A major security vulnerability in the Linux kernel, which was revealed on Sunday, has claimed its first confirmed UK victim in business ISP Claranet. Hackers used a bug in the sys_vmsplice kernel call, which handles virtual memory management, to gain root privileges and replace Claranet customers' index.html files with the …
...that it was domains starting with a number, A or B. Time to register zzzzz.com!
I wonder what distro Claranet are using. Debian's only on 2.6.24 on unstable, and as far as I am aware odd numbers, eg, 2.6.23, are dev/testing only, no? What were they doing on 2.6.23/4 in the first place?
I thought Linux was secure
And this is the problem. With all you Linux fanbois harping on constantly about how secure your system is you tend to forget that believing your own bullshit compromises your systems.
Get your asbestos underwear on - here comes the flame war as the Windoze mob finally get to crow about a vulnerability in Linux!
"The affected system call first appeared in version 2.6.17, but wasn't left open to exploit until changes were made with the 2.6.23 kernel."
2.6.23 is a very new kernel to be running in a production environment.
the patched Kernel available now I would suggest getting it and installing it. If your lucky enough to be using Slackware.
Well it's a good job...
It's a good job they were using Linux as I frequently hear that it is so much more secure than Windows.
As far as I know I got a patch for my Ubuntu desktop's kernel yesterday; So it took less time to fix and distribute across several levels of community than it took for the hotfixing gunk to be made.
I have to laugh because it's pretty much a few lines change to fix. Though I was quite impressed following the issue how transparent the whole process was.
I got hit...
My hosting company in which I have a reseller account was hit on Sunday as well. And not of my domains start with a number, A or B, so it was much more than that. All the index.html, index.htm, index.php files were overwritten.
Thankfully Linux is so secure and Windows is the only flawed OS on the earth.
Proof that Open Source Software is DANGEROUS
This is exactly why closed-source proprietory software like Microsoft Windows is safer, because hackers don't even need to reverse engineer the cancer that is open source code in order to see how it works.
And before any of you Linux fanboi losers sad enough to flame me suggest that I am a Microsoft employee, I am not. I can only count on two hands the number of times I have visited their HQ.
so few comments
on a major security flaw affecting potentially thousands of users, oh thats right it isnt a microsoft product. I guess all those that go round telling people that "I use Linux so I dont need to worry about security" are not too keen to raise their voices?
FreeBSD for the win.
Linux is the ghey.
Re: I hear...
That's probably because "Within 10 minutes Claranet contained and halted the malicious activity" i.e. the script probably worked alphabetically and didn't get time to do the whole lot.
re: I hear...
Quite obvious if you think about it: if you gain access to a virtual hosting server's filesystem, the host directories will be in alphabetical order, so an exploit script would traverse the directory tree in the same way. I can remember when ClaraNet was BSD...
A company where the technical staff cannot be bothered to interview candidates so they let the HR and secretaries perform technical interviews with multiple choice questions they cannot even read correctly. Why am I not surprised...
As Graig Lake used to say "We get whatever Christmas we deserve..."
Paris hilton as most appropriate approximation of an eastern european HR lass performing an interview is most appropriate here...
Looks like you've got your lips wrapped firmly around Bill Gates halo *slurp*
Local root exploits
Local root exploits in Linux (by which I mean core parts of a Linux system) aren't all that rare. I would guess there's at least one a year. So, you can't have lots of untrustworthy local users on a Linux system and expect this sort of thing not to happen every now and then. The usual solution, for hosting companies, etc, is to use virtual machines to separate the users from each other, though quite a lot can be done with chroot jails if you don't mind giving the users a very restricted environment.
It's not clear to me from the report whether Claranet was attacked by a "legitimate" local user or whether there was also some kind of remote exploit used to gain access in the first place.
I'm not sure it makes sense to compare with Windows. Does Windows even attempt to protect itself against untrustworthy local users?
