Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Submission + - Exploit for Linux Kernel 2.6.30+ Published (theregister.co.uk)

Lorien_the_first_one writes: "The Register reports that "A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews."

The article points out that several areas of the kernel, in particular, the function "setuid", are involved in this new exploit. "The exploit code was released Friday by Brad Spengler of grsecurity, a developer of applications that enhance the security of the open-source OS. While it targets Linux versions that have yet to be adopted by most vendors, the bug has captured the attention of security researchers, who say it exposes overlooked weaknesses."

What I find interesting about the article is that although it focuses on newer versions of the kernel, near the end of the article, they offer the following food for thought: "Setuid is well-known as a chronic security hole," Rob Graham, CEO of Errata Security wrote in an email. "Torvalds is right, it's not a kernel issue, but it is a design 'flaw' that is inherited from Unix. There is no easy solution to the problem, though, so it's going to be with us for many years to come."

A chronic security hole? In Linux?"

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Exploit for Linux Kernel 2.6.30+ Published

Comments Filter:

Optimization hinders evolution.