Serious Security Vulnerability in Linux Kernel
In light of the recent attack on the Debian Project’s servers, researchers have found a serious security vulnerability in the Linux kernel. This vulnerability can enable a hacker to gain root access to a machine. (For the Windows-only types among you, root is like the Administrator account.) Once you have root, you can do anything; root is the uber user.
The vulnerability is an integer overflow in the brk() system call, which is part of the kernel’s memory management. When the call invokes the do_brk() function with a user-supplied address and length, the function does not check for integer overflow when adding the two values together.
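To make the bug class concrete, here is an added illustration (not the kernel’s own do_brk() code) of the difference between validating a request by computing address + length, which can wrap in 32-bit arithmetic, and validating it without ever forming the sum. The TASK_SIZE value and the sample requests are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative constant, not the kernel's definition: the top of the user
 * address space on a 32-bit machine (assumed value for this example). */
#define TASK_SIZE 0xC0000000UL

/* Vulnerable pattern: validate the end of the range by computing addr + len.
 * In 32-bit unsigned arithmetic the sum silently wraps modulo 2^32, so a very
 * large len can yield a small "end" that passes the check even though the
 * requested range actually runs past the user/kernel boundary. */
bool range_ok_wrapping(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;          /* may wrap */
    return end <= TASK_SIZE;
}

/* Hardened pattern: never form the sum. Reject an oversized len first, then
 * compare addr against the room that remains, so nothing can overflow. */
bool range_ok_checked(uint32_t addr, uint32_t len)
{
    if (len > TASK_SIZE)
        return false;
    return addr <= TASK_SIZE - len;
}

/* Runs both checks over constructed requests and returns how many times the
 * wrapping check accepts something the overflow-safe check rejects. */
int count_disagreements(void)
{
    struct { uint32_t addr, len; } cases[] = {
        { 0x08000000u, 0x00001000u },   /* ordinary request: both accept */
        { 0xBFFFF000u, 0x00002000u },   /* crosses TASK_SIZE: both reject */
        { 0x08000000u, 0xFFFFF000u },   /* sum wraps: only the vulnerable check accepts */
    };
    int bad = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool a = range_ok_wrapping(cases[i].addr, cases[i].len);
        bool b = range_ok_checked(cases[i].addr, cases[i].len);
        printf("addr=%#010x len=%#010x wrapping=%d checked=%d\n",
               (unsigned)cases[i].addr, (unsigned)cases[i].len, a, b);
        if (a != b)
            bad++;
    }
    return bad;
}

int main(void)
{
    return count_disagreements() == 1 ? 0 : 1;
}
```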
I am not one to dwell on an email virus or something like that. But fundamental problems in the Kernel are pretty catastrophic. Let me explain why. Because the vulnerability is in the OS kernel itself, the problem affects just about every distribution of the operating system from kernel version 2.4.0 through 2.5.69. That means that every version of Linux installed on every computer on the planet needs to be upgraded when a fix is available.
I am not going to lower myself to the mudslinging of the MS vs. Linux silliness, but I am going to remind all the folks out there who tell us that Linux is free. The Linux community will rally fast to address this very serious security issue, and everyone will have to upgrade their Linux installs worldwide (including Nicole’s machine in my living room sitting on my nicely secured Windows network). That is a total cost of ownership (TCO) issue. Nothing is free. It costs time and money to do this (just as it does when you apply an MS patch or upgrade).