Critical Security Hole in Linux Wi-Fi

thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."

patched already

[yagu]

So here is a Linux driver problem, a patch is available, though not widely dispersed. The news here is that even in a largely neglected (though it shouldn't be) slice of the Open Source technology, specifically the deadly difficult wi-fi landscape, bugs are found and fixed right away (at least that's the gist of part of the article).

I'm more afraid of the neglected patches MSFT deems behind closed doors as not important enough to reveal to the public. How many zero-day exploits is MSFT discussing behind those closed doors right now, and what are they deciding about the fate of security to my machines?

I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.

(It doesn't seem to fix the other problem... I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore... If I want wireless linux on a laptop, I'm doing via Vmware's bridge. It shouldn't be like this.)

Re:

[LinuxGeek]

Wireless support was one of my main requirements when picking my newest laptop. Good support for Atheros cards and as we know, they get patched quickly when flaws are found.

Re:patched already

[el americano]

Patched quickly, yes, but if the patched driver was released Dec. 7, 2006 then the news that "a flaw was found", is even older than that. On top of that I didn't see mention of an exploit, so the article is a little sensational, but for some reason wireless seems to do that to journalists.

Re:

[FauxPasIII]

While I echo your congratulations on a good response to this bug, I should point out that the driver in question is MadWifi; it's mostly closed source.

Re:patched already

[QuietLagoon]

MadWiFi source code can be found here [madwifi.org].

The module in question is found here [madwifi.org]. (slow to load)

Re:patched already

[FauxPasIII]

> MadWiFi source code can be found here.

Or rather, a small open-source Linux compatibility shim around the actual, binary only driver.

Look further into that link you pasted:

http://madwifi.org/browser/trunk/hal/public [madwifi.org]

Those .uu files are binary objects stored as text, and they make up the majority of the driver. This same binary driver is also used by some of the BSDs, with a different open-source shim.

> The module in question is found here. (slow to load)

Ah, so the flaw is in the open source shim part. Fooey. =/

As an aside, and as I suspect you might already know, there is an effort to replace the binary-only part of that driver with Free software, and the Madwifi people have cooperated as much as they're able. They even host the development in their own repository:

http://madwifi.org/browser/branches/madwifi-old-op enhal [madwifi.org]

Cheers!

Re:

[markov_chain]

The HAL is hardly the majority of the driver. The reasons for having the HAL are mostly regulatory, and they are not going away. We should be grateful that most of the Atheros cards don't have firmware, so the extent of the reverse engineering is the host-based HAL blob instead of some totally proprietary microcontroller architecture and RTOS. The bad news is, miniPCI is dying, and the industry is moving to USB modules, which unfortunately all use firmware-driven microcontrollers. Two examples I know ar

Re:

[Bretai]

a small open-source Linux compatibility shim around the actual, binary only driver.

So the binary HAL layer is less than half of my driver and doesn't include frame parsing and generation or rate control, yet you'd like to call it a small compatibility shim? I'd say the driver is mostly open source.

As for the effort to reverse engineer the HAL, I think the chip versions are revised too quickly for that to be widely successful. Seems like a lot of work for little return.

Re:

[FauxPasIII]

> So the binary HAL layer is less than half of my driver


root@Callooh ~ =) # lsmod | grep ^ath
ath_rate_sample 11776 1
ath_pci 87456 0
ath_hal 189584 3 ath_rate_sample,ath_pci
root@Callooh ~ =) #


-shrug- No disrespect. I like, use and recommend to others your driver. It's by far the most complete of the many wireless ethernet drivers I've used with Linux.

Granted, when there's a fully free-software driver that will run my card, even if it isn't as complete, I'll be swit

A Famous Binary Blob

[Erris]

I should point out that the driver in question is MadWifi; it's mostly closed source.

Indeed, we've been here before [wikipedia.org]. Stuff like this makes me feel better about the few inconveniences I've had to put up with to use Debian. It is difficult to find hardware that works, but that's nothing next to getting nailed like a Windoze user.

This is why it's important to distinguish between "Linux" and "Free Software". Sooner or later the message will get through over nonsense like the popularity argument and othe

Re:

[The Bungi]

Except that this particular driver is mostly open source, and the flaw happens to be in that portion, which is probably why Debian patched it so quickly (December). But either distros are not offering downstream updates or people are not patching. Kinda like "Windoze" update. I guess it doesn't really matter what OS you're using if you don't patch.

Interesting also that a flaw in a driver can cause the whole machine to be compromised. IIRC you've said yourself in the past that this is a "Windoze"-only "fea

Freedom matters.

