User Journal

Journal: I am NOT anonymous

Journal by Mathinker

http://yro.slashdot.org/comments.pl?sid=2319574&cid=36745572

% echo -n "I am Mathinker, my salt is UAeqTvlu" | md5sum
efb98ed34ba58ecd29b07b1909d21da3 -


Journal: 2008: Linux privilege escalation bugs

Journal by Mathinker

Just want to store this research somewhere where I can link to it easily. (Original post).

If one analyzes the 10 Linux privilege escalation bugs reported for 2008 at Secunia, one finds:

Of those, 5 were in proprietary software packages for Linux: Acrobat Reader, MaxDB, Avaya, SSH Tectia Client, and Red Hat Enterprise Linux. Not interesting for ordinary desktop users.

Of the other 5, 1 was in KDE, so that wouldn't affect 100% of Linux users; let's be generous (the most popular free distros use Gnome) and say that's 50% of users.

Of the other 4, 1 seems to work on general Linux systems (sys_remap_file_pages() bug).

Of the other 3, 1 requires the USBLCD driver to be used or only gives group privilege escalation, 1 requires Intel G33 series or newer chipset, and 1 requires that the kernel is running as a VMI guest on an x86 system. How many boxes does that cover? Not many, except perhaps for the Intel chipsets --- let's say another 50% (because I have no idea what market share Intel has).

So that's something like 2, maybe 2.5 bugs in all of 2008. Is that "many"? Matter of opinion.

So, in summary, between 10% and 25% of the reported bugs were really mainstream.
