Slashdot Mirror
Critical Security Hole in Linux Wi-Fi
thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."
← Back to Stories (view on slashdot.org)
So here is a Linux driver problem, a patch is available, though not widely dispersed. The news here is that even in a largely neglected (though it shouldn't be) slice of the Open Source technology, specifically the deadly difficult wi-fi landscape, bugs are found and fixed right away (at least that's the gist of part of the article).
I'm more afraid of the neglected patches MSFT deems behind closed doors as not important enough to reveal to the public. How many zero-day exploits is MSFT discussing behind those closed doors right now, and what are they deciding about the fate of security to my machines?
I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.
(It doesn't seem to fix the other problem... I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore... If I want wireless linux on a laptop, I'm doing via Vmware's bridge. It shouldn't be like this.)
It doesn't matter which operating system you use - they all contains buffer overflows. In a way, the consumer is to blame for this. BSD has been whiling with little to no market-share despite the fact it's free. Nobody it seems wants software that's secure out of the box and stays secure.
People want features and features are the enemy of security. So the status-quo continues even though we've known how to fix these issues for forty years.
Simon
Once again, Linux is safe from such a common attack because only seven people have successfully set up WPA. If this had been a Windows flaw, where every machine natively understands WPA and no work at the command prompt is needed, this would be disastrous.
This shows that Linux has been taking the right stand. By making the machine difficult to get running, it's unlikely that the machine will be able to connect to anything and become infected. Windows made the mistake of making the machine easy to use, allowing for simply network connection and ease of ownership (OWN3D).
Dekker Dreyer
DefectiveByDesign? Oh wait ... wrong OS.
Here is a reference to a more informative report.
... this was fixed 4 months ago?
http://madwifi.org/changeset/1842
Humorous, but if someone wants a quick and painless route, check out Ubuntu. I running 7.04 beta on my laptop and wifi works well with my two very different APs in WPA(psk) mode. Installed and working, no tweaking, no manual compiling, no config file fiddling required. After running Linux for 12+ years I am quite happy with the state of Ubuntu.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
It's interesting that people start talking about Microsoft right away in reaction to this hole, as if the only thing that matters here is how this flaw relates to Microsoft.
What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.
I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.
Great.. I guess I'd rather have the Linux World where there aren't any serious problems to begin with. The larger picture here is that computer security kinda sucks, not that Microsoft is better/worse at it than Linux is.
I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore
Huh. I've had very good luck recently with Ubuntu. The built in wifi in my laptop worked out of the box with Ubuntu, and two other cards I own worked as well.
It hasn't always been like this of course. A couple years ago WiFi support was extremely lacking.
AccountKiller
The bug was in the open source portion of the driver, the closed-source HAL merely locks the range of radio frequencies and transmit powers allowed.
You are overlooking the way that most Joe Linux users get their updates - automatically. When security flaws are found and patches are delivered, you can guarantee that the people who package that software at Redhat, Ubuntu, Debian and other major distributions are aware of the update. Those security patches will be tested and rolled out into the main update repositories, probably within 24 hours to all the mirrors worldwide. The automatic update daemon on Joe User's modern Linux distro will be downloading the update within the next 24 hours or sooner. From security patch being announced to patched home computer in 48 hours in the worst-case scenario.
One of the nicest things about the distro's automatic updates is that this applies to ALL packages in the distro. I don't need to worry about Apache needing it's own updater. So no - the average Joe running Linux does not suffer - he gets informed about the update or even has it applied without manual intervention depending on the settings. Joe benefits and so does the community who recognise that fixing security flaws promptly is key.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Why is a tagging keyword 'haha'?
The madwifi howto is here. It seems that you can type, "lsmod | grep ath_pci" to find out if you are running the supposedly exploited module. My simple Etch system does not have this or wlanconfig tools by default, though those tools look very nice and I'm sure this little problem will be fixed quickly.
I have to agree with you about the uselessness of the PC World article. Besides not having any useful information, it's filled with FUD about free software wifi and confused "popularity argument" babble. In short it's more of a, "everyone else has these problems too, so Windoze away," pacifier than it is a news article.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
... this was fixed 4 months ago?It looks that way to me.
Unless this is a different vulnerability, Debian applied the fix over four months ago, two days after the patch was available, and eight days after the vulnerability was first reported
I saw the article and immediately started aptitude to get the fix, only to discover that I already got it, two weeks before Christmas. Nice.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Actually, I had more trouble getting my wireless card to work in Windows XP than Ubuntu 5.10. Turns out not every wireless card supports Windows' wifi config tool, and mine was one of them. For some reason, nobody seems to tell hardware vendors that their Value-add software feels more like value subtract.
