Free Republic

OS makers slow to fix flaw, researcher says
Cnet | May 27, 2005 | Renai LeMay

Posted on 05/27/2005 10:47:10 PM PDT by Panerai

Operating system vendors were given two months' notice before a security flaw was made public, but some have yet to resolve the issue, a security researcher has claimed.

Colin Percival detailed the vulnerability--which affects versions of Intel's CPU that use a technology called hyperthreading--at a conference on May 13.

The vulnerability could allow a local hacker to steal sensitive information, such as passwords, held on servers configured to allow multiple users to log in simultaneously.

FreeBSD security team member Percival has received formal responses to the issue from the makers of the BSD family of open-source operating systems, as well as SCO and Ubuntu Linux. However, Linux vendors Red Hat, Novell and Mandriva have been slow to act, as has Microsoft, he said.

"Given that I reported this problem in early March, I really think that they should have had a patch over a month ago--in time to test it extensively before releasing it on May 13," Percival said.

"I made it quite clear to everyone that I would be releasing my paper on that date and that they should make sure they were ready by then," he added.

A representative from Red Hat said its security team rated the issue as having "a moderate security impact," and that it was working with the creators of the OpenSSL toolkit--which is used to exploit the vulnerability--on a fix.

(Excerpt) Read more at news.com.com ...


TOPICS: Technical
KEYWORDS: linux; microsoft

1 posted on 05/27/2005 10:47:12 PM PDT by Panerai

To: Panerai
"Colin Percival detailed the vulnerability--which affects versions of Intel's CPU that use a technology called hyperthreading--at a conference on May 13."

So there is as yet no published fix for this vulnerability? I just bought a new computer with "hyperthreading" 2 days ago.

2 posted on 05/27/2005 10:58:45 PM PDT by de Buillion (Thank God for Ann Coulter, and PARIS HILTON!)

To: Panerai

Macs don't have hyperthreading :-)


3 posted on 05/27/2005 11:05:20 PM PDT by Wacka

To: de Buillion

No fix yet. In a home computing setting the impact is minimal. Just my opinion, I could be wrong.


4 posted on 05/27/2005 11:15:23 PM PDT by Texas_Jarhead

To: de Buillion
"So there is as yet no published fix for this vulnerability? I just bought a new computer with 'hyperthreading' 2 days ago."

If you're even asking the question, you're not affected at all. In practice, this vulnerability only affects web servers that are serving SSL pages while permitting non-admins to run arbitrary code on the server. I can't imagine such a circumstance actually happening in the real world, except in a data center so sloppily run that this vulnerability would be the very least of the problems.

5 posted on 05/27/2005 11:20:57 PM PDT by Fabozz

To: Fabozz

Thanks, I sort of felt like it wouldn't affect non-networked users.


6 posted on 05/27/2005 11:35:54 PM PDT by de Buillion (Thank God for Ann Coulter, and PARIS HILTON!)
