Insecurity News

Insecurity News

Article from Issue 90/2008
Author(s):

copy_from_user_mmap_sem()

We've all been there; in fact, many of us have been there recently. You wake up to find email from Bugtraq or Full-Disclosure, or perhaps a notification from your vendor about a security update – a security update that affects almost all your systems, and for which exploit code has been publicly available for several days [1]. Of course, I easily could launch into the power of open source and talk about how quickly the Linux kernel team fixed the vulnerability, allowing vendors to push out updates in a timely manner. Or I could talk about the importance of inventorying your systems and having a patch-management system in place so that they can be patched promptly. But the point is this: All systems are vulnerable, all the time. Let me repeat that just to make sure you don't think I made a mistake: All systems are vulnerable, all the time.

Security flaws are a lot like Schrödinger's cat: neither dead nor alive until you look [2] (Figure 1). Do security vulnerabilities appear out of the ether as if by magic when someone observes them, in effect collapsing the quantum probability state of the vulnerability in question to a known state? That is to say, as long as no entity recognizes the security vulnerability (and more importantly, as long as no one has exploit code for it), the vulnerability doesn't really exist. This also is known as the "tree falling in a forest" theory of information security.

Figure 1: The cat is neither dead nor alive, until you look in the box.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Securing Your Systems

    We'll show you how the lessons learned in the 1980s movie "The Karate Kid" can be applied to securing your systems.

  • Security Lessons

    Although you give up control of the underlying infrastructure when you use cloud computing, you can still maintain some control over security.

  • Security Lessons

    Are your systems secure against DNS attacks? We'll show you why they matter and help you determine whether you are vulnerable.

  • Security Lessons

    We look at the history of the rootkit, including its newest incarnation, the DR RootKit.

  • Security Lessons

    Researchers set out to compromise MD5 in an effort to convince people to stop using it. We explain how the attack worked and what this means for you.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News