Linux at risk from NULL security flaw

From the ‘this is not a drill’ files:

Linux users take note: we’re all at risk from a kernel privilege escalation flaw. No it’s not the end of the world, that will lead to massive remote exploits and all Linux servers being pwnd. But it is something to be concerned about.

The flaw is a NULL pointer error that exists in all versions of the Linux kernel released since 2001. No that’s not a typo.

This is a flaw that potentially has been in Linux for eight years and has somehow escaped the ‘many eyes’ philosophy of finding security flaws. It has also somehow escaped the static analysis that is performed on the Linux kernel that is supposed to find such NULL pointer flaws.

“Tavis Ormandy and myself have recently found and investigated a Linux kernel vulnerability,” Security Researcher Julien Tinnes wrote in his advisory. “It affects all 2.4 and 2.6 kernels since 2001 on all architectures. We believe this is the public vulnerability affecting the greatest number of kernel versions.”

Linux founder Linus Torvalds, late Thursday committed a patch to the Linux kernel that will mitigate the issue – which is good. But considering that it takes time for such a patch to propagate into kernel builds used by the Linux distributions, there is cause for concern.

News Around the Web