn't seem like a campaign to me. From my vantage point (obsessively neutral about tools) it looks like insecurity masquerading as a big community hug and wank session.
People who are secure in the choices they've made don't need to trumpet them all over the place. In particular, they don't segue any possible (tenuous) link into a rant about the superiority of their choice.
Slashdot - where whining about luck is the new way to make the world you want.
Wireless works by default on my box with Ubuntu. XP+vista both require a driver download.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.