[Erris]

"This is why it's important to distinguish between "Linux" and "Free Software". ... nonsense like the popularity argument and other FUD presented in PC World."

I don't see how this is relevant or even how it makes any sense at all.

That's because you have not gotten your head around the fact that peer review makes for better code.

Re:Freedom matters.

[The Bungi]

That's because you have not gotten your head around the fact that peer review makes for better code.

What part of "the flaw was in the open portion of the driver" did you manage to miss?

There's more to the world than Microsoft.

[Vellmont]

It's interesting that people start talking about Microsoft right away in reaction to this hole, as if the only thing that matters here is how this flaw relates to Microsoft.

What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.


I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.

Great.. I guess I'd rather have the Linux World where there aren't any serious problems to begin with. The larger picture here is that computer security kinda sucks, not that Microsoft is better/worse at it than Linux is.

I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore

Huh. I've had very good luck recently with Ubuntu. The built in wifi in my laptop worked out of the box with Ubuntu, and two other cards I own worked as well.

It hasn't always been like this of course. A couple years ago WiFi support was extremely lacking.

Re:There's more to the world than Microsoft.

[FooBarWidget]

I think the fact that computer security sucks implies that one of these is true:
1. It just isn't possible to make software ultra-secure and free of vulnerabilities. I.e. you cannot expect *any* piece to be 100% secure, ever.
2. It is possible, but the costs of making software ultra-secure is so high that it's not worth it. Customers would rather pay a lower price for a slightly less secure system than a much larger price for a 100% secure system.

Re:

[jimicus]

I suspect the latter is the case - but that suspicion is based mainly on computer science theory (which amongst other things holds that it's quite possible to mathematically verify that a function will behave as expected under all circumstances).

In the real world, there are just too many variables, both in software and hardware - OSs and hardware are much more complicated than they were 20 years ago - for that to be practical unless you're prepared to sacrifice a lot of functionality (ie. use a platform tha

Re:There's more to the world than Microsoft.

[IamTheRealMike]

3. C/C++ make it really easy to screw up.

Re:

[dkf]

3. It is possible. It's not trivial, but it's possible with reasonable effort. But doing so would require overturning ignorance, stupidity and laziness. That is, (most) programmers don't know that there are better alternatives, refuse to listen to those who tell them that they don't have to put up with this sort of thing, and even when they've heard that it might be so, can't be bothered to learn how to avoid these sorts of problems because that would take some actual effort. OK, these attributes are not in

Re:

[51mon]

2. It is possible, but the costs of making software ultra-secure is so high that it's not worth it. Customers would rather pay a lower price for a slightly less secure system than a much larger price for a 100% secure system.

I think it is somewhat more complex.

It is relatively easy to avoid the kind of problem reported. Almost trivially so. But it isn't the way the software industry generally writes kernels or device drivers, so we'd have to start again. Kind of like deciding petrol was a mistake, and we sh

Re:There's more to the world than Microsoft.

[TheRaven64]

The biggest problem with this kind of thing is not the operating system security model, it's the hardware. A device in most consumer machines can issue DMA requests that allow it to read or write arbitrary addresses in physical memory. No matter how isolated the driver is, the device itself can still poke at your memory. This can be addressed by adding an IOMMU, which allows the kernel to assign a virtual address range to the device, and prevents it from accessing random areas of memory. Once you have this, it's possible to isolate drivers more and impose a good security model on them, but without it, anything you do is a bit pointless.

The good news is that the rise of virtualisation means that IOMMUs are going to become a lot more common in the next few years.

Re:There's more to the world than Microsoft.

[Richard W.M. Jones]

What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.

You're right. Unfortunately with the current design of PC hardware it's difficult to provide protection from poorly written drivers. For example, it's very common for drivers to be able to (a) initiate DMA transfers to/from any part of physical memory, and (b) lock the PCI bus by messing with the bus arbitration. You can do things like having an exokernel [wikipedia.org] -- small trusted multiplexers go in the kernel and the larger parts of your drivers sit (untrusted) in userspace, but performance generally sucks. Some hardware (eg. graphics cards) makes it hard even to do this.

Luckily virtualisation is driving better solutions, and they're coming to a PC near you soon (in fact, they've already come to the PCs I'm using daily, but those are test articles). Primarily with virtualisation we want to be able to hand off devices to untrusted guest operating systems. For example give each guest its own physical network card. That won't work too well if guests can stomp on each others memory using DMA transfers. The new hardware actually has hardware support to stop the guests doing bad things.

