Security Software Linux

Critical Security Hole in Linux Wi-Fi

thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."

  • patched already (Score:4, Insightful)

    by yagu ( 721525 ) * <{yayagu} {at} {gmail.com}> on Sunday April 15, 2007 @11:36AM (#18741577) Journal

    So here is a Linux driver problem, a patch is available, though not widely dispersed. The news here is that even in a largely neglected (though it shouldn't be) slice of the Open Source technology, specifically the deadly difficult wi-fi landscape, bugs are found and fixed right away (at least that's the gist of part of the article).

    I'm more afraid of the neglected patches MSFT deems behind closed doors as not important enough to reveal to the public. How many zero-day exploits is MSFT discussing behind those closed doors right now, and what are they deciding about the fate of security to my machines?

    I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.

    (It doesn't seem to fix the other problem... I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore... If I want wireless linux on a laptop, I'm doing via Vmware's bridge. It shouldn't be like this.)

  • In other news.. (Score:2, Insightful)

    by Ckwop ( 707653 ) * on Sunday April 15, 2007 @11:46AM (#18741643) Homepage

    ... take a look at Microsoft's patches this month. [bbc.co.uk]

    It doesn't matter which operating system you use - they all contain buffer overflows. In a way, the consumer is to blame for this. BSD has been whiling with little to no market-share despite the fact it's free. Nobody, it seems, wants software that's secure out of the box and stays secure.

    People want features and features are the enemy of security. So the status-quo continues even though we've known how to fix these issues for forty years.

    Simon

  • Mod parent down (Score:1, Insightful)

    by Anonymous Coward on Sunday April 15, 2007 @11:52AM (#18741697)
    It is pathetic how anything negative found against linux is turned into a flamefest against Microsoft. Vulnerabilities like this just show that the more usage an application has the more holes will be found.

    The parent should be modded flamebait, Microsoft has nothing to do with this discussion and bringing it up with the intention of only criticizing it is obvious flamebait.
  • by Vellmont ( 569020 ) on Sunday April 15, 2007 @12:07PM (#18741797) Homepage
    It's interesting that people start talking about Microsoft right away in reaction to this hole, as if the only thing that matters here is how this flaw relates to Microsoft.

    What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.


    I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.

    Great.. I guess I'd rather have the Linux World where there aren't any serious problems to begin with. The larger picture here is that computer security kinda sucks, not that Microsoft is better/worse at it than Linux is.

    I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore

    Huh. I've had very good luck recently with Ubuntu. The built in wifi in my laptop worked out of the box with Ubuntu, and two other cards I own worked as well.

    It hasn't always been like this of course. A couple years ago WiFi support was extremely lacking.
  • This bug is in the "madwifi" atheros driver, which is:

    1. dependent on a closed-source kernel module
    2. not in the upstream kernel
    3. not included by default in most distributions (e.g. Fedora/RHEL, SuSE, Debian).
    It *is* in Ubuntu, but has been fixed in Edgy [ubuntu.com] since February 1.

    So here's what the headline should have been:

    Closed-Source Drivers Harder To Maintain, Less Secure

  • Fixed! (Score:5, Insightful)

    by tjwhaynes ( 114792 ) on Sunday April 15, 2007 @12:33PM (#18742011)

    My concern is that you are right - "so have most people that actually pay attention to security posts." The strong benefit of Linux vis-a-vis MSFT (and it's not price) is that as an open system you have a nearly unlimited pool of the best computer code writing minds constantly updating and improving upon one another's kernel code around the world. But, if when errors are uncovered and corrections made, patches are only known to that pool of people then mass users will be exposed to significant security risk. The average Joe running Linux will suffer and that hurts the entire community in both reputation and user adoption rates.

    You are overlooking the way that most Joe Linux users get their updates - automatically. When security flaws are found and patches are delivered, you can guarantee that the people who package that software at Redhat, Ubuntu, Debian and other major distributions are aware of the update. Those security patches will be tested and rolled out into the main update repositories, probably within 24 hours to all the mirrors worldwide. The automatic update daemon on Joe User's modern Linux distro will be downloading the update within the next 24 hours or sooner. From security patch being announced to patched home computer in 48 hours in the worst-case scenario.

    One of the nicest things about the distro's automatic updates is that this applies to ALL packages in the distro. I don't need to worry about Apache needing its own updater. So no - the average Joe running Linux does not suffer - he gets informed about the update or even has it applied without manual intervention depending on the settings. Joe benefits and so does the community who recognise that fixing security flaws promptly is key.

    Cheers,
    Toby Haynes

  • by FooBarWidget ( 556006 ) on Sunday April 15, 2007 @12:46PM (#18742109)
    I think the fact that computer security sucks implies that one of these is true:
    1. It just isn't possible to make software ultra-secure and free of vulnerabilities. I.e. you cannot expect *any* piece to be 100% secure, ever.
    2. It is possible, but the cost of making software ultra-secure is so high that it's not worth it. Customers would rather pay a lower price for a slightly less secure system than a much larger price for a 100% secure system.
  • Re:Patched! (Score:0, Insightful)

    by Anonymous Coward on Sunday April 15, 2007 @01:00PM (#18742223)
    Your signature is a fucking disgrace. Mother Theresa was a monster. Instead of setting up real hospitals with real facilities, she just set up massive death houses. She thought that people's suffering in their final hours would bring them closer to God.

    Change your sig, for the love of Christ.
  • by Arkaic ( 784460 ) on Sunday April 15, 2007 @01:01PM (#18742233)
    Of course, it would have been too much trouble for PC World to mention exactly which version of the madwifi driver was susceptible to this particular flaw. So much better to let people dig through changelogs which might address any number of past vulnerabilities.

    I patch and update regularly, so I just wasted some time double checking on a flaw that had been fixed on my system a long time ago.
  • Re:Mod parent down (Score:4, Insightful)

    by j35ter ( 895427 ) on Sunday April 15, 2007 @01:04PM (#18742265)
    Sorry chap, people start bashing on linux (and its users) as soon as any kind of vulnerability is found.
    In this case, the vulnerability is in a 3rd party driver and not in the kernel itself. Nevertheless the not-so-techie reader just reads "Linux vulnerability".

    Btw. Don't forget that the public is used to hearing about Windows vulnerabilities, they don't notice them anymore.
  • Re:patched already (Score:4, Insightful)

    by delire ( 809063 ) on Sunday April 15, 2007 @01:17PM (#18742387)
    Wireless support on Linux is great if you simply do a little research and don't pick a card that doesn't work. [leenooks.com] You can't take a Linux unfriendly wireless adapter to water and make it drink, so don't waste your time.

    Wireless works out-of-the-box (or soon after) - with a recent distribution of Linux - on most laptops these days.

  • by eli pabst ( 948845 ) on Sunday April 15, 2007 @01:46PM (#18742585)
    Mac, Linux, Solaris, etc. have had many more security advisories than MS Windows has had to endure
    I'm not sure where you are getting that idea, but according to secunia, Microsoft and Redhat have had exactly 3 vulnerabilities this month, with Microsoft vulns being more critical. Sure there was the Solaris telnetd vuln that made headlines, but I think it's just your perception. Plus I also think you're failing to take into account the ANI cursor overflow at the end of March which was a big deal.

    Sure, exploits exist, but you have to DO something.
    That's not true. Look at the ANI bug, it was actively being exploited in the wild on web pages that injected the overflow using the iframe tag. All you had to do was visit a website, no clicking required.

    How many "users" running Linux are even going to know about this vulnerability, let alone patch it.
    Again this seems like a case of selective memory to me. Remember the Intel wireless vulnerability that came out just before the Maynor-Apple announcement? Well if you have an Intel wireless chipset on your windows PC, you have to manually install a new driver from Intel, there is no Microsoft patch and it will *not* appear in windows update even if you have auto-updates turned on. So I fail to see how that's any different. In fact a number of Linux distros actually do have updates available for this Madwifi vuln.
  • by jimicus ( 737525 ) on Sunday April 15, 2007 @01:51PM (#18742641)
    I suspect the latter is the case - but that suspicion is based mainly on computer science theory (which amongst other things holds that it's quite possible to mathematically verify that a function will behave as expected under all circumstances).

    In the real world, there are just too many variables, both in software and hardware - OSs and hardware are much more complicated than they were 20 years ago - for that to be practical unless you're prepared to sacrifice a lot of functionality (ie. use a platform that's 20 years old in design terms). And as soon as you have to exchange data with some other organisation, your data is subject to their vulnerabilities.

    For a real-world example of what can be done to make software reliable (security and reliability arguably being two sides of the same coin), see NASA's development process. They're well known for using hardware that's antiquated by modern standards, and they spend ages on designing and testing their software to death - but the sheer cost attached must be astronomical (pun fully intended).
  • by IamTheRealMike ( 537420 ) on Sunday April 15, 2007 @02:28PM (#18742937)

    3. C/C++ make it really easy to screw up.

  • Re:Mod parent down (Score:1, Insightful)

    by ticklish2day ( 575989 ) on Sunday April 15, 2007 @02:37PM (#18742979)
    Good point. However, most Windows vulnerabilities affect Office or IIS or libraries that are not part of the Windows kernel. Still talked about as Windows vulnerabilities. Sounds like there are two yardsticks. A Linux vulnerability is anything that affects only the kernel. A Windows vulnerability is anything that affects anything that runs on Windows.
  • Re:patched already (Score:5, Insightful)

    by el americano ( 799629 ) on Sunday April 15, 2007 @02:52PM (#18743113) Homepage
    Patched quickly, yes, but if the patched driver was released Dec. 7, 2006 then the news that "a flaw was found", is even older than that. On top of that I didn't see mention of an exploit, so the article is a little sensational, but for some reason wireless seems to do that to journalists.

  • Re:In other news.. (Score:4, Insightful)

    by alphamugwump ( 918799 ) on Sunday April 15, 2007 @03:53PM (#18743531)
    I see this "X language is magically secure" stuff all the time. No, it isn't. The fact that your language is higher-level does not make it more secure. Look at PHP. It's horrible, far worse than C.

    Or perhaps you prefer Java, and think that running your code in a VM is a silver bullet. Think again. If you want that code to actually do anything, you're going to have to give it access to the outside world. Your web app can still let people do things they shouldn't. Security is not just about buffer overflows and SQL injection; it's about anything that could let someone get access they shouldn't have. Which can happen from plain old bad logic.

    Admittedly, it is easy to make mistakes with C. But C is pretty much the only thing to write a kernel in. In a device driver, you have to mess around with real memory, and real IO, and that sort of thing. More importantly, C is old enough so that its common security mistakes are already known. You'd have a much harder time with some random language.

    Basically, a "secure" language is not one that prevents you from doing things you shouldn't. What you want is a language that makes it easier to write secure code than to write insecure code.
  • Re:In other news.. (Score:4, Insightful)

    by Aoreias ( 721149 ) on Sunday April 15, 2007 @04:20PM (#18743745)

    Actually, this kind of crap goes away when you stop using NULL terminated strings and put in size checks.

    It's a much more complex problem than simply using 'safe' functions. People don't always put the correct size into the size field, and there are entire classes of exploits, e.g. format string vulnerabilities [wikipedia.org], that don't use the traditional buffer overflow mechanism at all.

    I've heard that the BSD folks have a saying that a bug is just an attack nobody has the intelligence to turn into an exploit yet. I take it you've never written code that crashes?
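
The two failure modes named in the comment above (a wrong value in the size field, and input used as a format string), as an added example that is not part of the original thread and is not code from madwifi or any other driver. The function names and the field layout (one length byte followed by the payload) are assumptions made for illustration.

```c
/* Added illustration; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Patterns the comment warns about (shown only as comments):
 *   strncpy(dst, src, strlen(src));   bound describes the source, not dst
 *   printf(untrusted);                input used as the format string */

/* Copy a length-prefixed field: buf[0] is the claimed length, payload follows.
 * Returns the length copied, or -1 when the claim disagrees with the bytes
 * actually received or with the destination size (reject, do not truncate). */
int copy_field(char *dst, size_t dst_size,
               const unsigned char *buf, size_t buf_len)
{
    size_t claimed;
    if (dst_size == 0 || buf_len < 1)
        return -1;
    claimed = buf[0];
    if (claimed > buf_len - 1)      /* claims more than was received */
        return -1;
    if (claimed >= dst_size)        /* no room for payload plus NUL */
        return -1;
    memcpy(dst, buf + 1, claimed);
    dst[claimed] = '\0';
    return (int)claimed;
}

/* Untrusted text is passed as data to a constant format string, so any
 * conversion specifiers inside it come out literally. */
int format_label(char *out, size_t out_size, const char *untrusted)
{
    int n = snprintf(out, out_size, "name=%s", untrusted);
    if (n < 0 || (size_t)n >= out_size)   /* error or truncated output */
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample input: length byte 5 then "hello"; then a lying length. */
    const unsigned char ok[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    const unsigned char lie[] = { 200, 'h', 'i' };   /* claims 200, has 2 */
    char dst[8], out[32];

    printf("%d\n", copy_field(dst, sizeof dst, ok, sizeof ok));
    printf("%d\n", copy_field(dst, sizeof dst, lie, sizeof lie));
    printf("%d %s\n", format_label(out, sizeof out, "%x%n"), out);
    return 0;
}
```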

  • Re:Mod parent down (Score:3, Insightful)

    by heinousjay ( 683506 ) on Sunday April 15, 2007 @05:00PM (#18744023) Journal
    It doesn't seem like a campaign to me. From my vantage point (obsessively neutral about tools) it looks like insecurity masquerading as a big community hug and wank session.

    People who are secure in the choices they've made don't need to trumpet them all over the place. In particular, they don't segue any possible (tenuous) link into a rant about the superiority of their choice.
  • Re:Mod parent down (Score:2, Insightful)

    by poopdeville ( 841677 ) on Sunday April 15, 2007 @08:18PM (#18745547)
    You wouldn't have to test for longer than hours or a few days if you had a comprehensive suite of unit tests. This is just a buffer overflow, not a feature addition. QA/acceptance testing should consist of checking that only code relevant to the bug was modified, and that the modification actually addresses the bug.

    I can't blame Microsoft for having to use a longer term testing plan. Many developers have abused the APIs, and Microsoft has shown themselves to be committed to making Windows backwards compatible, to a fault.

    If Linux developers abused the APIs this way, the API maintainers would tell them to get stuffed. Everyone involved knows it, so API abuse isn't much of an issue, and so smarter testing strategies can work.

    In short, Microsoft screwed themselves out of doing things the "right" (expedient) way by holding developers' hands. Of course, holding developers' hands made it a very attractive platform to work with -- the strategy has obviously worked to their financial advantage.
  • FUD Template (Score:2, Insightful)

    by Orochimaru ( 945515 ) on Sunday April 15, 2007 @08:19PM (#18745553)

    I use [linuxdistro] and am a firm believer in open source software, but we just can't pretend that [securityflawfixedmonthsago] isn't a big deal. Your average Joe user isn't able to install a patch and this just proves that Linux is not ready for the desktop.

  • Re:What!? (Score:4, Insightful)

    by smash ( 1351 ) on Sunday April 15, 2007 @10:34PM (#18746439) Homepage Journal
    Wireless works by default on my box with Ubuntu. XP+vista both require a driver download.