Of course, I did have the foresight to ask my friends about what works on Linux, which I'm sure helped tremendously. However the laptop I bought didn't really let me choose a wifi card, and it still works with Ubuntu. Of course, Ubuntu takes a much more friendly stance on closed source drivers than Debian or Fedora, and that also helps a great deal. I'm pretty sure neither of my wifi devices work out of the box with Fedora (one more reason I didnt switch back to Fedora after trying out Ubuntu).
I Browse at +4 Flamebait
Open Source Sysadmin
Of course, it would have been too much trouble for PC World to mention exactly which version of the madwifi driver was susceptible to this particular flaw. So much better to let people dig through changelogs which might address any number of past vulnerabilities.
I patch and update regularly, so I just wasted some time double checking on a flaw that had been fixed on my system a long time ago.
Sorry chap, people start bashing on linux (and its users) as soon as any kind of vulnerability is found.
In this case, the vulnerability is in a 3rd party driver and not in the kernel itself. Nevertheless the not-so-techie reader just reads "Linux vulnerability".
Btw. Dont forget that the public is used to hear about Windows vulnerabilities, they dont notice them anymore.
Delta-Mike November Bravo Tango
Get rid of wifi cards (PCI as well as PCMCIA), and instead implement the wifi 'client' side with an ETHERNET jack to connect .. well, anything that has or can have an ethernet port. Have a 'router' build in that is accesible and configurable via HTTP and/or telnet. Include a 'bridge mode' where, once configured, the router steps out of the way for cases where you are on a known network where you trust its security, or for 'public' untrusted networks you leave the build-in router enabled, isolating you from unexpected inbound connections.
Then, you dont need specific 'drivers' for wifi hardware (you just need to support ethernet)
Um, "Joe Linux" here, chiming in. I run Fedora, which was pre-installed on oddball hardware. If Fedora has automatic updates like Ubuntu, and if they just work, I sure as hell haven't heard about them. The Fedora repository is about 10% of the way to useful. 15%, when I'm feeling charitable. I'm on Core 3 because I haven't found a distro that can deal with my system, and, since I'm a biology geek not a computer geek, I have no idea what to do or the time to spend finding out.
It gets worse. I don't even know if I'm running a madwifi driver or not. I looked at the running processes, but there's nothing obvious there. I don't know if madwifi is called something else in the process list. I do know I have a Atheros chip.
The point I'm trying to make is more than just displaying ignorance. The point is that it may be hard for those of you who are close to the subject to realize just how opaque it is to those of us who aren't. If you're in the know, share their knowledge. It's kind of frustrating, from my perspective, to hear, "It's all automatic, and if it's not, you're just too hopeless to deal with."
(All that said, you're quite right that when updates are applied automatically and effectively, both the clueless and the clued benefit. That's why I'm getting my next system with Ubuntu on it!)
Mac, Linux, Solaris, etc. have had many more security advisories than MS Windows has had to endure
I'm not sure where you are getting that idea, but according to secunia, Microsoft and Redhat have had exactly 3 vulnerabilities this month, with Microsoft vulns being more critical. Sure there was the Solaris telnetd vuln that made headlines, but I think it's just your perception. Plus I also think you're failing to take into account the ANI cursor overflow at the end of March which was a big deal.
Sure, exploits exist, but you have to DO something.
That's not true. Look at the ANI bug, it was actively being exploited in the wild on web pages that injected the overflow using the iframe tag. All you had to do was visit a website, no clicking required.
How many "users" running Linux are even going to know about this vulnerability, let alone patch it.
Again this seems like a case of selective memory to me. Remember the Intel wireless vulnerability that came out just before the Maynor-Apple announcement? Well if you have a Intel wireless chipset on your windows PC, you have to manually install a new driver from Intel, there is no Microsoft patch and it will *not* appear in windows update even if you have auto-updates turned on. So I fail to see how that's any different. In fact a number of Linux distros actually do have updates available for this Madwifi vuln.
Okay, what is it about the "average user" that makes Linux not ready for prime time?
Okay, now you're talking about Windows. And I'll disagree about 90% of Microsoft's security problems being the fault of the users. The default install of a system should be secure enough WITHOUT requiring the users to know how to secure it.
And by "something" you mean "plug it into the Internet as it was advertised".
Meanwhile, Ubuntu ships with NO open ports by DEFAULT. So I can plug it straight into the Internet in it's default configuration.
And with Ubuntu's default installation, that is not a problem.
But it is a problem with Windows.
But you say that that means that Linux is not ready for prime time.
