| 1 |
On Tue, Nov 7, 2017 at 11:08 PM, Dale <rdalek1967@×××××.com> wrote: |
| 2 |
> Howdy, |
| 3 |
> |
| 4 |
> I ran up on this link. Is there any truth to it and should any of us |
| 5 |
> Gentooers be worried about it? |
| 6 |
> |
| 7 |
> http://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/ |
| 8 |
> |
| 9 |
> Isn't Linux supposed to be more secure than this?? |
| 10 |
> |
| 11 |
|
| 12 |
In theory. There was no comment on the existence of such bugs in the |
| 13 |
Windows driver stack, but they likely exist. However, note: |
| 14 |
|
| 15 |
"The impact is quite limited, all the bugs require physical access to |
| 16 |
trigger," said Konovalov. "Most of them are denial-of-service, except |
| 17 |
for a few that might be potentially exploitable to execute code in the |
| 18 |
kernel." |
| 19 |
|
| 20 |
Which is typically what one should expect from bugs discovered by fuzzing. |
| 21 |
|
| 22 |
These are issues which should be fixed, but keep in mind that there |
| 23 |
has been (and still is) lots of kernel development that focuses on |
| 24 |
isolating the kernel from itself. The reporting of these bugs will |
| 25 |
likely be used to make those mechanisms even better. |
| 26 |
|
| 27 |
|
| 28 |
To compare, here is an "exploit" discovered in a monitor: |
| 29 |
https://github.com/RedBalloonShenanigans/MonitorDarkly. |
| 30 |
|
| 31 |
The prerequisites include having debug access to the monitor's |
| 32 |
controller. Personally I am surprised this was presented at DefCon as |
| 33 |
it does not really seem appropriate. At least the articles covering |
| 34 |
the code should be reworded - it's exploiting the monitor almost the |
| 35 |
same way you can exploit a car by driving it. |
| 36 |
|
| 37 |
More and more security releases are starting to look like the above, |
| 38 |
as the researchers and authors clamor for notability, which is |
| 39 |
increasingly hard to find. I think the article you found strikes a |
| 40 |
middle ground - the exploits are relevant in practice, but take a lot |
| 41 |
of work to use. |
| 42 |
|
| 43 |
Cheers, |
| 44 |
R0b0t1 |
Archives