The Eee PC has garnered a lot of press
for its small form factor, low weight, and solid-state disk, but it has
also made a poor showing with security researchers. RISE Security released
a report on the security of
the Eee last week, showing that it can be subverted ("rooted") right out of
the box from ASUS. Unfortunately, it is even worse than that as, even after
updating an Eee using the standard mechanism, the hole is not patched.
The vulnerability identified by RISE is in the Samba daemon (smbd), version
3.0.24, which is installed and runs on stock Eee PCs. The vulnerability, CVE-2007-2446,
was identified and patched last May, so the Eee is shipping with a version
of Samba known to be vulnerable to an arbitrary code execution flaw for
nine months or so. In itself, that is not completely surprising.
When hardware vendors install a distribution—or commercial OS like
Windows—they tend to install the latest released version, which is likely to be out of date with respect to security
issues. A vendor installing Fedora 8 or Debian etch today will be behind
on countless security updates. But, unlike the Samba problem discovered on
the Eee, updates do exist in the standard places. If the new user updates
their system immediately, there is a fairly small window of vulnerability.
Unfortunately for Eee owners, the modified Xandros distribution that comes
with it does not yet have an update for Samba. This leaves all Eee PCs
vulnerable to being rooted by anyone on the same network. Since the Eee is
meant as a mobile device, it likely spends a lot of its time connected to
various public networks, especially wireless networks. The Eee makes an
interesting target for attackers because it very well might have
authentication information for banks or brokerages as well as other private
or confidential files.
Some have seriously
downplayed the threat, but it is clear they don't understand it:
The root attack performed was relatively easy to do, if you like command
lines. Maybe Asus or Xandros could work on a patch for this. It almost
makes one wonder how many other exploits are lying under the surface just
waiting to be found. But, it's not like this actually puts you in danger,
just how many hackers are going to be looking for the Asus EeePC or even
Xandros based system online and attack them? Probably not many.
Sales of the Eee last year were around 300,000 units, large
enough to be an attractive target for the malicious. Because there is not an
update to close the hole, Eee users have to rely on other means to protect
themselves. This eeeuser.com
comment thread provides some of the better advice for dealing with the
problem. Removing the Samba package seems to be the simplest, but fairly
heavy-handed, way to avoid the hole—but many folks need a working
Samba. There is no way to disable Samba from the Eee GUI, which is the way
most owners plan to interact with the machine. This whole incident makes
it seem like ASUS (and perhaps Xandros) are not terribly interested in the
security of the machines that they sell.
There is a larger issue here. When the normal means of getting security
patches comes from the same medium that is also the biggest security
threat, there will always be windows of vulnerability. Even if hardware vendors
diligently update the distribution they install, there is still some
shelf-life and shipping time where security updates can be
released. Various studies have shown that
there may not be enough time to download patches before an unpatched
system succumbs to an attack.
It is a difficult problem to solve completely. Any solution must be very
straightforward and consistent so that unsophisticated users can be trained
to do it as a matter of course. News about security issues needs to get
more widespread attention as well, so that those same users know
when the procedure needs to be followed. Firewalls and other
network protections only go so far if the machine needs to reach out to the
internet to pick up its updates.
If distributions provided some kind of blob (tar file, .deb, .rpm,
etc.) that contained all of the security updates since the release, users
could grab that from a different (presumably patched or not vulnerable)
machine, put it on a USB stick or some other removable media and get it to
the new machine. A utility provided by the distribution could then process
that blob to apply all the relevant patches—all while the vulnerable
machine stayed off the net. As the world domination plan continues,
threats against Linux will become more commonplace; we need to try and
ensure that users, especially the unsophisticated ones, can be secure in
their choice of Linux.
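The offline-update blob sketched above, as an added example that is not part of the article and not an ASUS or Xandros tool: it assumes a Debian-style system (.deb packages, dpkg, GNU tar and coreutils), adds a sha256 manifest so the offline machine refuses a corrupted blob (an assumption, not something the article proposes), and ends with a check of the version string that `smbd -V` prints, using the fact that CVE-2007-2446 was fixed in Samba 3.0.25.

```shell
#!/bin/sh
# Hypothetical offline-update helper. INSTALL_CMD is overridable so the
# apply step can be exercised without root or real packages.
set -eu

INSTALL_CMD="${INSTALL_CMD:-dpkg -i}"

# build_update_blob DIR OUT.tar
# Run on an already-patched machine: DIR holds the .deb files to carry over.
# A sha256 manifest travels inside the tarball.
build_update_blob() {
    dir="$1"; out="$2"
    ( cd "$dir" && ls ./*.deb >/dev/null 2>&1 ) \
        || { echo "no .deb files in $dir" >&2; return 1; }
    ( cd "$dir" && sha256sum ./*.deb > SHA256SUMS )
    tar -C "$dir" -cf "$out" .
}

# apply_update_blob BLOB.tar
# Run on the vulnerable machine while it is still off the network.
# Prints the number of packages handed to the installer.
apply_update_blob() {
    blob="$1"
    work="$(mktemp -d)"
    tar -C "$work" -xf "$blob"
    # Install nothing if the manifest does not match the payload.
    ( cd "$work" && sha256sum -c --quiet SHA256SUMS ) \
        || { echo "manifest check failed" >&2; rm -rf "$work"; return 1; }
    count=0
    for pkg in "$work"/*.deb; do
        $INSTALL_CMD "$pkg" >/dev/null
        count=$((count + 1))
    done
    rm -rf "$work"
    echo "$count"
}

# samba_needs_patch "Version 3.0.24"
# Takes the line printed by `smbd -V`; returns 0 when the version is older
# than 3.0.25, the release that fixed CVE-2007-2446.
samba_needs_patch() {
    ver="$(printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.a-z]*\).*/\1/p')"
    [ -n "$ver" ] || return 2
    lowest="$(printf '%s\n%s\n' "$ver" 3.0.25 | sort -V | head -n 1)"
    [ "$lowest" = "$ver" ] && [ "$ver" != "3.0.25" ]
}
```

Running `samba_needs_patch "$(smbd -V)"` after the stock update is the quick way to confirm that the hole the article describes is still open.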