SECURITY RESEARCHERS have released details of a significant flaw in Linux that could have left the root directories of millions of phones, computers and servers open to intruders for the past three years.
Users of everything from the biggest server to the smallest Android phone are vulnerable, security experts say, including any device that runs Linux.
Perception Point researchers found that the OS keyring facility, added in Linux kernel 3.8, could be exploited to hide a malicious payload. OS keyring was designed as a way to store legitimate credentials such as encryption keys and authentication tokens. A blog post from the firm shows a proof-of-concept exploit in which a potentially harmful payload is added to the keyring and placed in kernel executable memory.
There is no evidence of the exploit being used in the wild, and Linux kernel administrators have been informed privately.
Some would argue that the whole point of an open source kernel is that these things can be dealt with quietly and discreetly by the community, but sometimes a security firm wants to make it news and sometimes we let them.
In this case, the firm has concluded (spoiler alert): "The vulnerability affects any Linux kernel version 3.8 and higher. SMEP and SMAP will make it difficult to exploit, as well as SELinux on Android devices. Maybe we'll talk about tricks to bypass those mitigations in upcoming blogs, anyway the most important thing for now is to patch it as soon as you can."
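The two facts a defender can act on in that statement are the affected version range (3.8 and higher) and the hardware mitigations named (SMEP and SMAP). The following POSIX shell script is an added example, not code from the article or from Perception Point: it checks whether a kernel version string falls in the affected range and whether a `/proc/cpuinfo` flags line advertises SMEP and SMAP. The sample kernel version and flags line are constructed for illustration; the fixed kernel version is not stated on the page, so the script reports "in the affected range", not "unpatched".

```shell
#!/bin/sh
# Added example: triage helper for CVE-2016-0728 exposure.
# Inputs are a kernel version string (as from `uname -r`) and a single
# "flags" line from /proc/cpuinfo. Sample values below are constructed.

# kernel_in_affected_range VERSION -> exit 0 if VERSION is 3.8 or higher
kernel_in_affected_range() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-27-generic" etc.
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    [ -z "$major" ] && return 1
    [ -z "$minor" ] && minor=0
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 8 ] && return 0
    return 1
}

# cpu_has_flag FLAGS_LINE FLAG -> exit 0 if FLAG appears as a whole token
cpu_has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# mitigation_status FLAGS_LINE -> prints "smep+smap", "smep", "smap" or "none"
mitigation_status() {
    has_smep=0; has_smap=0
    cpu_has_flag "$1" smep && has_smep=1
    cpu_has_flag "$1" smap && has_smap=1
    if [ "$has_smep" -eq 1 ] && [ "$has_smap" -eq 1 ]; then
        printf 'smep+smap\n'
    elif [ "$has_smep" -eq 1 ]; then
        printf 'smep\n'
    elif [ "$has_smap" -eq 1 ]; then
        printf 'smap\n'
    else
        printf 'none\n'
    fi
}

# assess VERSION FLAGS_LINE -> prints a one-line verdict.
# Exit 0 means "in affected range AND no SMEP/SMAP", i.e. patch first.
assess() {
    if ! kernel_in_affected_range "$1"; then
        printf 'kernel %s: below 3.8, outside the range the researchers name\n' "$1"
        return 1
    fi
    status=$(mitigation_status "$2")
    if [ "$status" = "none" ]; then
        printf 'kernel %s: in affected range, no SMEP/SMAP - patch now\n' "$1"
        return 0
    fi
    printf 'kernel %s: in affected range, hardware mitigation %s - still patch\n' "$1" "$status"
    return 1
}

# Constructed sample inputs (not taken from any real machine).
SAMPLE_KERNEL="4.2.0-27-generic"
SAMPLE_FLAGS="flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm smep smap"

# Run against the samples; on a live host replace the arguments with
#   "$(uname -r)" "$(grep -m1 '^flags' /proc/cpuinfo)"
assess "$SAMPLE_KERNEL" "$SAMPLE_FLAGS" || true
```

The version comparison is deliberately numeric on major and minor only, so vendor suffixes such as `-generic` or `.el7` do not confuse it; a distribution backport that fixes the bug without bumping the version will still show as "in affected range", which is why the script never claims a host is patched.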
Red Hat, one of the biggest players in enterprise Linux, has been instrumental in resourcing a fix for the bug, which has been assigned the identifier CVE-2016-0728, and it's thought that the major Linux distributions are likely to have a patch in place as soon as you read this, or within hours afterwards. That really is the might of open source at work.
It was revealed earlier this week that Ubuntu Linux has been awarded a major contract with AT&T, outflanking Microsoft and IBM.
The UK government, meanwhile, is looking at ways to move to a more open source environment and recently announced that it will start working towards the use of LibreOffice rather than licensing Microsoft's Office suite. µ