Slashdot Mirror
'Most Serious' Linux Privilege-Escalation Bug Ever Is Under Active Exploit (arstechnica.com)
Reader operator_error shares an ArsTechnica report: A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.
"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."
"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."
OMGUbuntu why use linux answered in 3 short words
Why use Linux? Because of security!
Hmm .. something just doesn't sound right here.
I am Slashdot. Are you Slashdot as well?
What I worry about is not the 10 Linux Desktops on the Planet; but the gazillion of devices running Embedded Linux. NONE of them will receive an update that will resolve this, and if it happens to be in some IoT or Networking device (let's say, a Router...), you are pwned, or most certainly can be.
So, with the "Many Eyes" theory, how does a bug like this exist for NINE YEARS? I don't CARE how "obscure" the code is; surely SOMEONE can spot a logic flaw or buffer-overrun error in that time, even in code they don't fully understand!
This is much like the long-lurking SSL vulnerability a couple of years back. Did that ever get fully resolved?