December 11, 2009, 5:39 PM — While Windows has more security problems than a barn dog has fleas, Linux isn't immune to having its own security holes. Recently, two significant bugs were found, and then smashed. To make sure you don't get bitten, you should patch your Linux system sooner rather than later.
Bug number one on the hit list is a remote DDoS (distributed denial-of-service) vulnerability that could potentially let an attacker crash your server by sending it an illegally fat IPv4 TCP/IP packet. Those of you who are network administrators may be going, "Wait, haven't I heard of this before?" Why, yes, yes you have.
It's the good old ping-of-death DDoS attack back again. What happened, according to the Linux kernel discussion list, was that somewhere between the Linux kernel 220.127.116.11 and 2.6.29 releases someone made a coding boo-boo and made it possible for this ancient attack to work again.
Fortunately--this is open source after all--the bug was quickly found and fixed before any bum got a chance to smash systems with a ping-of-death attack. If you're using any Linux kernel except 18.104.22.168x you're safe. Not sure what version you're running? The easy way to find out is to run the following command from a shell prompt:
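As an added example that is not part of the original article, here is a small POSIX shell script that does the version check described above: it reads the running kernel release with `uname -r`, strips any distribution suffix (such as `-generic` or `-rc8`), and compares the numeric fields against a first-affected and first-fixed release that you pass in from your distribution's advisory. The two release bounds are parameters rather than constants, and the function and variable names are my own choices.

```shell
#!/bin/sh
# Added example: compare the running kernel release against an affected range.
# Usage: ./kcheck.sh FIRST_AFFECTED FIRST_FIXED   (e.g. ./kcheck.sh 2.6.28 2.6.29)

# Keep only the leading dotted numeric part of a release string:
# "5.15.0-91-generic" -> "5.15.0", "2.6.32-rc8" -> "2.6.32".
numeric_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# Exit status 0 when dotted version $1 >= dotted version $2.
# Compares up to four numeric fields; missing fields count as 0.
version_ge() {
    ge_a="$(numeric_version "$1").0.0.0"
    ge_b="$(numeric_version "$2").0.0.0"
    ge_i=1
    while [ "$ge_i" -le 4 ]; do
        ge_x=$(printf '%s\n' "$ge_a" | cut -d. -f"$ge_i")
        ge_y=$(printf '%s\n' "$ge_b" | cut -d. -f"$ge_i")
        ge_x=${ge_x:-0}
        ge_y=${ge_y:-0}
        if [ "$ge_x" -gt "$ge_y" ]; then return 0; fi
        if [ "$ge_x" -lt "$ge_y" ]; then return 1; fi
        ge_i=$((ge_i + 1))
    done
    return 0
}

# Exit status 0 when running version $1 lies in [ $2, $3 ): at or above the
# first affected release and below the release that carries the fix.
version_in_range() {
    version_ge "$1" "$2" && ! version_ge "$1" "$3"
}

# Command-line entry point: only runs when both bounds are given.
if [ "$#" -eq 2 ]; then
    running=$(uname -r)
    if version_in_range "$running" "$1" "$2"; then
        echo "kernel $running is inside the affected range [$1, $2): update it"
        exit 1
    else
        echo "kernel $running is outside the affected range [$1, $2)"
    fi
fi
```

The comparison is purely numeric, so it treats `2.6.32-rc8` as `2.6.32`; if your distribution backports fixes without bumping the upstream release number, the package changelog, not `uname -r`, is the authoritative source.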
The other bug is potentially more troublesome because it could be used to take a system over. On the other hand, you need to be a local user to pull it off, so personally, I don't consider it as important as an attack that can be made over the Internet.
This bug is in the Ext4 file system, which became an official part of Linux with the 2.6.28 kernel. The problem came from three smaller Ext4 problems, which added up to letting an ordinary local user overwrite files to which they should only have had read permission. With this, a user with a grudge could overwrite files, say the good old Unix/Linux user password file, '/etc/passwd', with whatever they wanted. Not good.
This problem has also been fixed. Your usual Linux update should take care of the problem.