Look at Intel's VT-d [intel.com] for example.

Rich.

Re:

[fuzz6y]

Great.. I guess I'd rather have the Linux World where there aren't any serious problems to begin with.

and I'd like to be able to drive my car to Jupiter.

MicroKernel security

[goombah99]

Isn't one of the selling points of the MicroKernel (like mac OSX) supposed to be higher driver security since everything is walled apart?

Re:patched already

[delire]

Wireless support on Linux is great if you simply do a little research and don't pick a card that doesn't work. [leenooks.com] You can't take a Linux unfriendly wireless adapter to water and make it drink, so don't waste your time.

Wireless works out-of-the-box (or soon after) - with a recent distribution of Linux - on most laptops these days.

Re:Mod parent down

[j35ter]

Sorry chap, people start bashing on linux (and its users) as soon as any kind of vulnerability is found.
In this case, the vulnerability is in a 3rd party driver and not in the kernel itself. Nevertheless the not-so-techie reader just reads "Linux vulnerability".

Btw. Dont forget that the public is used to hear about Windows vulnerabilities, they dont notice them anymore.

Re:

[j35ter]

True, but in the noise, of corporate sponsored voices, the truth has to be yelled out fiercely in order to be heard

You see, most tech journalists couldn't tell the difference between madwifi or the kernel. To them all of this means that the oh-so-secure linux is not so secure anymore.

So, scream my children and be heard; scream louder perchance to be heard by some serious journalist passing by our OSTG gutter....scream my children! :)

Re:

[heinousjay]

It doesn't seem like a campaign to me. From my vantage point (obsessively neutral about tools) it looks like insecurity masquerading as a big community hug and wank session.

People who are secure in the choices they've made don't need to trumpet them all over the place. In particular, they don't segue any possible (tenuous) link into a rant about the superiority of their choice.

Re:

[poopdeville]

You wouldn't have to test for longer than hours or a few days if you had a comprehensive suite of unit tests. This is just a buffer overflow, not a feature addition. QA/acceptance testing should consist of checking that only code relevant to the bug was modified, and that the modification actually addresses the bug.

I can't blame Microsoft for having to use a longer term testing plan. Many developers have abused the APIs, and Microsoft has shown themselves to be committed to making Windows backwards compa

Patched!

[LinuxGeek]

Already been patched, read TFA. My laptop has been patched for a while already, so have most people that actually pay attention to security posts.

Fixed!

[tjwhaynes]

My concern is that you are right - "so have most people that actually pay attention to security posts." The strong benefit of Linux vis-a-vis MSFT (and its not price) is that as an open system you have an nearly unlimited pool of the best computer code writing minds constantly updating and improving upon one another's kernel code around the world.But, if when errors are uncovered and corrections made, patches are only known to that pool of people then mass users will be exposed to significant security risk. The average Joe running Linux will suffer and that hurts the entire community in both reputation and user adoption rates.

You are overlooking the way that most Joe Linux users get their updates - automatically. When security flaws are found and patches are delivered, you can guarantee that the people who package that software at Redhat, Ubuntu, Debian and other major distributions are aware of the update. Those security patches will be tested and rolled out into the main update repositories, probably within 24 hours to all the mirrors worldwide. The automatic update daemon on Joe User's modern Linux distro will be downloading the update within the next 24 hours or sooner. From security patch being announced to patched home computer in 48 hours in the worst-case scenario.

One of the nicest things about the distro's automatic updates is that this applies to ALL packages in the distro. I don't need to worry about Apache needing it's own updater. So no - the average Joe running Linux does not suffer - he gets informed about the update or even has it applied without manual intervention depending on the settings. Joe benefits and so does the community who recognise that fixing security flaws promptly is key.

Cheers,
Toby Haynes

Re:Fixed! -not!

[quixote9]

Um, "Joe Linux" here, chiming in. I run Fedora, which was pre-installed on oddball hardware. If Fedora has automatic updates like Ubuntu, and if they just work, I sure as hell haven't heard about them. The Fedora repository is about 10% of the way to useful. 15%, when I'm feeling charitable. I'm on Core 3 because I haven't found a distro that can deal with my system, and, since I'm a biology geek not a computer geek, I have no idea what to do or the time to spend finding out.

It gets worse. I don't even know if I'm running a madwifi driver or not. I looked at the running processes, but there's nothing obvious there. I don't know if madwifi is called something else in the process list. I do know I have a Atheros chip.

