"All the boring bugs are way more important" is misleading

Question

"All the boring bugs are way more important" is misleading

Karunamon opened this issue 8 years ago · 7 comments

In fact, all the boring normal bugs are way more important, just because there's a lot more of them. I don't think some spectacular security hole should be glorified or cared about as being any more "special" than a random spectacular crash due to bad locking.

This is... wrong. Really, horribly, terribly, dangerously wrong.

While I share no love for this new meme of cute sites and marketing names for security bugs, privilege escalation > denial of service, and that goes double at the kernel level. It's the difference between having your website defaced and having your customer data leaked or your machine joined to a botnet.

This is not equivalent to the other 5,000 bugs on CVE this year because:

It's kernel level
It's privilege escalation
It's been around for nine years
It's being exploited in the wild
Every OS vendor is treating this as deadly serious.

Please consider treating this bug with the respect it deserves. Your site, as written, could lead someone to believe that it's a non issue.

Answer 1 · 2016-10-20T22:52:55.000Z

This is a quote from Linus Torvalds. http://yarchive.net/comp/linux/security_bugs.html

Answer 2 · 2016-10-21T14:59:22.000Z

I know, but this is still wrong. Your page is now coming up in google results for this bug, and as written, someone who doesn't follow Linus Torvalds quotes would think this is a trivial thing.

Answer 3 · 2016-10-22T07:49:05.000Z

Dunno, kinda feel it's a bit early to jump the gun on this one. It's not really privilege escalation, and relying on read-only file protection as a means of opsec access control isn't smart for any organization or user.

Answer 4 · 2016-10-22T14:20:56.000Z

Are you joking around? You can probably get root just by writing over a password field in /etc/passwd, and probably in a dozen other ways.

Answer 5 · 2016-10-22T14:27:40.000Z

See rapid7/metasploit-framework#7476 which seems to replace a setuid root binary.

Answer 6 · 2016-10-22T14:37:30.000Z

Cheer up, Ivan. You know what they say. Some things in life are bad, they can really make you mad.
Other things just make you swear and curse. When you're chewing on life's gristle, don't grumble, give a whistle! And this'll help things turn out for the best

Answer 7 · 2016-10-22T14:40:18.000Z

I actually did try testing out exactly that this morning except it was /etc/shadow, couldn't get it to add anything, but yes you could craft a sudo user or something I'd guess.