Posted on 01/20/2016 6:32:48 PM PST by Swordmaker
The flaw is said to affect "tens of millions" of Linux PCs and servers, and most modern devices running the latest Android KitKat 4.4 software and later.
A new, previously undiscovered flaw that allows an attacker to escalate local user privileges to the highest "root" level is said to hit "tens of millions" of Linux PCs and servers.
Because some of the code is shared, the zero-day flaw also affects more than two-thirds of all Android devices.
Israeli security firm Perception Point disclosed the flaw in a blog post Tuesday, but it wasn't immediately clear if the bug had been privately reported to Google, which develops the Android software.
Perception Point said in an email that it has released a proof-of-concept exploit following collaboration with a number of Linux distribution teams.
The flaw, said to date back to 2012, affects Linux kernel versions 3.8 and higher, which extends to devices running Android KitKat 4.4 and higher. The vulnerability is in the keyring facility, baked into the core of the Linux software. If exploited, an attacker would be able to execute code on the Linux kernel, and extract cached security data, which can include in some cases encryption and authentication keys.
The Israeli security firm said it had no evidence to suggest the flaw had been exploited in the wild.
A patch is expected to be released on January 19 for most Linux machines.
Red Hat has already patched its systems, according to a security advisory, with other distributions expected to follow up in the coming day.
It is not known if Google was aware of the bug before Perception Point published its findings. The Android maker will likely fix the bug as part of its scheduled monthly security updates in February.
A Google spokesperson did not comment.
Obviously you have never worked in software development.
I develop daily. It’s complicated tying a lot of functionality together in a single entity. Exploiting one of these exploits hard! The code and who wrote it is all tracked. Most of these exploits are good intentioned code...with a blindspot.
The Linux kernel, as an example, has almost 20,000,000 lines of code and 14,000 authors, most of them volunteers. A lot of room there for exploits. Especially if the back door code or purposely flawed code is developed elsewhere (govt think tank) and designed to be stealthy. Wake up people.
Also, Tor, the so called underground internet, was funded, designed and developed by the U.S. government.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.