The point I'm trying to make is more than just displaying ignorance. The point is that it may be hard for those of you who are close to the subject to realize just how opaque it is to those of us who aren't. If you're in the know, share their knowledge. It's kind of frustrating, from my perspective, to hear, "It's all automatic, and if it's not, you're just too hopeless to deal with."

(All that said, you're quite right that when updates are applied automatically and effectively, both the clueless and the clued benefit. That's why I'm getting my next system with Ubuntu on it!)

Re:

[PitaBred]

https://www.scientificlinux.org/ [scientificlinux.org]

Might be worth a look for you at least ;) I've never used it, I just know about it.

Re:Fixed! -not!

[LibertarianWackJob]

Hi "Joe"
You won't be getting any updates for FC3 since the Fedora Project has dropped support for that. If you like the Fedora distribution you can go with FC6 or wait for May 24 when FC7 is due to be released. Otherwise, Ubuntu is a fine distribution.

Try this:

su -

crontab -e

# cron for root
# update system at 4AM daily
0 4 * * * /usr/bin/yum update

Re:

[muszek]

Last time I used Fedora was over 2 years ago. At that time, there was no decent gui font-end to yum. Anyways, all you need to do is to type yum equivalent of apt-get update && apt-get upgrade.

Another important thing is your release being supported. I know the fedora legacy project [fedoralegacy.org] was introduced to support older releases, but they're being shut down now. Last update [fedoralegacy.org] to FC3 was made almost half a year ago.

If you don't want to upgrade your distro often, Ubuntu LTS (long term support) might b

Re:

[IamTheRealMike]

Linux is fucked by this kind of thing because (unless a lot changed in the last 12 months) there are no distros that silently install updates without any user intervention being required. Even distros like Ubuntu will pop up a balloon and require you to type in a password to install the updates. But we already know from experience with Windows that nothing short of a fully automatic system will do. If Linux had the popularity of Windows today, this exploit would still be being used 3 years from now.

Re:

[LinuxGeek]

I shouldn't reply to your trolling comment, but you may be half serious. To get this important security patch, I only had to click a button called Install Updates. Yup, that took me away from important duties for quite some time.

Re:

[nagora]

Mother Theresa was a monster.

Well said. Theresa caused untold suffering and death wherever she went; there have been few more disgusting humans alive in my lifetime.

TWW

Any clue on the extent?

[pcmanjon]

What if you ifdown the wireless interface when not in use, can this prevent an exploit? It seems like it would unload the interface, but the kernel drivers would still be present. Does the kernel still monitor the wireless signals regardless of the ifup status?

I'm lucky my laptop has a switch on the side, when switched OFF wireless networking seems to be disabled. It seems to be a hardware disconnect for the antenna.

Re: Any clue on the extent?

[Dolda2000]

It's pretty much up to the module in question, but most wireless (and wired) NIC driver modules that I've been dealing physically turn off the transceiver hardware when you ifdown the interface. I'm fairly sure (though I wouldn't bet it) that madwifi does that too.

PC World Article?!

[Rufus211]

Thanks for the useless link. Anyone with a link to an actual advisory, LKML post, lwn, etc that might have some actual information in it?

Re:

[ThisNukes4u]

Pretty sure this is the vuln talked about in TFA:http://lwn.net/Vulnerabilities/230286/

madwifi links.

[Erris]

The madwifi howto is here [madwifi.org]. It seems that you can type, "lsmod | grep ath_pci" to find out if you are running the supposedly exploited module. My simple Etch system does not have this or wlanconfig tools by default, though those tools look very nice and I'm sure this little problem will be fixed quickly.

I have to agree with you about the uselessness of the PC World article. Besides not having any useful information, it's filled with FUD about free software wifi and confused "popularity argument" babble. In short it's more of a, "everyone else has these problems too, so Windoze away," pacifier than it is a news article.

Re:

[The Bungi]

supposedly exploited module ... I'm sure this little problem

We've entered the spin zone!

will be fixed quickly

Just like any problem with "Windoze", if you bother to patch.

it's filled with FUD about free software

Of course, all this is "FUD"

so Windoze away

Yes, do the "oooh, look over there M$ Windoze sux!" routine. Better get it polished up though - you better get used to this being more and more prevalent and you'll have to do a lot better than these [slashdot.org]. It shouldn't detract from the quality of Lin

Re:

[Bretai]

you can type, "lsmod | grep ath_pci" to find out if you are running the supposedly exploited module

You can also type "modinfo ath_pci | grep version" to find which version you have.

