- Google Earth used to predict electrical problems
- Kaminsky: Many ways to attack with DNS
- Tools to evade China's Web censorship
- Procter & Gamble's Cisco TelePresence experience
- Adobe warns of fake Flash installers
News | Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
A serious vulnerability in the Linux 2.4 kernel that allows users on a Linux machine to gain unlimited access privileges has been discovered, according to a security advisory posted by developers of the noncommercial Debian Linux distribution.
The bug affects versions of the Linux kernel prior to 2.4.23, and was the method used during a recent attack on Debian's servers, according to the advisory. In that attack four Linux servers that hosted Debian's bug tracking system, mailing lists and various Web pages were compromised.
The vulnerability can only be exploited by someone who has already been given a user account on the Linux machine, and does not affect users of every Linux system, said Linux creator Linus Torvalds in an e-mail interview. "It's a local-only compromise that you can't trigger from the outside," he said. "To most people, it would thus become serious only after you had some account hacked into - the bug then allows elevation of privileges."
The bug does not only affect Debian users, however. Any Linux user running a version of the kernel prior to 2.4.23 should contact their distribution provider to see whether a patch for the exploit has been made available, Torvalds said.
The problem was discovered by Linux kernel developer Andrew Morton in September, and was fixed in the 2.4.23 version of the kernel, but Linux distributors had been working to coordinate a release of a fix for the problem, said Dave Wreski, chief executive officer with Guardian Digital, the vendor of a secure Linux distribution.
"What all the hoopla is about is that Debian somehow let this patch that's been available for a month or two slip and got bitten by it," Wreski said.
As of Monday, patches that corrected the kernel bug had been issued for a number of Linux distributions, including Red Hat, Debian and Mandrake Linux.
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comment