The difference here between Windows and Linux is that when the vulnerability was discovered in Linux there was a hotfix and a patch out almost the same day, and every vendor should have a patch out in less than a month. It also doesn't affect too many production systems as it's only a very narrow range of version that are affected, it just happens to be that a couple of the biggest distros are currently using one of those versions. If it had been one of the smaller distros you probably wouldn't have even heard about any sites actually getting hit by this. Contrast that to Windows where the response is usually to sweep the vulnerability under the rug and put out a patch in a month or two. In Linux, if you were inclined you could compile the patch and install the hot fix as soon as it was released and you would have had a window of vulnerability of less than 2 days. In Windows you're at the mercy of Microsoft and there's nothing you can do about it until they decide to release a patch in a month or two.
As for this particular vulnerability, I find it interesting that production systems were hit, as it shouldn't be remotely exploitable. It's a privilege escalation attack that requires permission to compile (or download) a binary and execute it on the target machine. Sounds like maybe they're running something else in need of a patch, or someone brute forced or social engineered their way onto the system.
Also, despite what I said I do run Windows for specific things (gaming), but I also use Linux and OS X where appropriate (work and laptop respectively). I do think Linux and OS X are superior to Windows, but you have to use the platform your programs require.
HAHA Linux losers! Windows 1 : Linux...234786234
Let's be honest, if the same number of Linux users commented like this on every article that reported a Windows vulnerability, old El Reg'd need to host its comments database on one of those Google portable datacentres.
quick! linux security problem!
windows supporters - ATTAAAAAACKK!!!!!!!!!!
despiter the fact that it's literally 1 problem, already fixed.....
btw, I'm not a linux fanboi. Just find it funny when the windows fanboi's retaliate for any and everything, and exhibit confirmation bias in bucketloads....
Isn't this a local exploit? Did the perps register an account or just hack in to someone elses shell? Doesn't say much for the password policy eh!
To All The Fanboys ( both win and linux )
Nothing Is Perfect.
I am Not a Windows Fanboy..
I am using windows Xp for 3 years and never got a BSOD.
It Mostly hangs and i press the reset button.
I am Not a Linux Fan boy
I used Ubuntu For a Month . It sucks . i liked using win.
So FLLLLLLLAMEEE ONNNNNN
Disclosure != vulnerability
I'm a big fan of open source - I run Linux at home, administer it at work (alongside Windows), and even own a Macbook Pro. - so my thoughts aren't tainted by any agenda :)
That said - just because this vulnerability was fully disclosed a few days ago and patches came out shortly after, doesn't mean to say that this vulnerability hasn't been in the wild for quite some time or that the time taken from public disclosure to patching makes Linux inherently more secure. For all we or anyone knows hackers may have been using this to root servers for months (2.6.17 has been out a while).
This is a BIG vulnerability in the kernel and the code involved should really have been picked up by peer review. I can only assume through a basic understanding of the process by which kernel patches are approved that the vmsplice code was added to the kernel without a great deal of analysis.
I think this vulnerability just goes to show that no code is totally secure, and source being open does not guarantee security or quality.
Been there, fixed that
The fix for Ubuntu came out a couple of days ago.
Nice to get a reminder that I shouldn't get tooooo complacent.
Mind you, never run bleeding edge kernels or major software anyway.
Alien: Well, ..... someone must have planted the bug ;)
Linux is more secure - not completely secure
First a few things to note about this security hole
a) It can only be exploited by someone with access to the system.
b) It only effects the 2.6.23 kernel, anyone stupid enough to be running that in a shared user/web hosting environment deserved what they got
c) It was fixed in all versions of the kernel within a few hours of first being spotted (and that's the benefit of open source).
d) Just because something is closed source, that doesn't offer security. It's more likely to protect flaws which are being actively exploited from discovery and give criminals much more time to exploit them. Some Windows flaws have been exploited for over a year before they were even noticed and several weeks passed beyond that before fixes became available.
I'd welcome every single security researcher out there to turn their attention to linux. They will find flaws faster and linux security will improve at a greater rate.
Most informed Linux users have never claimed 100% security. Usually it's the Windows fan boys who twist words because that's the only way they can deal with what they perceive to be a threat to their way of life. However for most people security is only one aspect of choosing linux and incidents like this aren't going to stop the increasing take up of linux worldwide.
Re: I thought Linux was secure
No, it's not totally secure. Nothing is.