The patched driver is 0.9.2.1 [madwifi.org] or newer.

List of devices.

[Erris]

For further peace of mind, you can check this list of devices [passys.nl] and "lspci" to see if further action is required.

Non Free and Binary Blobs Strike Again.

[Erris]

Finally, note that free software distributions like Debian, clearly label n binary blobs [wikipedia.org] required by the Madwifi drivers as non free [debian.org] and these are not included by default.

The point that PC World misses is that non free has problems in both the Linux and Windoze world. The magic of GNU/Linux is that it's Free Software [fsf.org]. When you mix in binary blobs, you are once again a helpless user. Others have noticed [wikipedia.org] that Atheros does not release specifications required to build drivers. That's too bad, but they ar

In other news..

[Ckwop]

... take a look at Microsoft's patches this month. [bbc.co.uk]

It doesn't matter which operating system you use - they all contains buffer overflows. In a way, the consumer is to blame for this. BSD has been whiling with little to no market-share despite the fact it's free. Nobody it seems wants software that's secure out of the box and stays secure.

People want features and features are the enemy of security. So the status-quo continues even though we've known how to fix these issues for forty years.

Simon

Re:

[jeevesbond]

People want features and features are the enemy of security.

But isn't an OS without features a brick? I can understand not using the features we don't need, but wireless is sought after and really useful. Moaning about people using it is not going to help, following that argument to its logical conclusion would have us all back working with pen and paper. That's not an idea I relish since my typing is far better than my handwriting. :)

BSD has been whiling with little to no market-share despite the fact

I don't know about the FreeBSD lead...

[BitwizeGHC]

but if he is a total git I bet he's got nothing on Theo de Raadt (OpenBSD projet lead). OpenBSD itself is a tank, however.

Re:

[Glytch]

Perhaps you're thinking of OpenBSD's Theo de Raadt? He's a confirmed git. Smart and dedicated, but definitely lacking interpersonal skills.

Re:

[jeevesbond]

Ah yes, sorry. That's who I was thinking of.

Re:

[Nezer]

In a way, the consumer is to blame for this.

Hmm... And here I am thinking the developers should take the blame for bugs.

Thanks for clearing this up. ;-)

Re:

[Ant P.]

OpenBSD had an remote exploit in the IPv6 stack a few weeks ago, does that make it worthless for security too?

Re:In other news..

[TheRealMindChild]

they all contains buffer overflows

Actually, this kind of crap goes away when you stop using NULL terminated strings and put in size checks.

• Start using a BSTR or std::string or christ, even CString.
• If you're going to use a char * as a string, stop using strcpy/strcat/sprintf/strfindthelawngnome and start using strncpy/strncat/snprintf/strfoundthelawngnome
• If you have to pass a char * as a parameter of some function, also add a parameter that indicates the size of the memory (EX: 'bool IsStringSexy(char *mystring, ULONG mystringlen)')
• Don't rely that a setting read from some arbitrary place (registry, file) is undeniably correct to laying out structures of memory [LOOKING AT YOU IE AND FIREFOX AND WORD AND EVERY OTHER APP THAT CRASHED DUE TO A MALFORMED DOCUMENT]

Re:

[The_Wilschon]

Or how about this: DON'T USE C. Have a small interpreter for a (provably) safe, high-level language, written in C or something else that you can compile to machine code. Keep the interpreter small enough that you can actually check it over quite thoroughly for all kinds of security holes and bugs. Then write everything else in that high-level language.

The cause of an awful lot of security holes is just the simple fact that people write in a language which is much lower level than what they really need.

Re:In other news..

[alphamugwump]

I see this "X language is magically secure" stuff all the time. No, it isn't. The fact that your language is higher-level does not make it more secure. Look at PHP. It's horrible, far worse than C.

Or perhaps you prefer Java, and think that running your code in a VM is a silver bullet. Think again. If you want that code to actually do anything, you're going to have to give it access to the outside world. Your web app can still let people do things they shouldn't. Security is not just about buffer overflows and SQL injection; it's about anything that could let someone get access they shouldn't have. Which can happen from plain old bad logic.

Admittedly, it is easy to make mistakes with C. But C is pretty much the only thing to write a kernel in. In a device driver, you have to mess around with real memory, and real IO, and that sort of thing. More importantly, C is old enough so that its common security mistakes are already known. You'd have a much harder time with some random language.

Basically, a "secure" language is not one that prevents you from doing things you shouldn't. What you want is a language that makes it easier to write secure code than to write insecure code.

