Linux vendors urgently patch a security flaw

OPEN SOURCE Linux distributors are quickly patching a security flaw recently found in the Linux kernel.

A local attacker can gain root access to the system via a privilege escalation vulnerability. The security hole involves the kernel failing to restrict access to the "/proc/<pid>/mem" file, according to Techworld, and the security advisory is CVE-2012-0056.

The flaw effects Linux versions 2.6.39 and higher. Linux creator Linus Torvalds posted a patch for the issue on 17 January, but before vendors could apply it to their distributions some proof of concept exploit code made its way onto the internet.

Leading distributors Ubuntu and Red Hat have already released patches to fix the flaw but others are yet to do so.

A detailed exploit for the fault is called 'mempodipper' by security researcher Jason Donenfeld. Jay Freeman, creator of the Cydia app store for jailbroken Ipads and Iphones then used it to create a local root exploit for Android 4.0 Ice Cream Sandwich (ICS), which he has called 'mempodroid'.

Freeman said, "While Android itself is open, many of the devices that use it are not, and the Transformer Prime has a locked bootloader, making exploits such as this required to install custom software."

Android 4.0 ICS is on only a couple of devices that actually can be purchased in the shops but 'mempodroid' could be used to root future and upgradable devices using Google's operating system. µ