RealTime IT News

NULL Security Flaw Threatens Linux


Netstat -vat by Sean Michael Kerner (bio)

A command line view of IT

From the 'this is not a drill' files:

Linux users take note: we're all at risk from a kernel privilege escalation flaw. No it's not the end of the world that will lead to massive remote exploits and all Linux servers being pwnd. But it is something to be concerned about.

The flaw is a NULL pointer error that exists in all versions of the Linux kernel released since 2001. No that's not a typo.

This is a flaw that potentially has been in Linux for eight years and has somehow escaped the 'many eyes' philosophy of finding security flaws. It has also somehow escaped the static analysis that is performed on the Linux kernel that is supposed to find such NULL pointer flaws.

"Tavis Ormandy and myself have recently found and investigated a Linux kernel vulnerability," Security Researcher Julien Tinnes wrote in his advisory. "It affects all 2.4 and 2.6 kernels since 2001 on all architectures. We believe this is the public vulnerability affecting the greatest number of kernel versions."

[Continue reading this blog post at Netstat -vat by Sean Michael Kerner]