Linux is simply more secure than Windows because of major design differences; if operating systems were compared to, say, a mosquito net, Linux would be a mosquito net with a few small holes in it, while Windows would be a mosquito net made from chicken wire.
RE: I Wonder... By Jamie Kitson
The odd / even thing for testing and stable distributions is only the second digit: in this case 6(a stable version, 2.5.xxx was the last development version) (2.6.xxx). But overall this system has been moved away from. Linus had something to say about it, a bit of googling should bring up the interview - basically that that model of development was too slow and painful - trying to huge amounts of updates and integration, so now he has moved the kernel to a development model of many small releases. He said that he is very happy with the way it works, and that he doesn't see the kernel moving on from 2.6 anytime soon.
Bring back OpenVMS
If only Digital had allowed Dave Cutler to port OpenVMS to the Intel world. And if only some more energy would be put in writing proper tools and quality code on whatever platform you prefer.
I must be getting old so I'd better get my ...
This relates to diversity. As with biological diverstiy, a pathogen can wipe out entire species of crops and more when there is little bio-diversity. Does this not seem to apply to other systems as well. All these problems are contained within a small subset of Linux systems. However, when a exploit is found in MS Server or MS Desktop OS, it has the potential of disrupting millions of systems.
Next point: Should mission critiical systems (hospitals, doctors, government agencies, energy, etc.) be using their own version of open source OS to limit their exposure to malware, exploits, etc.
Whilst true that the Linux community will typically get the patch out quicker (hacked together by some spotty teenager and tested by users), whilst MS will develop and thoroughly test the patch behind closed doors, the fact is that the closed source vulnerabilities in Windows are almost always ones that are announced by themselves or security firms but where the hackers do not have access to the source to work it out themselves.
i.e. With Windows, by the time the hackers really have developed a hack, MS has long since rolled out the *fully tested* patch.
Now don't get me wrong. I love Linux too. However, the whole "it's secure because it's Linux" is both a myth and a dangerous assumption.
The fact is there are far more security patches rolled out on Linux than Windows. They're occurring all the time, but few people make a song and dance about it unless you get a headline incident like this.
That both Linux and Windows get patched pretty quick is a positive thing anyway, and reality probably is that so long as people update they are mostly safe from these vulnerabilities.
The real issue with Linux is with poor administration and the assumption that updates are not required. Sadly a lot of neglect occurs with web servers, and especially in applications that aren't part of the normal distribution and therefore update process.
I mean, what do I see in my web server logs these days? Not IIS hack attempts like I used to see 10 years ago, but almost all the attempts are aimed at known flaws in PHP applications. Not in PHP or Linux, but in the applications.
Didn't Microsoft release fixes for 6 crits yesterday?
Couldn't work out how long they'd been open for, and granted, most were for 'userland' stuff like Office, but that was after about a minute of looking. I'd say that the very fact *1* security flaw has been exploited in a Linux deployment is newsworthy says it all...
A few points.
Firstly, to all you Windows Fanbois: The reason this is newsworthy is because it is RARE! Compare this to Windows where every time an automatic update is done your get several security fixes.
Also, WRT Chris' comment "Proof that Open Source Software is DANGEROUS", this is where you are wrong.
The fact that security vulnerabilities are easier to find means they get found quicker. Often before the major distros release the new software (whether kernel update or something else). If a "hacker" finds it first, and it is already out in production environments, it gets reported quickly and fixed.
Contrast this with MS. The only way people not working there can test for security flaws before release is in a beta program. And they cannot check the source code for them. Even during the beta testing, hackers will be looking for vulnerabilities, as well as the good folks at MS and security firms. Do you think these hackers will report the problem to MS?
So some make it out into production environments. When a flaw is found, it must be reported to MS. MS must then build a patch, test it to make sure it doesnt break something else, then release it. The end user must then download and install it. Overall this makes for a much longer period of vulnerability.
Therefore I put it to you that, from a security point of view, CLOSED source is more dangerous.
"In Windows you're at the mercy of Microsoft and there's nothing you can do about it until they decide to release a patch in a month or two."
Strange that the last few MS vulnerability warnings I have read on El Reg also state that users who are fully patched are already protected.