Re:In other news..

[Aoreias]

Actually, this kind of crap goes away when you stop using NULL terminated strings and put in size checks.

It's a much more complex problem than simply using 'safe' functions. People don't always put the correct size into the size field, and there are entire classes of exploits, e.g. format string vulnerabilities [wikipedia.org], that don't use the traditional buffer overflow mechanism at all.

I've heard that the BSD folks have a saying that a bug is just an attack nobody has the intelligence to turn into an exploit yet. I take it you've never written code that crashes?

Re:

[DeafByBeheading]

Mod parent up. It's not easy to fix this problem in an idiot-proof way.

No, they don't all have buffer overflows...

[raftpeople]

It doesn't matter which operating system you use - they all contains buffer overflows.

I've worked on at least one system with hardware/firmware/OS protection against buffer overflow and other memory access issues. I'm certain there are others.

Re:

[DeadChobi]

Netcraft confirms it.

Complex Hack

[dekkerdreyer]

Luckily this hack isn't for the ordinary Linux user. The hack requires WPA encryption to be activated. As anyone who uses Linux knows, WPA requires recompiling the kernel, compiling wireless tools, compiling wpasupplicant, recompiling both when you find that the default configuration for wpasupplicant is to not use WPA (wtf?), and finally modifying a handful of cryptic configuration files. Once that's done, WPA is still not likely to work with a particular kernel, hardware, and wireless card combination.

Once again, Linux is safe from such a common attack because only seven people have successfully set up WPA. If this had been a Windows flaw, where every machine natively understands WPA and no work at the command prompt is needed, this would be disastrous.

This shows that Linux has been taking the right stand. By making the machine difficult to get running, it's unlikely that the machine will be able to connect to anything and become infected. Windows made the mistake of making the machine easy to use, allowing for simply network connection and ease of ownership (OWN3D).

Not Overly Complex Hack

[LinuxGeek]

Humorous, but if someone wants a quick and painless route, check out Ubuntu. I running 7.04 beta on my laptop and wifi works well with my two very different APs in WPA(psk) mode. Installed and working, no tweaking, no manual compiling, no config file fiddling required. After running Linux for 12+ years I am quite happy with the state of Ubuntu.

Re:

[pizpot]

my experience this weekend
1. buy $30 retailplus wireless usb dongle with zd1211 chipset
2. install ubuntu7.04 (or fedora core 7 worked same way)
3. install zd1211 driver module by checking it off in Synaptic Installer
4. install updates by saying yes to update manager
5. reboot
6. bliss

Re:

[pizpot]

oh yeah, the laptop had no working wired card due to borken...

step -1: plug usb printer-style cable from cable modem to usb port
step 0: get online for updates and even while installing from cd!!

who knew that usb port on my cable modem was for anything?

Tag..

[Anonymous Coward]

DefectiveByDesign? Oh wait ... wrong OS.

Re:

[Dachannien]

Not to mention wrong concept. "Defective by Design" refers to systems intentionally created with defects such as DRM that make them less functional, and then have those defects touted as features.

Re:

[jrumney]

"Defective by Design" refers to systems intentionally created with defects such as DRM

...or kernel modules that taint the kernel by loading binary blobs, supposedly to keep the FCC happy by limiting the frequencies the wireless card can transmit on.

First reported December 2006

[QuietLagoon]

Here [mitre.org] is a reference to a more informative report.

I am a bit confused...

[Skiron]

... this was fixed 4 months ago?

http://madwifi.org/changeset/1842 [madwifi.org]

Fixed Dec 15th on my box

[swillden]

... this was fixed 4 months ago?

It looks that way to me.

Unless this is a different vulnerability, Debian applied the fix [debian.org] over four months ago, two days after the patch was available, and eight days after the vulnerability was first reported [grok.org.uk]

I saw the article and immediately started aptitude to get the fix, only to discover that I already got it, two weeks before Christmas. Nice.

Re:Fixed Dec 15th on my box

[Kjella]

Slashdot: Last year's news for nerds, stuff that mattered

Re:

[jrumney]

You may have got the bugfix via aptitude, but did you build it and install it? Because it's a kernel module, because the kernel ABI is not stable, and because it taints the kernel due to the binary blob radio firmware, the madwifi module is distributed as source only by Debian. This means aptitude will NOT update your running copy for you, only a source tarball which you then need to unpack, build against your running kernel and install.

Re:

[strider44]

Yes that is the case. It wasn't presented publicly before now because the researcher was using "responsible disclosure", trying to make sure as many people are patched before it becomes general knowledge. That's why you only hear about many Microsoft flaws after they've been actually patched.

