Linux distros fix kernel terminal root-hole bug

Linux admins need to get busy patching, as a newly discovered bug has emerged in the kernel's tty handling – and it lets logged-in users crash the system, gain root privileges, or otherwise modify and access data they shouldn't. This memory corruption flaw is certainly nothing like OpenSSL's remotely exploitable Heartbleed – …

COMMENTS

  1. Anonymous Coward

    Definition of "local"

    It would appear that "local" doesn't just include someone sitting in front of the screen, but rather anyone who can gain shell access remotely, if this C code is anything to go by.

    Nasty? Most definitely. Cue the Windows fans now saying "that's what you get for using free software", who by now are only just getting used to the idea that similarly nasty bugs affecting versions of Windows from XP to 8.1 are being discovered now.

    At least now that I know of it, I can have this patched within the hour; I don't have to wait for upstream.

    1. Flocke Kroes Silver badge

      In the Microsoft World

      The patch would be ready today, but you cannot have it until Tuesday.

      1. Ole Juul

        Re: In the Microsoft World

        I'll gladly pay you Tuesday for a patch today.

        1. Anonymous Coward

          Re: In the Microsoft World

          "I'll gladly pay you Tuesday for a patch today."

          Untrue. For critical fixes MS will push them out-of-band.

          As F/OSS can't win on merit, they have to keep trying the PR FUD.

          1. Fibbles

            Re: In the Microsoft World

            "As F/OSS can't win on merit, they have to keep trying the PR FUD."

            Oh, the irony...

            1. Anonymous Coward

              Re: In the Microsoft World

              "Oh, the irony..."

              And the irony intake doubles when you consider the first sentence regarding critical updates in that post was entirely correct. Nothing like losing your audience by starting with the facts and then smothering them with a thick layer of crap.

      2. Anonymous Coward

        Re: In the Microsoft World

        The patch would be ready today, but you cannot have it until Tuesday.

        Or ever if it's Windows 2000/XP.

        I can still apply any patches I like to my old Slackware 3.6 installation (if I had one; I have the media for it, though). While no one's there to write the patch for me, there's nothing stopping me writing my own and applying it other than my own patch-writing skills. This is why I choose open-source solutions over proprietary ones where possible.

        I suspect that while we Windows Vista, 7 and 8.x users will be updating, the Windows XP users will be left to go it alone.

      3. Anonymous Coward

        Re: In the Microsoft World

        Just to point out to those harping on about waiting until patch Tuesday - previous studies have shown fewer 'days at risk' and on average a faster patch time for Microsoft OSs compared to enterprise Linux distributions. I am not aware of any that show the reverse.

        1. Anonymous Coward

          Re: In the Microsoft World

          "Just to point out to those harping on about waiting until patch Tuesday - previous studies have shown fewer 'days at risk' and on average a faster patch time for Microsoft OSs compared to enterprise Linux distributions. I am not aware of any that show the reverse."

          Got a link?

          1. sabroni Silver badge
            Thumb Up

            Re: Never mind the facts!

            Let's fill this page with MS hate then we can all pretend this Linux vulnerability never happened.

            1. HollyHopDrive

              Re: Never mind the facts!

              @sabroni There is far too much truth in that statement.

              I think it's far too easy to take the moral high ground with Linux, though based on relatively few serious exploits over the years it's probably partly justified. But just like Windows, if you don't patch it.....

              I'm a big Linux advocate but I am also happy to admit that there are from time to time holes in it. But I'd still rather take my chances with it over Windows. In fact I'm off to quickly patch my machines now....

              1. itzman

                Re: Never mind the facts!

                I patched it before commenting.

                Not that anyone but me knows HOW to get a shell here..

            2. Fatman
              FAIL

              Re: Never mind the facts!

              Let's fill this page with MS hate then we can all pretend this Linux vulnerability never happened.

              Which I am sorry to say, is a bad attitude.

              Someone fucked up.

              Period.

              Fix the goddammed bug.

              There are only three things that matter to me:

              1) When did this get introduced (so we have some idea of how long we have been vulnerable)

              2) When was it reported

              3) When was the fix released.

              Sometimes the Linux community needs to 'take its medicine', just like those who worship at the altar of Redmond.

              1. MadMike

                Linux devs hide security issues

                http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

                "...The fix to the Linux kernel was published last month. Its documentation did not mention that the code patched a critical vulnerability that could jeopardize the security of organizations running Linux in highly sensitive environments. This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel—and has occasionally been the subject of intense criticism from some in security circles...."

                "...The Linux kernel developers are notorious for not documenting security fixes. Here's an instance from a couple weeks ago. A security issue was fixed, but it wasn't documented as such, which simply leaves people guessing. Brad Spengler has been very vocal about this issue, and has found many, many patches that were pushed to the mainline that were to fix security vulnerabilities, yet weren't documented as security fixes. He's not the only one, but he has a fairly long track record of actually discovering vulnerabilities in the Linux kernel (as well as the creator of the grsecurity patchset)...."

                1. cyberelf
                  Facepalm

                  Re: Linux devs hide security issues

                  "This lack of security advisories has been standard practice for years among Linus Torvalds and other developers of the Linux kernel"

                  What's stopping them subscribing to the Linux kernel mailing list?

                  https://lkml.org/

          2. Gio Ciampa

            Re: In the Microsoft World

            And the identity of the body funding the study?

          3. Uffe Seerup

            Re: In the Microsoft World

            Got a link?

            http://arstechnica.com/apple/2008/04/report-microsoft-fastest-to-issue-os-patches-sun-slowest/

          4. Anonymous Coward

            Re: In the Microsoft World

            "Got a link?"

            http://www.informationweek.com/controversial-report-finds-windows-more-secure-than-linux/d/d-id/1031061?

            http://www.computerworlduk.com/news/security/3629/microsoft-we-patch-faster-than-apple-novell-and-red-hat/

            1. asdf

              Re: In the Microsoft World

              http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/

              This much more modern link would seem to back up what you are saying until you realize it's coming from Microsoft shill ZDNet and they are going off a dataset of only 2 zero days for either OS. The more interesting paragraph is this one.

              "The Trustwave report says the number of critical vulnerabilities, as determined by the Common Vulnerability Scoring System (CVSS) assessment of factors like potential impact and exploitability, identified in the Linux kernel was lower than in Windows last year, with nine in Linux compared to 34 in Windows. The overall seriousness of vulnerabilities was also lower in Linux than Windows, with Linux having an average CVSS score of 7.68 for its vulnerabilities, compared to 8.41 for Microsoft."

      4. h4rm0ny

        Re: In the Microsoft World

        >>"The patch would be ready today, but you cannot have it until Tuesday."

        if($bugPlatform == 'Windows') {
            echo($WindowsCriticism);
        } else {
            echo($WindowsCriticism);
        }

        The bug also wouldn't be detailed as a rule because (with the exception of very large customers), Windows is closed source, meaning the world wouldn't know the details. Open Source's chief advantage is that it lets you verify when you don't trust the vendor and it lets you fork the code if you're not happy with them / they abandon it.

        With bugs, Open Source is a mixed bag. Some people seem to think it is a magical panacea.

        Patch Tuesday is done because it helps enterprise customers manage updates, btw.

      5. king of foo

        Re: In the Microsoft World

        OK,

        C

        U

        Next

        Tuesday

        1. Anonymous Coward
          Thumb Down

          Re: In the Microsoft World

          "OK,

          C

          U

          Next

          Tuesday"

          How boringly crass of you.

      6. Wensleydale Cheese
        Happy

        Re: In the Microsoft World

        "The patch would be ready today, but you cannot have it until Tuesday."

        Which at this time of the month is nearly four weeks away.

    2. Anonymous Coward

      Re: Definition of "local"

      Linux bug? Wow, I didn't anticipate the Linux fans saying, "Cue the Windows fans gloating" (can dish it out but not take it, huh?) or pulling the old "ButbutbutWindows ..." straw man the minute I saw the headline. Oh - yes I did. And you guys never fail to live down to expectations :)

      1. Jim 59

        Re: Definition of "local"

        FYI there is no such thing as a "local" user in the Unix/Linux world; the Reg is just using this layman's term for the benefit of those more familiar with other systems, e.g. Windows. And *ix came from the server end, so "sitting in front of the system" was never really a thing.

        Okay, there is a faint definition - "local" can mean a user listed in the local /etc/passwd file, as opposed to LDAP or similar.

        1. John Deeb

          Re: Definition of "local"

          There's no real fixed definition, Jim59. Someone can also speak about "local" in terms of "local access" to the hardware under the OS itself, which has been fairly common with (shared) workstations for decades and, since the last decade, even more so with all the Unix derivatives and improvements around. Local access which, by the way, would change the whole security context right there and then. Perhaps a better term in this article would be "users able to start up a local shell process". This is not that much different from starting some sshd or httpd subprocess or thread by accessing some port, although shells are more powerful processes with more possibilities than most other user services. By design, of course. Perhaps on a large shared hosting provider one might have some different security concerns and expectations than on private platforms. For that reason the impact factor of this bug doesn't seem that high, but still important enough to think about though. Briefly.

    3. Tom 38
      FAIL

      Re: Definition of "local"

      It would appear that "local" doesn't just include someone sitting in front of the screen, but rather anyone who can gain shell access remotely, if this C code is anything to go by.

      A local user is someone who has unprivileged access to run code on a computer. A remote user is someone who has access to provide inputs to a program running on that computer.

      This isn't new.

      1. h4rm0ny

        Re: Definition of "local"

        >>"A local user is someone who has unprivileged access to run code on a computer. A remote user is someone who has access to provide inputs to a program running on that computer."

        I think they were just clearing up that "local user" didn't mean that the person had to be sitting at the machine - they could still be half-way around the world. Obviously most people with Linux experience will understand what local user means in this context, but some will still think that if a bug allows a local user to do something, it meant you had to have access to the machine. You don't.

    4. Tim Starling

      Re: Definition of "local"

      Nice to know you can patch it within the hour. By the way, the fix was committed to the public kernel source 12 days ago, and Ubuntu had the fix 10 days ago.

      http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4291086b1f081b869c6d79e5b7441633dc3ace00

      The CVE number was allocated last December, and that timing roughly corresponds with a public discussion about potential race conditions in the relevant code:

      http://article.gmane.org/gmane.linux.kernel/1610783

      1. cyberelf

        Re: Definition of "local"

        "The CVE number was allocated last December, and that timing roughly corresponds with a public discussion about potential race conditions in the relevant code:"

        How has this been around since 2009?

        'Pseudo-terminal buffer bug from 2009 discovered', theregister

        "I discovered that kernel 3.12 has broken terminal handling"

        http://article.gmane.org/gmane.linux.kernel/1610783

    5. Stevie

      Re: that's what you get for using free software

      That's what you get for not using a Clearpath mainframe with OS2200 installed.

      If you want a proper job doing you need to use a proper computer.

      Tsk!

  2. Valeyard

    This wouldn't have happened...

    ...if you'd been using the Sinclair Spectrum

    1. Dodel

      Re: This wouldn't have happened...

      No it crashed when you inserted the joystick adapter instead..

      1. itzman

        Re: This wouldn't have happened...

        No it crashed when you inserted the joystick adapter instead..

        You got as far as that?

    2. Anonymous Coward
      FAIL

      Re: This wouldn't have happened...

      Pah, we know Speccys are rubbish and that the BBC Micro B is a proper home computer....

      (Yes I was a speccy owner, but I have to provide the same load of juvenile bollocks still spouted today, just to keep us on track).

  3. Jamie Jones Silver badge

    Don't forget the design

    It's not simply about bugs - All humans make mistakes after all.

    The point is that the way unix (and unix like) systems are designed means that bugs are generally more contained, and therefore typically less destructive.

    Windows 'all or nothing' design means that a whole system can be rooted by a malformed PDF, JPG or MP3 etc.

    Another attack vector is done by low level access to GPU I/O. Unfortunately, Unix isn't totally immune to bugs here, as X needs to run with root privs (and even if access was simply granted to the I/O, it would still often be enough to root a system).

    However, on servers, you simply don't run a GUI. Try doing *that* with Windows!

    An extension to that is that I run my servers with everything that is unused stripped from the kernel. I'll never need to use the USB ports, raid controllers, and there is no bluetooth or wi-fi etc.

    So, all that code is stripped out, as is any backwards-compatibility code for previous versions of the OS where I don't require that either.

    Can you do that on Windows? Other than maybe remove a few .SYS files, you are basically stuck.

    1. Anonymous Coward

      Re: Don't forget the design

      "on servers, you simply don't run a GUI. Try doing *that* with Windows!"

      Since Windows 2008 you can run a server without the GUI. It looks like your Windows knowledge dates back to 1995.

      "I run my servers with everything that is unused stripped ... raid controllers..."

      Strange kind of server, with no fault tolerance. Is that the one you're running in your bedroom?

      "Can you do that on Windows?"

      Sure. You just have to learn how to do that. BTW: drivers are kernel modules in Windows. It looks like you have no clue about how Windows is designed and works.

      1. Tim Bates

        Re: Don't forget the design

        "Since Windows 2008 you can run a server without the GUI. It looks your Windows knowledge dates back to 1995."

        I'm not a Windows Server person, but doesn't that option simply provide you with a graphically windowed command prompt instead of using Explorer? It's not running Windows without a GUI. It's running a terminal as the shell for the GUI. Totally different thing.

        Happy to be corrected, but the screenshots of Server Core I saw look like a GUI (albeit a lame one) to me.


        2. Anonymous Coward

          Re: Don't forget the design

          "doesn't that option simply provide you with a graphically windowed command prompt instead of using Explorer"

          It provides you with a text-only command prompt terminal window on a blue background. No GUI whatsoever.

      2. Jamie Jones Silver badge
        FAIL

        Re: Don't forget the design

        "Since Windows 2008 you can run a server without the GUI. It looks like your Windows knowledge dates back to 1995."

        Oh, they've finally caught up!

        Ok, my mistake, and you are right. I fortunately haven't had to deal with Windows servers since before 2008, so I take that one back if it's true, though I bet it's more of a 'reduced GUI' than true non-GUI.

        The GUI was far too entwined when I last used Windows.

        "I run my servers with everything that is unused stripped ... raid controllers..."

        "Strange kind of server, with no fault tolerance. Is that the one you're running in your bedroom?"

        A veiled insult! Nice one!

        But no, not at all. Well, actually, yes, to the servers in my house, but I'm referring to the proper commercial servers.

        I'd love for you to explain how keeping code for various different raid controllers that I don't use helps with fault tolerance. I *did* say *unused* stuff, didn't I?

        "Can you do that on Windows?"

        "Sure. You just have to learn how to do that. BTW: drivers are kernel modules in Windows. It looks like you have no clue about how Windows is designed and works."

        Well, I did mention .SYS files briefly, but yer, I screwed up there too.

        Thanks for the reply. This post's icon is directed at me.

    2. Peter2 Silver badge

      Re: Don't forget the design

      > "However, on servers, you simply don't run a GUI. Try doing *that* with Windows!"

      Ok. Server manager -> Remove roles or features -> features -> User interfaces and infrastructure -> Server graphical shell <untick> reboot.

      No more GUI.

      At the end of the day, any non trivial software product will contain bugs, regardless of if it's open or closed source.

      1. Anonymous Coward

        Re: Don't forget the design

        "Ok. Server manager -> Remove roles or features -> features -> User interfaces and infrastructure -> Server graphical shell <untick> reboot."

        Except that no GUI is the default for Windows Server, so normally you wouldn't have to remove it anyway.

      2. Anonymous Coward

        Re: Don't forget the design

        > "However, on servers, you simply don't run a GUI. Try doing *that* with Windows!"

        Ok. Server manager -> Remove roles or features -> features -> User interfaces and infrastructure -> Server graphical shell <untick> reboot.

        No more GUI.

        Now turn it back on without your GUI Server Manager tool ;)

      3. Joe Montana

        Re: Don't forget the design

        Even if you remove the "GUI", you're just removing the frontend management programs; the actual graphics stack is all still there and used to display a command prompt in a movable, resizable window. You're not truly running without a GUI, you're just running with a crippled one. It would be like running X11 on Linux with a basic window manager and then only using it to run xterm.

    3. h4rm0ny

      Re: Don't forget the design

      >>"The point is that the way unix (and unix like) systems are designed means that bugs are generally more contained, and therefore typically less destructive.

      Windows 'all or nothing' design means that a whole system can be rooted by a malformed PDF, JPG or MP3 etc."

      Everyone else has pointed out to you that you can run Windows without a GUI since 2008, so I'll cover the error about thinking GNU/Linux is more secure by design. Like your ignorance about GUIs on Windows, it appears your knowledge here also dates from pre-Vista.

      Windows vs. UNIX permissions

      Windows ACLs are substantially more powerful than standard GNU/Linux permissions. They're also more capable than the ACLs that you can install on GNU/Linux but which no-one does. If your immediate reaction is to disagree, please read the link above to a previous discussion.

      >>"An extension to that is that I run my servers with everything that is unused stripped from the kernel. I'll never need to use the USB ports, raid controllers, and there is no bluetooth or wi-fi etc."

      Yeah, I used to do the same on my home computers. Please do not tell me you are running a professional service on custom-hacked-around installs and are outside the distro's official packages and updates. What if you leave and your replacement hooks up a SCSI drive or sticks in a USB device and you've removed the modules? What if some kernel update comes down and you don't have the time to start recompiling everything (or do you compile on another machine and copy over binaries?) This cannot be a production machine - please! If I found one of my sysadmins had been manually fiddling around with the kernel of one of our CentOS boxes, I would roast them alive.

      >>"Can you do that on Windows? Other than maybe remove a few .SYS files, you are basically stuck."

      Well, you can uninstall any drivers you don't need if you really want to. It's not going to save you any memory or processor load because they're dynamically loaded as needed, just the same as kernel modules on Linux. In neither case are they going to be a security vulnerability if they're not being executed, so if you're doing this for security reasons on GNU/Linux, then not only do you not understand how Windows works, you don't fully understand how Linux works, either. A security vulnerability in a SCSI module is not going to be an issue if that module is never loaded. And your server isn't going to load that without a reason. The only gain of removing it is reducing the size of your kernel by about forty bytes (basically you're removing an if clause that contains a call to load a module that will never be triggered).

      1. Anonymous Coward

        Re: Don't forget the design

        "Windows ACLs are substantially more powerful than standard GNU/Linux permissions."

        You forgot to mention constrained delegation too. In Windows I can give an account ONLY the rights it needs to do something above a standard user. UNIX / Linux has the really insecure kludge of having to run SUDO - a tool which MUST execute as UID 0 / root to do a similar thing. So you always have to run SUDO code as root first to then drop down to a lower level - very bad design.
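The post above describes the sudo model: a helper starts with an effective UID of 0 and then drops to a lower privilege level. As an added example (not code from the thread or from the sudo project), the following C program shows the privilege-drop sequence such a helper has to get right, and how to verify afterwards that root cannot be regained. It assumes a Linux/glibc system; the demonstration target is the invoking user's own real UID/GID so that the program also runs unprivileged.

```c
/* Added example, not from the thread: the permanent privilege drop a
 * setuid-root helper performs before doing work on behalf of a user.
 * Order matters: supplementary groups first, then the GID, then the UID,
 * because once the UID is no longer 0 the other two can no longer be set.
 * Assumes Linux/glibc. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to target_uid/target_gid.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    /* Only a privileged process may rewrite the supplementary group list;
     * an already-unprivileged process keeps the groups it has. */
    if (geteuid() == 0 && setgroups(1, &target_gid) != 0)
        return -1;

    /* GID before UID: after setuid() to a non-root UID, setgid() to a
     * group the process is not a member of would fail. When the caller is
     * privileged, setgid()/setuid() set real, effective and saved IDs at
     * once, so no saved-set-user-ID is left behind to escalate through. */
    if (setgid(target_gid) != 0)
        return -1;
    if (setuid(target_uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the process is irrevocably running as target_uid/target_gid:
 * real and effective IDs match and, for a non-root target, an attempt to
 * become root again is refused with EPERM. The refusal is the important
 * check: setuid(0) would succeed if any of the real, effective or saved
 * UIDs were still 0. */
int privileges_are_dropped(uid_t target_uid, gid_t target_gid)
{
    if (getuid() != target_uid || geteuid() != target_uid)
        return 0;
    if (getgid() != target_gid || getegid() != target_gid)
        return 0;
    if (target_uid != 0) {
        errno = 0;
        if (setuid(0) == 0 || errno != EPERM)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Demonstration target: the caller's own real IDs. A real helper would
     * use the IDs of the account it is switching to. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%u gid=%u, irrevocably dropped=%d\n",
           (unsigned)uid, (unsigned)gid, privileges_are_dropped(uid, gid));
    return 0;
}
```

The point the example makes for a defender is the one the post hints at: a setuid program carries its full privilege until the drop completes, so the drop has to be unconditional, performed in the correct order, and checked (the `setuid(0)` refusal) rather than assumed.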

      2. Joe Montana

        Re: Don't forget the design

        The problem is that a complex permissions system means that many people don't know how to use it, and most of those that do can't be bothered to do so.

        For most use cases the standard unix permissions are not only more than adequate, they are also easy to understand and easy to manage. There's a reason that very few people enable the more advanced ACLs.

      3. Jamie Jones Silver badge
        Happy

        Re: Don't forget the design

        >>"The point is that the way unix (and unix like) systems are designed means that bugs are generally more contained, and therefore typically less destructive.

        Windows 'all or nothing' design means that a whole system can be rooted by a malformed PDF, JPG or MP3 etc."

        >>"Everyone else has pointed out to you that you can run Windows without a GUI since 2008, so I'll cover the error about thinking GNU/Linux is more secure by design. Like your ignorance about GUIs on Windows, it appears your knowledge here also dates from pre-Vista."

        Yes, I admit I didn't know that, but as has been pointed out already, that option produces a reduced interface, it doesn't remove the whole GUI system. Also, how do you do remote administration in that environment? Do you still have to remote desktop/vnc etc. ?

        >>"Windows vs. UNIX permissions

        Windows ACLs are substantially more powerful than standard GNU/Linux permissions. They're also more capable than the ACLs that you can install on GNU/Linux but which no-one does. If your immediate reaction is to disagree, please read the link above to a previous discussion."

        Firstly, coming from a VMS background, I agree that standard Unix permissions are not all that powerful. But do you want to compare that to Win 3.1? Just as relevant.

        Secondly, I don't use Linux. I haven't used Linux in over 15 years (apart from the Android tablets), but saying their ACLs are too complicated is as stupid as people saying that all Windows users do everything as Administrator, because the alternative is too complicated.

        Thirdly, the article was about bugs in things that already run with full privileges, so banging on about ACLs and file permissions is only vaguely related to the discussion in hand.

        But, whatever, the ACLs and capabilities sandbox, along with process 'jailing', on the systems I use are more than adequate.

        >>"An extension to that is that I run my servers with everything that is unused stripped from the kernel. I'll never need to use the USB ports, raid controllers, and there is no bluetooth or wi-fi etc."

        >>"Yeah, I used to do the same on my home computers. Please do not tell me you are running a professional service on custom-hacked-around installs and are outside the distro's official packages and updates. What if you leave and your replacement hooks up a SCSI drive or sticks in a USB device and you've removed the modules? What if some kernel update comes down and you don't have the time to start recompiling everything (or do you compile on another machine and copy over binaries?) This cannot be a production machine - please! If I found one of my sysadmins had been manually fiddling around with the kernel of one of our CentOS boxes, I would roast them alive."

        I'm pleased you know your limits. Too many people go out of their depth in these matters, and cause more problems.

        Of course I run all the production servers on tuned kernels - all competent people do. Attempting to demonise it by calling it 'custom-hacked' is either an attempt to make it look a bad thing, or you really aren't all that knowledgeable on kernel design.

        Having only a few hundred thousand users a day, these machines are obviously far less used than Facebook/Google etc., but do you really think they run their systems on generic kernels? Or do you think only these big companies employ people capable of kernel tuning?

        As I say, I'm glad you know your limits, and whilst I currently have no responsibility for hiring/firing, I'd be less than pleased if one of my staff had similar shortcomings.

        I know not everyone has the time or organisational luxury to do it, but yes, most of the time I compile from source. There are no binary installed blobs here. And whilst I don't do full compiles on production boxes, it is quite possible to do it at nice +20 without any significant performance impact on live services.

        As for new hardware etc., as you've already mentioned yourself (but conveniently seem to forget)...... KERNEL MODULES.

        <troll>Typical Microsoft attitude - overcome efficiency shortcomings by throwing more CPU/RAM at the problem</troll>

        >>"Can you do that on Windows? Other than maybe remove a few .SYS files, you are basically stuck."

        >>"Well, you can uninstall any drivers you don't need if you really want to. It's not going to save you any memory or processor load because they're dynamically loaded as needed, just the same as kernel modules on Linux. In neither case are they going to be a security vulnerability if they're not being executed, so if you're doing this for security reasons on GNU/Linux, then not only do you not understand how Windows works, you don't fully understand how Linux works, either. A security vulnerability in a SCSI module is not going to be an issue if that module is never loaded. And your server isn't going to load that without a reason. The only gain of removing it is reducing the size of your kernel by about forty bytes (basically you're removing an if clause that contains a call to load a module that will never be triggered)."

        Again, I apologise about Windows kernel modules. I really thought that there was still a hell of a lot that had to remain within the kernel directly, but if you're saying otherwise, I'm not in a position to argue.

        And again, not a Linux user. However, the systems I use tend to have a lot of stuff contained within the main kernel at default - it's more efficient that way, and less of a security risk if kernel module loading is disabled, or restricted to console control etc.

        There is also no point having something as a kernel module if it always needs to be loaded. You can strip your core kernel of stuff you'll never use, and add stuff you will always use.

        Still, this is all largely tangential to the original point that Windows machines have been rooted by malicious media files. This wouldn't happen on any sane system.

        Do current Windows versions still have Explorer embedded in the kernel?

        I was largely intentionally trolling in my original post (I can't always help it when it comes to Windows/Linux/Apple - they are all easily flammable targets), but it seems my ignorance of Windows systems was my downfall. Still, thanks for replying with so many fallacies and inaccuracies that I don't now feel quite as much of a moron.

        Have a nice day!

        1. h4rm0ny

          Re: Don't forget the design

          Let's deal with this first: "I was largely intentionally trolling in my original post".

          That is not helpful and is actually destructive. Especially when you admit you don't even know the facts.

          >>"Yes, I admit I didn't know that, but as has been pointed out already, that option produces a reduced interface, it doesn't remove the whole GUI system"

          You were wrong on this. Several people pointed it out. One person claimed otherwise. You self-admittedly haven't any direct knowledge but you chose to believe the one person who agreed with you. That is called confirmation bias. They were wrong as well - they wrote that the entire graphics stack is still there. What you see if you plug a monitor into a Server Core instance is a terminal window; there's not a menu, there's not a single GUI tool, it's a terminal window. I have motherboards with a BIOS from fifteen years ago with more of a GUI than that.

          The other poster (who, though they didn't know what they were talking about and were a single dissenting voice, you chose to believe over the rest of us), claimed that the entire graphics stack was still present. You could have easily checked this if you cared about actually being right, as opposed to defending your position. A very basic Server 2008 install running as Server Core will use about 180MB of memory footprint as opposed to 310MB for a version with the GUI configured with the exact same roles. Does that sound like it's doing nothing other than just not displaying a few menu options? It doesn't require all the same updates (only needing a subset as the GUI ones aren't needed). A base install of Server Core takes 1.6GB vs. 7.6GB for the GUI'd version - again, configured with exactly the same roles. Again, does that sound like it's nothing other than just turning off some GUI tools? It also runs fewer services so there's a smaller attack surface for malicious software / attacks.

          So when a bunch of people with experience / expertise tell you something and one anonymous coward makes an unsupported statement otherwise, don't seize on their post, turn round to everyone else and effectively say "ha! I wasn't wrong after all". Because your reason for choosing to believe that poster over everyone else is transparent. Better, spend two minutes looking up some facts.

          >>"Also, how do you do remote administration in that environment? Do you still have to remote desktop/vnc etc. ?"

          I use the above questions to suggest that you really shouldn't be arguing about what Windows can and cannot do as you clearly have very little knowledge about this area. I'm happy to answer your questions, however.

          If you think about it for a moment, btw. you'll realize that it cannot be VNC as VNC is simply a way of relaying the normal GUI / desktop to a remote machine and transmitting mouse / keyboard movements to it. Without a GUI in the first place, this could not be the way it works!

          Typically you would use Server Manager, which is a remote server management tool for Windows Server and supersedes Remote Desktop. It doesn't work by giving you a remote desktop view, but instead provides tools for managing services / running scripts / configuring the remote machine. Well, multiple remote machines, actually. You'll have a sysadmin there running Server Manager, and they'll flick between different remote machines.

          Here: http://technet.microsoft.com/en-us/library/cc732131%28v=WS.10%29.aspx

          Note, command line / Powershell is a fundamental part of Windows Server. There's no part of the OS that isn't exposed to Powershell / configurable by it. So a lot of the time, if you have the knowledge or some available scripts, you can just use a command line to manage it.

          >>"Firstly, coming from a VMS background, I agree that standard Unix permissions are not all that powerful. But do you want to compare that to win3.1? Just as relevant."

          No I don't, because it's not just as relevant. You wrote about "the way unix (and unix like) systems are designed" and compared it to "Windows all or nothing design". I've pointed out that Windows isn't all or nothing and I compared it to UNIX permissions because that's what you compared it to.

          Also, I never said that UNIX permissions are not powerful. They are. I only wrote that Windows was not an "all or nothing" system and that you appear to have no knowledge of this on Windows since before Vista.

          >>"I haven't used Linux in over 15 years (apart from the Android tablets), but saying their ACL's are too complicated is as stupid as people saying that all Windows users do everything as Administrator, because the alternative is too complicated."

          Nowhere did I say that ACLs on GNU/Linux are too complicated. Nor do I agree that they are. Whatever you're trying to argue against, it's nothing that I said. Indeed, very few people even actually use the ACLs on GNU/Linux. They stick with the traditional UNIX permissions system which are not access control lists.

          Thirdly, the article was about bugs in things that already run with full privileges, so banging on about ACLs and file permissions is only vaguely related to the discussion in hand.

          Again, you yourself brought this up. I just pointed out that you were wrong. Don't blame me for correcting you, or try to say something isn't relevant after you yourself were the one that raised it, just because you no longer find it supports your case.

          >>"I'm pleased you know your limits...Of course I run all the production servers on tuned kernels"

          Then I'm sorry to see that you don't know yours. You custom compile kernels on your machines introducing the possibility of hard to diagnose bugs, making it extremely difficult for someone to step into your role when needed and probably rendering any enterprise support agreements you have null and void. You say you haven't used GNU/Linux for 15 years so perhaps on the VMS world, things are different. But we're talking about Linux here so perhaps, like on Windows, you shouldn't pronounce authoritatively on this subject.

          >>"all competent people do"

          Way to insult all the skilled GNU/Linux sysadmins out there who don't custom compile the kernel on their production machines (and I work with a number of such people, btw).

          1. h4rm0ny

            Re: Don't forget the design

            (contd.)

            >>"And again, not a Linux user. However, the systems I use tend to have a lot of stuff contained within the main kernel at default - it's more efficient that way, and less of a security risk if kernel module loading is disabled, or restricted to console control etc."

            Then as with Windows, you should stop pronouncing on things in the GNU/Linux world (which, as you helpfully pointed out in trying to dismiss my earlier point, is what this story is about). On GNU/Linux, you have dynamic module loading by default and it would be pointless to compile everything in as part of the kernel. It gains you nothing. As I said earlier, removing a module you're not going to need saves you perhaps 40 bytes of compiled kernel size and has no measurable performance impact. I mean that quite literally. You could not measure it. Disagree? Then I invite you to try. I used to experiment with this in my Gentoo days. I got more benefit out of tweaking the compile flags than I did actually dropping support. At least the former could, just barely, be measured.

            >>"I know not every one has the time organisational luxury to do it, but yes, most of the time I compile from source."

            Again, it gains you next to nothing and if an important security update comes down whilst you're not there or busy or if you leave the company or if you lose track of what updates you need to apply, hard luck on your employers (and users)! As I say, you clearly have no experience of professional GNU/Linux administration.

            >>"<troll>Typical Microsoft attitude - overcome efficiency shortcomings by throwing more CPU/RAM at the problem</troll>"

            What?

            >>"I really though that there was still a hell of a lot that to remain within the kernel directly, but if you're saying otherwise, I'm not in a position to argue."

            In other words, you don't have evidence that what people with actual experience of this are telling you is false, but you won't accept that, you'll just concede that you can't prove otherwise. You can, btw. It's called going and having a look for yourself. Either fire up a Windows install or do a bit of searching online. It's pretty easy.

            >>"There is also no point having something as a kernel module if it always needs to be loaded. "

            Irrelevant, it doesn't prove the inverse. You were claiming there's an advantage to removing the modules that you don't need. Unless you desperately need those forty bytes of kernel size or an extra few KB of disk space, there isn't. Your original claim was that it reduces potential vulnerabilities. I pointed out that if a module isn't loaded, then this doesn't matter. You're now attempting to find reasons why you shouldn't remove a module, but it doesn't take away the fact that doing so confers no advantage. And the reasons not to have already been given - support and maintenance problems from a hacked-around kernel. That's being unprofessional and thinking that you're technically smart.

            >>"Still, this is all largely tangential to the original point that windows machines have been rooted by malicious media files. This wouldn't happen on any sane system."

            All systems have flaws. You were arguing that Windows was more vulnerable to one because it has an "all or nothing" permissions system. And that's been shown to be wrong.

            >>"Do current windows versions still have explorer embedded in the kernel?"

            No. I'm not sure they ever did. Or else you have the weirdest definition of kernel ever.

            >>"but it seems my ignorance of Windows systems was my downfall."

            There's nothing inherently wrong with ignorance. What is wrong is making confident assertions about something when you know you don't have experience on it. (For example, arguing with a GNU/Linux developer about Linux when you admit you haven't used it for fifteen years).

            >>"Still, thanks for replying with so many fallacies and inaccuracies that I don't now feel quite as much of a moron."

            What in my post was a fallacy or inaccuracy? I don't think you're a moron but I think you have been speaking about things you don't know much about and you're attempting to justify yourself on being called out on them.

            >>"Have a nice day!"

            Somehow, I don't think you're a very sincere person.

  4. Anonymous Coward
    Anonymous Coward

    Proof-of-concept bug ..

    Doesn't seem to work here ..

    $./a.out

    [+] Resolving symbols

    [+] Resolved commit_creds: (nil)

    [+] Resolved prepare_kernel_cred: (nil)

  5. Sceptic Tank Silver badge
    FAIL

    It's been around for faulty years .....

    I forget now: why is there still no safe buffer management in a language that has been around since 1972? It's not like we're programming for machines that have 512 bytes of "core" and it costs $2.99 per CPU cycle anymore.

    Trust the programmer ... pah!
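    The complaint above is that C hands the programmer a raw array and trusts them to stop at the end of it. The usual defensive answer is to never touch the array directly: keep the capacity and fill level together with the storage and route every write through one bounded function that refuses input that does not fit. The block below is an added example written for this thread, not code from the article or from any of the posters; the struct and function names (bounded_buf, bounded_append, bounded_demo) and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical fixed-capacity text buffer (not from the thread).
 * The storage, its capacity and the fill level travel together, and
 * every write goes through bounded_append(), which rejects input that
 * would not fit alongside the terminating NUL instead of running off
 * the end of the array. */
#define BUF_CAP 16

struct bounded_buf {
    char data[BUF_CAP];
    size_t len;   /* bytes in use, not counting the terminating NUL */
};

void bounded_init(struct bounded_buf *b) {
    b->len = 0;
    b->data[0] = '\0';
}

/* Bytes still available for payload (the NUL slot is reserved). */
size_t bounded_remaining(const struct bounded_buf *b) {
    return BUF_CAP - 1 - b->len;
}

/* Returns true on success. Returns false and leaves the buffer
 * untouched if src plus the NUL terminator would exceed BUF_CAP. */
bool bounded_append(struct bounded_buf *b, const char *src) {
    size_t n = strlen(src);
    /* Compare against the remaining space rather than computing
     * len + n, so an oversized n cannot wrap the addition. */
    if (n > bounded_remaining(b))
        return false;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return true;
}

/* Worked scenario with constructed inputs: two appends that fit,
 * then one that would overflow. Returns the number of appends that
 * succeeded, which is 2 for these inputs. */
int bounded_demo(void) {
    struct bounded_buf b;
    bounded_init(&b);
    int ok = 0;
    ok += bounded_append(&b, "tty:");          /* 4 bytes, 11 left   */
    ok += bounded_append(&b, "pts/0");         /* 5 bytes, 6 left    */
    ok += bounded_append(&b, "-overflow-xx");  /* 12 > 6, rejected   */
    return ok;
}
```

    The rejected write is the point: the caller gets a false return it has to handle, rather than a silently truncated string or 6 bytes of somebody else's memory overwritten. The same discipline applies to kernel code; the tty bug in the article is a case where the size bookkeeping and the write were not kept together.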

  6. fskmh
    Coat

    On perusing the ChangeLog for 3.14.4 (released the day before this article was written) it seems this issue was fixed. In any event the featured 0day is not working here on 3.13.9 or 3.14.2. Not having a go at the writer of the article but I am sticking my finger in the eye of that anon twat with so much time on his hands. BTW, that Internet Explorer Memory Corruption Vulnerability (CVE-2014-1776) seems to be quite popular with China's APT1. ;-p

  7. Anonymous Coward
    Anonymous Coward

    Many eyes make all bugs shallow

    But so what?

  8. asdf
    Trollface

    long live Theo

    If you really care about security you aren't running linux or windows. You are running OpenBSD. Unless of course you need performance, hardware support, software compatibility, or even a modern functional desktop.
