May 18th, 2005

Is the Linux process insecure?

Posted by Dana Blankenhorn @ 10:46 am

Categories: General, Legal, Linux, Security

[Graph: Window of Exposure]

Time for me to play devil's advocate again.

The Schneier Wave graph to the right may be the most famous diagram in computer security. It’s named for Bruce Schneier of Counterpane, a leading computer security expert.

As Schneier explained back in 2001, exposure to a security bug is highest between the moment the problem is publicly revealed and the moment a patch is made available. After that the risk goes down, but never to zero, because there are always some systems that never get patched.

A few months after publishing the graph he expounded on this, suggesting that while it's generally best to disclose a vulnerability as soon as it's found, it might be better if vendors were notified first and given a fixed deadline to fix each problem, so as to minimize the time between the public announcement of a bug and the delivery of a fix.
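As an added illustration, not part of the original post, here is a toy model of the window of exposure that compares the two policies just described: disclose immediately, or notify the vendor first with a fixed deadline. The relative risk level assigned to each phase, the event dates in the three scenarios, and the `Timeline`, `exposure` and `public_window` names are all assumptions made for this example, not figures from Schneier or from the post.

```python
"""Toy model of the "window of exposure" (added example, not from the post).

Risk is modelled as a piecewise-constant curve driven by events measured in
days after discovery. Every risk level below is an illustrative assumption
chosen to make the policy comparison concrete, not a measured value.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed relative risk per phase (arbitrary units).
RISK = {
    "private":   1.0,  # known only to the finder (and perhaps the vendor)
    "disclosed": 4.0,  # publicly known, no public exploit, no patch
    "exploit":   8.0,  # public exploit circulating, no patch
    "patch_out": 3.0,  # patch available, many systems still unpatched
    "residual":  0.5,  # the long tail of systems that never patch
}


@dataclass(frozen=True)
class Timeline:
    """Day (after discovery) on which each event happens."""
    disclosed: int            # public announcement
    patch: int                # patch released
    mostly_patched: int       # most systems have applied it
    exploit: Optional[int]    # public exploit appears (None = never)
    horizon: int = 365        # days integrated over


def phase(day: int, tl: Timeline) -> str:
    """Name of the phase the system is in on a given day (later events win)."""
    if day >= tl.mostly_patched:
        return "residual"
    if day >= tl.patch:
        return "patch_out"
    if tl.exploit is not None and day >= tl.exploit:
        return "exploit"
    if day >= tl.disclosed:
        return "disclosed"
    return "private"


def exposure(tl: Timeline) -> float:
    """Area under the risk curve over the horizon: total exposure."""
    return sum(RISK[phase(d, tl)] for d in range(tl.horizon))


def public_window(tl: Timeline) -> int:
    """Days between public disclosure and patch availability, the gap the
    post wants minimised. Zero when the patch ships with the announcement."""
    return max(0, tl.patch - tl.disclosed)


# Three assumed scenarios for the same bug (dates are constructed, not real).
FULL_DISCLOSURE = Timeline(disclosed=0, patch=30, mostly_patched=90, exploit=3)
COORDINATED = Timeline(disclosed=30, patch=30, mostly_patched=90, exploit=33)
MISSED_DEADLINE = Timeline(disclosed=30, patch=60, mostly_patched=120, exploit=33)

SCENARIOS = {
    "full disclosure": FULL_DISCLOSURE,
    "coordinated, 30-day": COORDINATED,
    "deadline missed": MISSED_DEADLINE,
}


def compare() -> dict:
    """(total exposure, public window in days) for each scenario."""
    return {name: (exposure(tl), public_window(tl)) for name, tl in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (total, window) in compare().items():
        print(f"{name:22s} exposure={total:7.1f}  public window={window:3d} days")
```

Under these assumptions the coordinated case has the lowest total exposure and a public window of zero, but only because the vendor delivers on the deadline; the missed-deadline case pays for the private month and then pays the full public window anyway. The number to vary is the "private" risk level: the post's argument that the bug is already being hunted by everyone is exactly a claim that this phase is not as quiet as the model assumes.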

Well, due to the nature of Linux this can't happen. We're all responsible for finding vulnerabilities and for fixing them. Thus we must have open communication. Virtually any limit on who can see something, or any delay in letting everyone see something, can mean a delay in implementing a fix.

So yesterday I come across this. It’s a Linux 2.6 security bug, reported on the French Security Information Response Team Web site. I did not get this because I’m clever. It was part of my regular RSS feed. I use this example mainly because it’s a local bug. The announcement notes it can’t be exploited remotely.

It lets local users gain elevated privileges, or even mount a local denial-of-service attack. Pretty nasty. But if I could use this bug to attack a computer in France from here, that is, if it were remotely exploitable, the risk would be much greater, and I wouldn't be providing the links in the above paragraph, never mind how I got them.

The point is: should access to bug information and exploit code be limited at all, and if so, how would you do it? I don't want the bad guys seeing exploits either, but on the Internet it's impossible for me to know who the bad guys are.

Microsoft has theoretical control of this situation. Open source does not. Leave your answers at TalkBack.

Dana Blankenhorn has been a business journalist for 30 years, a tech freelancer since 1983.

Talkback (24 comments; most recent shown in full first)
chmod u+x
Just what he said. Any exe or bat file can be executed by anyone. However, you really don't understand Linux permissions, do you, if you "think" they are just like Windows?

Ev... (Read the rest)
Posted by: GreyGeek, 05/20/05
well...  bthomasmo@... | 05/18/05
When is a bug "revealed"?  Michael Kelly | 05/18/05
Agreed 100%  __howard__ | 05/18/05
The difference is...  Shadus | 05/18/05
and for better or worse...  bthomasmo@... | 05/18/05
No!- the devil is in the details or rather the Penguin!  whieber | 05/18/05
You Linux noobs...  toadlife | 05/18/05
Here's two answers why Microsoft has no security.  Xunil_Sierutuf | 05/18/05
Fish on!!  toadlife | 05/18/05
FreeBSD not M$ Windows is your desktop of choice?  IT-sys | 05/18/05
Puting words in my mouth  toadlife | 05/19/05
#2 is flawed  rpmyers1 | 05/18/05
chmod u+x foo.txt doesn't equal default insecurity  whieber | 05/18/05
And running as a standard user on windows gives the same immunity  rpmyers1 | 05/18/05
lol  toadlife | 05/18/05
chmod u+x  GreyGeek | 05/20/05
Thats your point?!  whieber | 05/18/05
I take it you've had a windows box owned?  toadlife | 05/18/05
Hassles now thats a selling point!  whieber | 05/18/05
You have just demonstrated the power of the community  Xunil_Sierutuf | 05/18/05
There is a security process, you just don't see it  shemminger | 05/18/05
we deserve full immediate disclosure from all parties involved. the rub  wessonjoe | 05/19/05
Enterprise users have a new option.  praetorpal@... | 05/20/05
Insecure?  xstep | 05/20/05