Re:

[strider44]

May I point out, however, that it is actually oldish news - last month's Black Hat in Amsterdam was quite obviously over two weeks ago.

Madwifi?

[Zarhan]

AFAIK, Atheros drivers aren't even in main kernel tree yet. For the last few years they have seemed to be in perpetual pre-release (0.xx) versions..

Article Tagging: "haha"????

[Anonymous Coward]

Why is a tagging keyword 'haha'?

Re:

[soliptic]

Why is a tagging keyword 'haha'?

Probably because the more childish contingent of Linux zealots who frequent this site unfailingly tag every article relating to a Microsoft/Apple/BSD/whatever security flaw or bug "haha". So now users of all those systems are 'getting their own back'. Pretty juvenile all round really.

Not very helpful FA....

[Arkaic]

Of course, it would have been too much trouble for PC World to mention exactly which version of the madwifi driver was susceptible to this particular flaw. So much better to let people dig through changelogs which might address any number of past vulnerabilities.

I patch and update regularly, so I just wasted some time double checking on a flaw that had been fixed on my system a long time ago.

Here's an idea:

[The Cisco Kid]

Get rid of wifi cards (PCI as well as PCMCIA), and instead implement the wifi 'client' side with an ETHERNET jack to connect .. well, anything that has or can have an ethernet port. Have a 'router' build in that is accesible and configurable via HTTP and/or telnet. Include a 'bridge mode' where, once configured, the router steps out of the way for cases where you are on a known network where you trust its security, or for 'public' untrusted networks you leave the build-in router enabled, isolating you from unexpected inbound connections.

Then, you dont need specific 'drivers' for wifi hardware (you just need to support ethernet)

Re:

[jimicus]

Excellent idea, with only 3 minor problems:

1. Adds complication and hence cost. Bit of a problem in a cost-sensitive world.
2. Doesn't solve the problem - the security risk now moves to a box plugged into your ethernet card. With the added bonus that the only way you'll be able to fix it is via a firmware upgrade - so it's quite possible to brick the box when you upgrade. (Granted, this can be designed around - but I've yet to see a set of "rescue damaged firmware" instructions which were easy for my

Re:

[evilviper]

Get rid of wifi cards (PCI as well as PCMCIA), and instead implement the wifi 'client' side with an ETHERNET jack to connect

You might as well say we should have one driver to allow communication with an external device, and let it handle all the drivers...

You've merely MOVED the problem, not eliminated it. That external (Ethernet) device can be exploited if it's drivers are equally buggy, and when it is, they've got a direct line to your computer.

You're also depending on your Ethernet driver to not have an

Re:

[adolf]

The other issues:

It requires power, and probably won't be happy with the 500mA of 5 Volt DC that the USB ports on my laptop provide. So my "portable computer" is required to be near a wall outlet if I want to use the network -- which is, of course, a stupid idea.

Also, too: Just because it's an external device does not mean that it's secure. Almost universally, these days, small "dedicated" devices like this are made using general-purpose computers and general-purpose operating systems, replete with hardw

Re:

[The Cisco Kid]

Interesting. I wasnt aware anything like this existed. However, I looked at the Linksys one, and I dont understand why its so physically big. If they can fit a wifi device in a PCMCI card 3/8" thick, why cant they fit one in an enclosure the size of a USB flash drive/key (or comparable), only with an ethernet plug instead of USB? (And it isnt the power supply - it looks like it comes with the typical 'brick' that other Linksys gear uses, although it can optionally do POE as well)

Apply the same consideration

[Durzel]

If this was a Microsoft flaw there wouldn't be any talk of "good PR" in releasing a patch quickly, or any other positive angle. There would be reply after reply about Microsofts' code being bloated, the evils of closed-source, monopolistic tactics, that one time when Bill Gates stood on a cats tail by mistake, etc. Linux isn't the only golden boy, Firefox (vs IE), Google (vs big nasty corporations), etc get just as much ridiculously transparent partisan treatment.

Vulnerabilities, particularly serious ones, are never good news. At the very least it would cost businesses who have deployed Linux engineer time in fixing (applying patch(es)) the problem, it generates uncertainty in the market - it creates the potential for business managers who just scan the IT news pages to say "didn't Linux have that serious problem not long ago?". This much is true of any OS, particularly one that businesses need to rely on.

