Way over-blown story...
|
Author | Content |
---|---|
JaseP Aug 20, 2010 9:20 AM EDT |
This story is way over-blown...
First: The vulnerability has not been shown to do anything other than crash the X-server. There are no instances of it being exploited in the wild.
Second: From what I read,... To cause the necessary overflow, you need to fill the stack (for instance with pixmaps). Anything that did that would very likely get noticed, even by an "ordinary" user,.. darn quick. And probably it would be terminated by them before it can fully execute because it is hogging system resources, without any knowledge or concern that it was a mal-ware package.
Third: I suspect it could never be used over the internet because an attacker first has to get local user privileges in order to run code. Most systems are set by default not to allow X-server access by remote users. So, they need one piece of malicious code to run FIRST before they can inject their code package to escalate the privileges. It is not a bot-net-virus type exploit that will take advantage of this vulnerability. Taking advantage means an active hacker sitting at a keyboard, attacking a particular system vulnerability remotely.
And Note: Many, if not most, Linux internet servers do not run an X-server. This is a concern for desktop users.
Is it a serious concern,... Sure,... I am sure someone, somewhere, can find a way to create an exploit package that is both subtle, small, as well as "elegant." Can a typical script kiddie do it??? No. Has anyone done it yet??? No.
The solution is to patch. The only problems are on legacy systems that have to run older kernel versions that have not been patched. Suggestion: On a system that absolutely has to run an older kernel, try and stick with one of the distros that had already patched the hole...
The bottom line is that while POTENTIALLY very serious, the vulnerability is more an example of yet another theoretical vulnerability, without a known exploit, rather than a real world one.
But this does illustrate the beauty of Open Source, that anyone can find a flaw and offer suggestions to fix it. Many eyes to spot & fix the problem. I really wish our own Linux pundits would not fuel the fire of the anti-Linux camp. I am sure that M$ fans will have a field day with this vulnerability. |
gdr Aug 20, 2010 10:07 AM EDT |
@ JaseP -- you need to use the terms "exploit" and "vulnerability" correctly. In accepted usage, a "vulnerability" is a flaw that has the potential to be "exploited". Once an exploit exists for a vulnerability, there is a problem. Vulnerabilities without exploits don't have practical consequences (but need to be fixed before an exploit is developed). The terms are not interchangeable, as you have done in your post. Just an FYI. |
JaseP Aug 20, 2010 4:30 PM EDT |
@ gdr,... Thanks for the clarification & please note that I wrote it in my in-between moments during the work-day... So no to little proofreading. PS I edited it for better terminology and readability... |
phsolide Aug 20, 2010 4:39 PM EDT |
I agree that this is way, way over-blown. If a similar flaw in Windows' GDI appeared, it would get a big yawn. But the fact of the matter is that Linux kernel flaws don't appear too often, so just as an analogous Windows flaw would get no headlines, this gets Big Headlines. I also think there's another factor at work: the Anti-Malware people have this huge, long history of predicting that Unix/Mac/Linux will get a cloud of viruses/worms/trojans any old week now. Of course these predictions, dating back to at least the Morris Worm of '88, have never come true. But the Main Stream Media, who gets press releases and tips from Anti-Malware companies, sees this as a chance to Break A Big Story and get cited and get hits for years. So, they jump on every opportunity with both feet. |
JaseP Aug 20, 2010 4:45 PM EDT |
@ Phsolide,... I think everyone is so USED TO windoze vulnerabilities... A Linux kernel one is so rare... But agreed on the media. Remember they are being paid by advertising dollars from the likes of McAfee and M$. Why do you think that CNN.com runs so many stories about iPhone this, or iPad that?!?! Follow the money... |