Users will always install vulnerable apps. You cannot compare two systems based upon what the admins of those systems can or cannot do with them. Instead, compare the default installations and how their security models are implemented.
If this was a Microsoft flaw there wouldn't be any talk of "good PR" in releasing a patch quickly, or any other positive angle. There would be reply after reply about Microsofts' code being bloated, the evils of closed-source, monopolistic tactics, that one time when Bill Gates stood on a cats tail by mistake, etc. Linux isn't the only golden boy, Firefox (vs IE), Google (vs big nasty corporations), etc get just as much ridiculously transparent partisan treatment.
Vulnerabilities, particularly serious ones, are never good news. At the very least it would cost businesses who have deployed Linux engineer time in fixing (applying patch(es)) the problem, it generates uncertainty in the market - it creates the potential for business managers who just scan the IT news pages to say "didn't Linux have that serious problem not long ago?". This much is true of any OS, particularly one that businesses need to rely on.
I'm a firm believer in open-source, and I use both Windows and Linux in equal measure both at work and at home. I don't however believe fundamentally that the fact Windows and IE are closed-source automatically make them "poorly written". As has already been remarked a lot of this comes down to usage statistics... with a 90%+ market share you can guarantee that every hacker out there is trying to find fault in every single DLL that Windows ships with. As Linux gains more traction in the desktop & server markets as time goes on you can be sure that there will be most vulnerabilities like this being found. Programmers make mistakes, and there is no such thing as bug-free software.
I really wish Slashdot could dispense with the hidden agendas, partisan attitudes and blatent fanboyism and not sweep serious vulnerabilities like this under the carpet as if they aren't a big deal. Dimissing them as trivial is - if anything - more damaging than giving them the proper attention.
You won't be getting any updates for FC3 since the Fedora Project has dropped support for that. If you like the Fedora distribution you can go with FC6 or wait for May 24 when FC7 is due to be released. Otherwise, Ubuntu is a fine distribution.
Try this:
What? ®
Wait! Someone got WiFi to work in Linux!?
Okay, easy...just saying this is one area that's always been behind in Linux.
Which is not, a part of Linux, nor will it ever be while the driver relies on proprietary firmware.
What part of "the flaw was in the open portion of the driver" did you manage to miss?
The number of security advisories has very little bearing on OS's tho...
An issue with madwifi is an issue which can affect linux, but is not a bug in linux per se (since its not in the default kernel).
It may be a bug with a particular distribution of linux, if that distribution were to include these drivers.
Similarly, a bug in firefox or apache could also affect windows users if they chose to install it, but it won't be flagged as a windows bug because it's not present by default. Conversely, it will be flagged by most linux vendors as most linux distributions do include these programs.
When needs to be considered is that:
There are many linux distributions, each of these will release their own advisory listing affected versions of their distro, so you may get 10 advisories for a single issue.
Most linux distributions come with thousands of apps, far more than come with windows or even than microsoft publish as a whole.
Back to drivers, there are many many companies producing drivers for windows, many of which are questionable quality (most windows crashes are often blamed on poor drivers, how many of these crashes could be exploitable bugs?) so there are probably many many security holes to be found. The difference is that people aren't looking for holes in third party windows drivers, they would only affect people with certain types of hardware, and there is plenty of much lower hanging fruit to be found on the average windows system.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
It doesn't seem like a campaign to me. From my vantage point (obsessively neutral about tools) it looks like insecurity masquerading as a big community hug and wank session.
People who are secure in the choices they've made don't need to trumpet them all over the place. In particular, they don't segue any possible (tenuous) link into a rant about the superiority of their choice.
Slashdot - where whining about luck is the new way to make the world you want.
You wouldn't have to test for longer than hours or a few days if you had a comprehensive suite of unit tests. This is just a buffer overflow, not a feature addition. QA/acceptance testing should consist of checking that only code relevant to the bug was modified, and that the modification actually addresses the bug.
I can't blame Microsoft for having to use a longer term testing plan. Many developers have abused the APIs, and Microsoft has shown themselves to be committed to making Windows backwards compatible, to a fault.
If Linux developers abused the APIs this way, the API maintainers would tell them to get stuffed. Everyone involved knows it, so API abuse isn't much of an issue, and so smarter testing strategies can work.
In short, Microsoft screwed themselves out of doing things the "right" (expedient) way by holding developer's hands. Of course, holding developer's hands made it a very attractive platform to work with -- the strategy has obviously worked to their financial advantage.
After all, I am strangely colored.
I use [linuxdistro] and am a firm believer in open source software, but we just can't pretend that [securityflawfixedmonthsago] isn't a big deal. Your average Joe user isn't able to install a patch and this just proves that Linux is not ready for the desktop.