I'm a firm believer in open-source, and I use both Windows and Linux in equal measure both at work and at home. I don't however believe fundamentally that the fact Windows and IE are closed-source automatically make them "poorly written". As has already been remarked a lot of this comes down to usage statistics... with a 90%+ market share you can guarantee that every hacker out there is trying to find fault in every single DLL that Windows ships with. As Linux gains more traction in the desktop & server markets as time goes on you can be sure that there will be most vulnerabilities like this being found. Programmers make mistakes, and there is no such thing as bug-free software.

I really wish Slashdot could dispense with the hidden agendas, partisan attitudes and blatent fanboyism and not sweep serious vulnerabilities like this under the carpet as if they aren't a big deal. Dimissing them as trivial is - if anything - more damaging than giving them the proper attention.

Re:

[gad_zuki!]

>I really wish Slashdot could dispense with the hidden agendas, partisan attitudes and blatent fanboyism

Then it wouldnt be slashdot anymore. I sometimes think slashdot is a parody of a real tech site. Its kinda funny if you pretend you're reading the onion.

Re:

[commodoresloat]

Vulnerabilities, particularly serious ones, are never good news.

But vulnerabilities that have been patched four months ago are never news.

What!?

[jav1231]

Wait! Someone got WiFi to work in Linux!?
Okay, easy...just saying this is one area that's always been behind in Linux.

Re:What!?

[smash]

Wireless works by default on my box with Ubuntu. XP+vista both require a driver download.

FUD Template

[Orochimaru]

I use [linuxdistro] and am a firm believer in open source software, but we just can't pretend that [securityflawfixedmonthsago] isn't a big deal. Your average Joe user isn't able to install a patch and this just proves that Linux is not ready for the desktop.

Re:

[FauxPasIII]

That's the guy's name, you ninnyhammer.

Re:Oh, madwifi. Surprise! Closed source still suck

[Anonymous Coward]

The bug was in the open source portion of the driver, the closed-source HAL merely locks the range of radio frequencies and transmit powers allowed.

Re:

[cortana]

Which is not, a part of Linux, nor will it ever be while the driver relies on proprietary firmware.

Re:

[DeadChobi]

Just to continue on in the stereotypical "not ready for primetime exchange" my mother uses Ubuntu.

Re:

[eli pabst]

Mac, Linux, Solaris, etc. have had many more security advisories than MS Windows has had to endure
I'm not sure where you are getting that idea, but according to secunia, Microsoft and Redhat have had exactly 3 vulnerabilities this month, with Microsoft vulns being more critical. Sure there was the Solaris telnetd vuln that made headlines, but I think it's just your perception. Plus I also think you're failing to take into account the ANI cursor overflow at the end of March which was a big deal.

Sure,

Ummmm, no.

[khasim]

First off, I'm posting this from Ubuntu (Feisty Fawn).

But it's not ready for primetime just because of the average user.

Okay, what is it about the "average user" that makes Linux not ready for prime time?

Windows has a tough enough time with security because of the user (let's face it, 90% of problems are the user's fault).

Okay, now you're talking about Windows. And I'll disagree about 90% of Microsoft's security problems being the fault of the users. The default install of a system should be secure enough W

Re:

[PixieDust]

Okay, what is it about the "average user" that makes Linux not ready for prime time?

Think people, the AVERAGE user. You know the ones. The ones that think user@machinename# is their email, and they want into their system, but after they log in it takes them to their email. (Yea, got that one a few times, user logged in and X crashed, matter of fact, that was Ubuntu).

We all know the ones. We all poke fun at them. We all laugh about what they do. The people who are barely able to operate Windows, or Macs

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Bert64]

The number of security advisories has very little bearing on OS's tho...
An issue with madwifi is an issue which can affect linux, but is not a bug in linux per se (since its not in the default kernel).
It may be a bug with a particular distribution of linux, if that distribution were to include these drivers.

Similarly, a bug in firefox or apache could also affect windows users if they chose to install it, but it won't be flagged as a windows bug because it's not present by default. Conversely, it will be fla

Re:

[xenocide2]

Actually, I had more trouble getting my wireless card to work in Windows XP than Ubuntu 5.10. Turns out not every wireless card supports Windows' wifi config tool, and mine was one of them. For some reason, nobody seems to tell hardware vendors that their Value-add software feels more like value subtract.

Of course, I did have the foresight to ask my friends about what works on Linux, which I'm sure helped tremendously. However the laptop I bought didn't really let me choose a wifi card, and it still works w

Re:

[colinrichardday]

The Atheros chip set is well supported in Linux. In fact, I'm using it right now.