Linux users under threat

Arif Mohammed
A newly discovered security hole in Linux, published on an open source website, has raised questions about how Linux security issues should be handled.

The vulnerability could allow malicious users to bring down Linux machines with just 24 lines of code, which are available from several open source websites and internet news groups.

The lines of C code, dubbed "evil.c", can crash several versions of the Linux kernel, including 2.4.2 and 2.6 variations, locking whole systems, said a bulletin by Øyvind Sæther of linuxreviews.org, one of the websites that has published the code.

The availability of the source code will focus attention on how open source security should be co-ordinated, according to Graham Taylor, principal analyst at Ovum.

"At the moment there is no central point of co-ordination for Linux security, which could lead to anarchic support," he said.

Linux distributor SuSE released a kernel patch on 16 June to fix the problem. The Linux distributor downplayed the significance of the exploit, giving it a "low risk" rating, since it said a hacker would need access to the Linux machine in order to run an attack.

The malicious user would require shell access, or other means of uploading and running the program, for example cgi-bin or FTP access. Such access is readily available to users of hosted Linux services, such as those provided by internet service providers.

Mike Davis, senior research analyst at Butler Group, said users would generally configure their Linux systems in a way that should limit damage.

He said, "Most professional organisations would not allow FTP access outside their organisations, so it is down to the internal threat."

Davis commented that threats like this were helping to put Linux on a par with Microsoft in the enterprise.

"One could take this as an indicator that Linux is getting more popular - it is attacked because it is getting bigger," he said.
