Slashdot Mirror
Linux Has a USB Driver Security Problem (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: USB drivers included in the Linux kernel are rife with security flaws that in some cases can be exploited to run untrusted code and take over users' computers. The vast majority of these vulnerabilities came to light on Monday, when Google security expert Andrey Konovalov informed the Linux community of 14 vulnerabilities he found in the Linux kernel USB subsystem. "All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine," Konovalov said. The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched. Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code.
If all it takes is access to plug in a USB dongle, that's a different kind of access than being able to open up the machine and tinker with it. Secretary turns her back for a moment? Plug it in while you can.
Hell, with the tendency for people to plug in USB keys found on the street still to this day, that's all that would be required to exploit these flaws in an otherwise impenetrable building.
-=This sig has nothing to do with my comment. Move along now=-
Wow, Hollywood has actually been accurately portraying the state of security in Linux for years, and nobody realized!
If it turns out that the secretaries of the world have been running Linux all these years, I will be rather surprised :)
I don't care if it's 90,000 hectares. That lake was not my doing.
Why can't Linus in his infinite wisdom do the same?
If Linux was a microkernel architecture kernel, it would be safer, but slower by about 20%. So the reason is speed.