Basically, the problems with Windows are generally created by idiots who know nothing about computers (what's a firewall?). You don't tend to get that with Linux simply because you need a bloody degree in computer science to get the damn thing to do what you want it to do. But also for this reason you more than likely know a little about security (i.e. you know not to open that attachment from that unknown source). Windows is built specifically for end-users and is designed so that the end-user doesn't need to know how the OS works to be able to use it. The upshot of this is that hackers are having to use social engineering techniques to breach systems at the only vulnerable component - the user.
It's not easy being a fanboi when the rug is pulled from under you eh? All of the reasons that are continually spouted on here about how you don't have to worry about this that and the other because you run a "secure" system will just have to stop before your complacency compromises your system. Welcome to the real world, your bubble has been burst.
And @Robert Grant
"Let's be honest, if the same number of Linux users commented like this on every article that reported a Windows vulnerability..."
They do, every time. And yes, we're sick of hearing it.
Suck it up boys, it's your turn to take some flak. And please, less of the BS in future eh? It only makes you look foolish when we get headlines like these.
at least it was patched fairly quickly, unlike...
I quote "I do think Linux and OS X are superior to Windows, but you have to use the platform your programs require."
Couldnt agree more, windows sucks but you have to use it every now and again.
But as alternatives gain ground the requirement to bathe in the devils vomit is getting less as time goes by, thankfully.
Not only claranet?
I have a few sites on easily, one of which (near the top of the alphabet) was defaced on Tuesday. Several .php pages, all starting at the top of the alphabet.
RE: Peter W
No, the funny thing is Peter that El Reg decided to post this on their site. Linux exploits happen every week at least, if not more.
The difference is that El Reg is bias towards OSS so hardly reports it. Remember the big random number generator issue a few months back. Funny that the Windows issue was listed on El Reg but the Linux one a few days later wasn't.....
Truth is all OS's have holes, and they all need to be patched. Windows, BSD, OS X, Linux etc.
I suggest people commenting on OS security take a look first at the various independant websites that monior exploits. Secuina, CERT etc.
Linux isn't secure...
Shock horror, A Linux user stating that fact that all windows users know to be true!!
The cancer that is open-source spreads FUD about how secure it is before falling prey to a hacker and not fixing the patch for six months... no... wait.... sorry, what I mean to say was:
1) This kernel shouldn't have been used on a production system
2) No computer system is completely secure against attack unless it is switched off, sealed in a lead-lined case, covered in cement, surrounded by Nuclear Waste and blasted into space before being blown up...and even then someone would probably be able to hack it given time...
3) Linux has bugs. Thousands of them every year. Some of them become exploits, these are usually patched within 24-48 hours. Linux may not be completely secure, but it is secure, and more so than windows.
No Perfect Security
As with any computer operating system (Unix, Linux, Windows, Sun and all combined flavors) there is no perfect security process! The more lines of code, the more features, the more critical the system the more likely that someone will eventually find a hole, bug, or other electronic or socially engineered weakness and exploit it. The only thing we can hope for is DILIGENCE in design and operations. In other words PAY ATTENTION !!! Pay attention to the code you write, pay attention to the code you buy/download/install/borrow/steal, pay attention to your systems very closely and make sure you have backups and know how to use them!
All other claims to be un-hackable and/or indestructible just make for cute commercials (Hi, I am a Mac) and anyone that believes them should really be in sales, not tech support!
Difference in attitudes
The Linux community had a patch out within a few days of the vulnerability's discovery. Microsoft would, at the very least, wait until the next 'patch tuesday'; they can (and have) spent a few weeks 'verifying' the flaw, and a few more 'fixing' it.
More than the number or severity of security vulnerabilities, it's the priority given to fixing them that sets Linux above Windows.
The real problem is feeping creaturism
It's a stupid bug in a stupid syscall added to make webserver benchmarks look good.
The specific bug is the absence of checking on a memory address passed from a user program into the kernel.
In other words: it's caused by a combination of sloppy programming and vanity.
It says nothing about the relative security of linux vs. Windows.
OTOH, if they'd kept linux small and simple, like un*x used to be, instead of bloating it, this wouldn't have happened, so I suppose it says something about the security of badly- (or non-)designed systems in general.
