'Most Serious' Linux Privilege-Escalation Bug Ever Is Under Active Exploit

Reader operator_error shares an ArsTechnica report: A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."

Re:Why Use Linux?

Why use Linux? Because of security!

Hmm .. something just doesn't sound right here.
True. The thing that doesn't sound right is the belief that security is binary. Security is a continuum and sometimes a series of tradeoffs. It's not, never has been, and never will be 100%.

So no, finding a security bug in the linux kernel doesn't mean that linux is any less secure. We know these things happen. The idea is that it happens LESS often, and with less severity, and with fewer downsides than with Windows.

Re:Why Use Linux?

[wjcofkc]

Why use Linux? Because as much as I love FreeBSD as a hardware barebones headless server for this and that, dealing with hardware driver issues for a fully featured desktop ranges between a pain in the ass and impossible. Otherwise I would be using the PC-BSD variant as a desktop productivity OS over Linux.

Re:Why Use Linux?

So, how many security holes just as bad as this one has been silently plugged in Windows the last 15 years? How many equally serious security holes are being exploited in Windows right now? How many worse security holes are being exploited, or waiting to be found in Windows, right now?

I don't now. But I'm willing to guess the answer isn't "zero" to any of those questions. Nobody ever claimed Linux was bulletproof, the point is that it's better than the alternative.

Linux is less complex than Windows, bugs tend to be more public (no silent fixing of things while fixing other breakage), and get fixed faster than Windows. That's how it's more secure. Not because it's bulletproof.

It's also not a massive piece of spyware in itself.