Just Linux?
Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all? Couldn't you just send spoofed packets anyway without any of the initial setup?
A flaw in the Linux kernel lets hackers inject malware into downloads and webpages, smash Tor connections, launch denial-of-service attacks, and more. This is a troubling security headache because Linux is used widely across the internet, from web servers to Android smartphones, tablets and smart TVs. The TCP/IP networking …
Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?
Yes!
In effect, this isn't a new attack, it's just a way of disabling the mitigation for a very old attack - which as far as I can tell is a CVE from 2004. While I can see that a determined and well informed attacker could use the old attack against some types of traffic, in the general case I can't see it being that much use. You need to know that two IP addresses are communicating, and what ports they are using, and the sequence numbers they are using - AND exactly when they are doing it. Armed with all that knowledge, you can then inject packets - but if the traffic being passed is in any way checked (either explicitly or as a side effect of encryption such as SSL) then there's not much you can do other than terminate the connection.
So I think you can forget about attacks such as "changing the contents of an email or web page" simply because the requirements in terms of knowing exactly who is talking to whom, using what ports, and when, are such as to make it impractical without the sort of access to information that would in reality make other ways of doing the same thing far more useful!
SSH sessions? Tend to be quite long lived - but all you could do is terminate the session.
Torrent downloads? Don't the clients checksum all the pieces anyway?
"Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?"
Sadly, not. The problem is that since the total number of challenges is rate limited, an attacker can deduce the number of challenges sent on attempts to spoof valid connections. So instead of having to guess port number tuples, the attacked system will now tell you.
In order to make blind guessing less effective, we will now let you know when you are getting close. Sadly, a small flaw in an attempt at hardening has made things worse.
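The rate-limited challenge-ACK counter described in the reply above is a global sysctl on the affected kernels. The audit helper below is an added example, not code from this thread or from any of its commenters; it assumes the kernel exposes `net.ipv4.tcp_challenge_ack_limit` (kernels 3.6 through 4.6 did, with a default of 100; patched kernels randomize the limit), and the verdict thresholds are the author's own assumptions, not values stated in the thread.

```shell
#!/bin/sh
# Added audit helper: classifies the kernel's global challenge-ACK rate limit,
# the shared counter whose predictable value is the side channel discussed
# in the thread. Assumed sysctl path and default (kernels 3.6 - 4.6):
SYSCTL_PATH=/proc/sys/net/ipv4/tcp_challenge_ack_limit
DEFAULT_LIMIT=100            # shipped default on the affected kernels
HARDENED_LIMIT=1000000       # assumed cutoff: counter can no longer be exhausted

# classify_limit VALUE
#   prints a one-line verdict; returns 0 when the value is considered
#   hardened, 1 when it leaves the counter countable or is not a number.
classify_limit() {
    v="$1"
    case "$v" in
        ''|*[!0-9]*) echo "unknown: '$v' is not a numeric limit"; return 1 ;;
    esac
    if [ "$v" -le "$DEFAULT_LIMIT" ]; then
        echo "exposed: limit $v is the countable default-sized budget"
        return 1
    elif [ "$v" -lt "$HARDENED_LIMIT" ]; then
        echo "raised: limit $v still leaves a finite, observable budget"
        return 1
    fi
    echo "hardened: limit $v is effectively unreachable in one interval"
    return 0
}

# audit_host
#   reads the live sysctl if present; a missing file means the kernel
#   predates the limit or already replaced it with a randomized one.
audit_host() {
    if [ ! -r "$SYSCTL_PATH" ]; then
        echo "sysctl absent: no global challenge-ACK limit exposed"
        return 0
    fi
    classify_limit "$(cat "$SYSCTL_PATH")"
}
```

Run `audit_host` on a host to get the verdict; raising the limit only reduces exposure, and the kernel fix (a randomized limit) is the durable remedy.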
"I think you need to be able to stop one side sending out ACK checks so you can anticipate the packet sequence numbers reliably."
"Aren't the other operating systems effectively even weaker against this because they haven't implemented RFC5961 at all?"
Something I'm not completely clear about after reading a few of these:
Does it only take one Linux computer (in the session) to push this exploit, or do both sides of the communication have to be Linux?