In the latest bout of alarmist frenzy to sweep the security world, researchers disclosed a vulnerability in the Linux kernel’s open source code last week. It turns out the vulnerability poses little real threat.
The flaw, which has existed in Linux since 2012 but remained unknown, was reported by the Israeli security company Perception Point. It allows attackers to gain root access to computers running affected versions of the kernel. With root access, they can do anything they want to the system.
Perception Point ominously warned that the vulnerability affects “tens of millions” of Linux PCs and servers, as well as some Android devices (since Android is based on a version of the Linux kernel). The company urged administrators and users to upgrade their systems as soon as possible in order to apply the fix that the Linux kernel developers created after Perception Point notified them of the flaw.
Theoretically, the vulnerability does threaten tens of millions of machines. And there is no reason not to apply the patch as soon as possible. Yet in this case, the frenzied warnings about computers being compromised in droves seem over the top for a couple of reasons.
First, Perception Point itself admits that there is no evidence of “any exploit targeting this vulnerability in the wild.” In fact, the only known exploit for this is the “proof of concept” attack that Perception Point itself created in order to show that the flaw actually existed. So, for now, there is no reason to believe that any machines are under attack from this error.
Second and more important, the time and conditions required to execute the exploit mean that, in reality, only a minority of PCs and servers — and probably no Android devices — can be attacked through this flaw. As Steven Vaughan-Nichols and others have noted, the attack takes many hours to complete, even on high-end hardware. It also requires gobs of memory — apparently more than 8 gigabytes in some cases. That excludes my trusty laptop, with its 4-gigabytes of RAM, from a successful attack, along with plenty of other PCs and almost certainly every Android phone or tablet in existence.
To be sure, servers are likely to have more memory and therefore be vulnerable. But there are still plenty of servers that lack lots of RAM.
Beyond all this, kernels with certain security hardening features enabled also seem to not be vulnerable to the attack.
The open source community has seen its share of truly worrisome security threats in the past couple of years, chief among them Heartbleed. And Linus Torvalds’s unorthdox attitudes toward security in the Linux kernel may not sit well with everyone (though they are arguably healthier than the illusional norm of pretending that perfect security is a real possibility). But in this case, the hype suggesting the imminent demise of millions of Linux computers stop far short of living up to reality.