BTW: this somewhat invalidates the OSS idea that a million eyes make for safe code: if that was so then this bug would never have made it into production.
There's no Paris Hilton angle, but there's no Jessica Biel icon (who she?): the exploit source code file was named "jessica_biel_naked_in_my_bed.c"
Aren't men sad?
Its funny how I just did an XP install an an older laptop, around 60 or so updates to install on an OS thats how old now. Then an older pc, I put Xubuntu on, latest gutsty gibson release, just start it up and it tells me their is 168 patches available. So an OS that is just released has a 168 patches yet a 5 or so year old os only has 60. Good thing Linux is so secure that those 168 patches must be only for wallpapers and new icons.
Fanboys, at least they're good for keeping you warm this warm with all the hot air they keep fanning around.
Re: quick! linux security problem!
>windows supporters - ATTAAAAAACKK!!!!!!!!!!
>despiter the fact that it's literally 1 problem, already fixed.....
>btw, I'm not a linux fanboi. Just find it funny when the windows fanboi's retaliate for
>any and everything, and exhibit confirmation bias in bucketloads....
But... they're hungry! It's not often a crumb falls from the table for them to feed on.
Who the hell's waiting for a fix?
This was a one-liner. I did it myself and re-compiled in less than fifteen minutes from the exploit becoming known to me a few days ago.
THAT's why I use open-source. Everything goes wrong sometimes, but I can fix my system myself without having to wait.
Would it be terribly unsporting
to curtail this flame war by asserting that those believing this to be of value in the great MS vs Linux vs BSD vs OS/2 debate are clearly Nazis?
"As for this particular vulnerability, I find it interesting that production systems were hit, as it shouldn't be remotely exploitable. It's a privilege escalation attack that requires permission to compile (or download) a binary and execute it on the target machine. Sounds like maybe they're running something else in need of a patch, or someone brute forced or social engineered their way onto the system."
Given its some kind of hosting environment, its only as secure as their customers sites. If someone has their own php script running that does no input validation, or is running an out of date version of some bulletin board software, gallery or whatever, a hacker could easily use a Cross Site scripting attack to gain access to the box, something I've seen happen with other websites. It doesn't require any thing else unstable on the box. Even a quick 5 minute Google will show all sorts of copies of various scripts all ready to be injected in such ways.
@Tim - Fully tested?
"Microsoft only rolls out fully-tested patches?" Are you kidding me? How many times have you seen MS roll out the 'patch to the patch'? Just last year in our organization, we got a "fully tested" patch that had half of our 500 users complaining about frequent IE crashes. MS eventually released an updated patch, but to say that the quality of MS patches is somehow better than Linux fixes is absurd. Not a fanboi of either OS. I use both and they both have things I like and things that are a royal pain in the ass.
re: Bring Back OpenVMS
"If only Digital had allowed Dave Cutler to port OpenVMS to the Intel world. "
You can get VMS on Intel. Unfortunately it's on one of Intel's occasional failures, the Itanium (who else remembers the iAPX432 and I20 and other ventures which prove that Intel are not invincible, and prove that Intel won't throw good money after bad indefinitely even if they can afford to).
Sadly the current owners of VMS don't have the same track record of investment in VMS development and support as the people who brought it to you in the first instance, and its security record is no longer as unblemished as it was, particularly where software has been ported to VMS from the UNIX world without taking full account of VMS security mechanisms which simply don't exist in the Unix world (yes I'm talking about some bits of TCP/IP services).
linux aka cack
If it had been a closed source OS then they wouldnt have known about a bug in virtual memory managment (thats not to say there wouldnt have been one elsewhere)
I'm surprised at the lack of clue being shown by some users here
I'm a *nix sysadmin that works mainly with Linux & Solaris. I love OSS and do believe that the OSS model offers security advantages.
News flash: No mainstream OS in use today is very secure.
Anyone who claims that simply running a given OS will make their system/network secure hasn't got a clue about security. Perhaps some end users might believe this sort of thing but in my experience even the most inexperienced sysadmins realise that security is a bit more complicated than that. Security is a process that has a purely human component.
As for this exploit itself - it is a local root exploit. This isn't the first in the Linux kernel and it won't be the last. Every other OS has had equivalent problems too.