reporting a remotely exploitable bug 'in Linux' has raised the ire of
some in the Linux community for a few reasons, but inaccuracy probably
tops the list. The timeliness of the report is also in question as the
bug, in an out-of-tree Linux driver, was fixed four months
ago in December 2006. When the usual suspects, Slashdot and digg, linked to
the article, it became a rather visible 'failing' of Linux. The truth is
much less damning; there are some interesting wrinkles, though, which are
worth a look.
The bug was found by French security researchers when fuzzing the MadWifi
driver for Atheros Wireless LAN chipsets and was presented at Black Hat
Europe at the end of March. The techniques used are similar to those
used by David Maynor and johnny cache to find the MacOS wireless flaws that
they 'demonstrated' at
Black Hat USA last year. The only new information in the article
(and others like it) was the presentation given by Laurent Butti; the bug
had already been reported as
in version 0.9.2.1 of MadWifi.
MadWifi (which is an abbreviation for Multiband Atheros Driver for Wireless
Fidelity according to the project's website)
is a widely used driver for wireless cards, but
it is not part of the Linux kernel and is unlikely to ever be. The driver
relies on a 'Hardware Abstraction Layer' (HAL) that is only provided in binary
form. The belief is that because the Atheros chips can be instructed
to do various things that regulatory agencies (the FCC in the US for example)
oppose, the code for doing that must be closed source. Rather than make
the whole driver closed source, separating it into two pieces was done
specifically to avoid the closed source portion being considered a
derivative work of the kernel.
Because of the non-firmware binary blob, the driver will not be included in
some 'free' distributions and users will need to find it from other
non-official or less supported repositories. This could lead some users to
not update their driver because the package management system did not
alert them to the change. At some level, any publicity that makes more
people aware of the problem is probably a good thing.
The bug itself is a fairly run-of-the-mill buffer overflow that is
fixed in this changeset.
While the bug was rather straightforward, its result is catastrophically
bad. An attacker could run arbitrary code as root on a vulnerable machine
that has the driver loaded; being connected to a wireless network is not
required. This is the kind of 'drive by' laptop takeover that got so much
attention when Maynor and cache announced their proof of concept exploit.
It is a truly horrifying scenario for anyone worried about laptop or other
wireless device security.
At the time of the original release of information about the bug, the MadWifi
project and various distributions made announcements about it. But, perhaps
because of the impending Christmas holiday or because the seriousness of the
bug was not recognized, there was very little press about it at that time.
Though LWN did publish the announcements, one could certainly argue that a
more detailed look was in order. Coupled with the severity of any exploit,
the lack of coverage magnified the importance of the current articles. Had
there already been a round of articles describing the flaw back in December
(or even January), it is likely that the 'new' reports would have been ignored.
That does not, of course, excuse the inaccuracies in the article. MadWifi
is clearly not 'in' Linux though it will affect some Linux users. The lack
of earlier press coverage and linking from aggregation sites served to
elevate the visibility of the bug, which may have helped some users who
missed it earlier, but overall just fed the 'Linux is buggy' hype machine.
The headline and the way it was presented take an interesting event, the
presentation of some security research, and try to turn it into an
indictment of overall Linux security. This is the kind of article that
tends to make Linux advocates rather cynical about the 'mainstream' technical
to post comments)