A security vulnerability in the Linux kernel that could have allowed a hacker to gain control of the operating system on user machines has been patched by the open-source community and Linux suppliers.
The flaw, which was found last month by Paul Starzetz, a researcher with non-profit group iSEC Security Research in Poland, was in Linux kernel memory management code. It could have allowed an attacker to get into the system as a local user and then gain root, or administrator, privileges on the target system.
Starzetz said the bug affects all kernels from the 2.4 series to 2.4.24, all 2.2 kernels to 2.2.25 and the 2.6 kernel series including 2.6.2. The only kernels that are not vulnerable are 2.4.25 and 2.6.3.
Patches are being worked on for the 2.2 series kernel,. All the odd kernel releases including 2.3 and 2.5 are also vulnerable, but it is unlikely many people use them because they are development kernels, not release models.
On a scale of 0 to 10, with 0 being no bug at all, the vulnerability would be scored 10. "We decided to delay the release of the exploit code until the next week [so that people who care about their machines have enough time to update them]," said Starzetz.
The problem can only be corrected by upgrading a vulnerable machine to the latest kernel version.
Mark Cox, security response team leader at Red Hat, said iSEC researchers quickly notified Linux team leaders and suppliers of the problem after they discovered it, giving the open-source community time to create patches and get them posted for users.
"These are issues found by goods guys, reported responsibly and dealt with in the right way," Cox said. "It's just kind of a textbook example of how these things should work out."
Cox added that no reports of any attack using the vulnerability have been received.
Red Hat and SuSE Linux have posted patches for the problem.
Todd R Weiss writes for Computerworld