Microsoft points at Linux and shouts: Look, look! Privilege-escalation flaws here, too!

Flaws in networkd-dispatcher, a service used in some parts of the Linux world, can be exploited by a rogue logged-in user or application to escalate their privileges to root level, allowing the box to be commandeered, Microsoft researchers said Wednesday. It's nice of Redmond to point out these flaws and have them fixed in …

  1. Doctor Syntax Silver badge

    from the man page: "networkd-dispatcher - Dispatcher service for systemd-networkd connection status changes"

    Ah, systemd.

    1. jake Silver badge

      Please note.

      The systemd-cancer is not now, nor will it ever be, a necessary part of Linux.

      1. Doctor Syntax Silver badge

        Re: Please note.

        As a Devuan user I know that very well.

      2. VoiceOfTruth Silver badge

        Re: Please note.

        I agree, but its tentacles are everywhere now.

    2. AdamWill

      It's a third-party addon that sits on top of systemd-networkd, a network manager. It had a vulnerability because its author didn't think hard enough about the possibility of malicious strings being sent to it via DBus. None of this has anything to do with systemd, per se. The same vulnerability could equally well have existed in the NetworkManager equivalent, NetworkManager-dispatcher, which does the same thing on top of NetworkManager; it just doesn't happen to because it wasn't written the same way.

      1. Anonymous Coward

        Ah yes

        Ah yes, NetworkManager, because even systemd needs something to look down on.

    3. Anonymous Coward

      lol.

      it would seem that fragmentation saved linux this time. there is an ungodly number of ways of managing networking in linux. afaict no big big distro uses systemd-networkd, most of them use networkmanager, another work of the devil but at least it's not affected by this bug

      1. NATTtrash

        Which makes you think. Isn't it more about:

        "The growing number of vulnerabilities on Linux environments emphasize the need for strong monitoring of the platform's operating system and its components," wrote Jonathan Bar Or of the Microsoft 365 Defender Research Team.

        Maybe an obligatory MS account login when you boot, continuous monitoring when you use the OS, and forced updates without pesky user interaction or interruption?

        1. captain veg Silver badge

          growing number of vulnerabilities

          Is there, in fact, a "growing number of vulnerabilities" (which is certainly conceivable, given the massively inflating amount of code), or is it really a growing number of attempts to find such vulnerabilities, including by Microsoft?

          MS possibly missed a trick by not exploiting this opening on the "[t]ens of thousands of Google employees [using] a derivative of Debian as their desktop OS". If, indeed, they didn't.

          -A.

      2. Manolo

        Well, I applied the patch one minute ago, so at least Kubuntu uses it.

        (And happy to see it's been fixed so quickly)

  2. jake Silver badge

    Hey Microsoft ...

    ... whataboutitis is not becoming.

    1. Benegesserict Cumbersomberbatch Silver badge

      Re: Hey Microsoft ...

      ...and when world+dog can see Micros~1's source code, I suspect more than one security hole will be found.

      1. A.P. Veening Silver badge

        Re: Hey Microsoft ...

        ...and when world+dog can see Micros~1's source code, I suspect more than one security hole will be found.

        I respectfully have to disagree with you: it is one giant security hole.

        1. Benegesserict Cumbersomberbatch Silver badge

          Re: Hey Microsoft ...

          OSteoporosis: when all the little holes in what should be a strong, secure mesh get so big they fillet it from the inside.

    2. MyffyW Silver badge

      Re: Hey Microsoft ...

      updated three weeks ago

      The word "print spooler" comes to mind, MS. You could learn something from the Penguins.

      1. MrDamage Silver badge

        Re: Hey Microsoft ...

        Not to mention Microsoft Outbreak, Office macros, file preview, autoplay and the many, many more.

        1. Anonymous Coward

          Re: Hey Microsoft ...

          At least they seem to be phasing out Internet Exploder. Mind you, they've replaced it with the Sludge browser.

    3. werdsmith Silver badge

      Re: Hey Microsoft ...

      Nothing to do with whatabout. Microsoft are major funders of the Linux Foundation and major Linux users and contributors; their research teams are doing their jobs.

    4. bombastic bob Silver badge
      Angel

      Re: Hey Microsoft ...

      Micros~1: Hey Linux, let me get that speck of sawdust out of your eye

      Linux: How can you even SEE it with that LOG in your OWN eye?

      (obligatory bible reference)

      1. captain veg Silver badge

        Re: Hey Microsoft ...

        Er, mote. Beam.

        Why is it obligatory?

        -A.

  3. Chris Gray 1
    Mushroom

    Ugh! Scripts.

    Linux has far far too many scripts. They are pretty much vulnerable to timing problems by definition.

    Seems to me that for anything important, you should not use:

    check file properties; open file; trust file data.

    but rather should use:

    open file; using only the yielded fd, check file properties; using only the yielded fd, trust file data.

    but, I'm not sure that all of the properties of interest are available via just the fd.

    1. jake Silver badge

      Re: Ugh! Scripts.

      "Linux has far far too many scripts."

      Talk about unclear on the concept ...

    2. Flocke Kroes Silver badge

      Re: Ugh! Scripts.

      fstat and fexecve do what is required via file descriptors but I could not find a direct way to do fexecve in python. The indirect way is:

      import subprocess

      # x_path: path of the program to run; the fd keeps exec tied to the file actually opened
      with open(x_path) as x:
          x_fd = '/proc/self/fd/' + str(x.fileno())
          # close_fds=False so the descriptor survives fork and the /proc path resolves in the child
          subprocess.Popen([x_path], executable=x_fd, close_fds=False)

      (Replace ___ with spaces because comments do not support the pre tag.)
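As an added example (not any commenter's code), here are the two orderings Chris Gray contrasts above, in Python since that is what the thread's snippet uses: `read_racy` does the check-then-open sequence, `read_trusted` opens once and does every check through the returned fd with fstat(). The function names, the temp-dir `demo()` and the sample file contents are constructed here, not taken from the thread.

```python
"""Open-then-check-then-use through one file descriptor.

Added example for this thread (not any commenter's code). The sequence
"check file properties; open file; trust file data" looks the path up twice,
so the object checked need not be the object read. Opening first and doing
every check with fstat() on the returned fd closes that gap; the same
ordering is what fexecve() gives for execution.
"""
import os
import shutil
import stat
import tempfile


def check_fd(fd, expected_uid):
    """Validate an already-open fd; raise PermissionError if it is not trustworthy."""
    st = os.fstat(fd)  # describes the open object itself, no path lookup
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("not a regular file")
    if st.st_uid != expected_uid:
        raise PermissionError("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("group- or world-writable")


def read_trusted(path, expected_uid=None):
    """Open once, verify via the fd only, then read via the same fd.

    O_NOFOLLOW refuses a symlink as the final path component (the open fails
    with ELOOP); O_CLOEXEC keeps the fd out of any child process. Nothing after
    os.open() touches the path again.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        check_fd(fd, expected_uid)
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of fd and closes it
        return f.read()


def read_racy(path, expected_uid=None):
    """The ordering to avoid, kept for contrast: stat() the path, then open() it.

    Between the two lookups the name can be re-pointed (rename, symlink) at a
    different file, so the properties checked are not those of the data read.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    st = os.stat(path)  # lookup #1
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        raise PermissionError("pre-open check failed")
    with open(path, "rb") as f:  # lookup #2: may resolve to something else
        return f.read()


def demo():
    """Build constructed inputs in a temp dir and report how read_trusted() treats them."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "trusted.conf")
    with open(good, "wb") as f:
        f.write(b"run_as=nobody\n")  # constructed sample content
    os.chmod(good, 0o600)
    loose = os.path.join(d, "loose.conf")
    shutil.copyfile(good, loose)
    os.chmod(loose, 0o666)  # world-writable: anyone could have edited it
    link = os.path.join(d, "link.conf")
    os.symlink(good, link)  # symlink: refused by O_NOFOLLOW
    results = {"good": read_trusted(good)}
    for name, p in (("loose", loose), ("link", link)):
        try:
            read_trusted(p)
            results[name] = "accepted"
        except OSError as e:  # PermissionError is a subclass of OSError
            results[name] = type(e).__name__
    shutil.rmtree(d)
    return results


if __name__ == "__main__":
    print(demo())  # {'good': b'run_as=nobody\n', 'loose': 'PermissionError', 'link': 'OSError'}
```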

      1. Chris Gray 1
        Facepalm

        Re: Ugh! Scripts.

        Cool, thanks. I don't think I'd known about fexecve.

        My point on how one should do things, and on scripts being problematic, is based on the thought that anything which does something with or to a file in ways which re-look-up the file is vulnerable to timing holes - things can change between the lookups.

        I also just found "flock", which allows file locking from scripts. I definitely haven't seen that before. So, it appears the downvotes are valid. Assuming of course that they are from folks who are aware of this stuff, and know that everyone who writes critical scripts uses this stuff....

      2. MrBanana

        Re: Ugh! Scripts.

        (Replace ___ with spaces because python is stupidly tied to the idea that whitespace is a syntax element, not a token delimiter.)

        FTFY

    3. bombastic bob Silver badge
      Facepalm

      Re: Ugh! Scripts.

      have you even USED Linux?

      icon, because, facepalm

    4. Anonymous Coward
      WTF?

      Re: Ugh! Scripts.

      > Linux has far far too many scripts.

      Compared to what? A Bratwurst?

      1. captain veg Silver badge

        Re: Ugh! Scripts.

        Hollywood?

        -A.

  4. Jan K.

    But that app has nothing to do with Linux as in not-in-kernel. Go to Red Hat...

    And re. bugs, one of the things I enjoy in the Linux world is how finding bugs is welcomed.

    That is so far from my previous +30 years with MicroSoft, where it's refusal, denial or "it's a feature".

    1. alisonken1
      Angel

      Let's not forget AntennaGate: "You're holding it wrong"

      1. Anonymous Coward

        That's another company which, however, has been a lot better at keeping things moderately secure than Microsoft.

        MS kinda sits at the bottom of the heap when you talk about security: it's not impossible to keep it reasonably secure, but it demands substantially more resources to achieve a reasonable state as compared to the alternatives, and more frequently too.

        But hey, as long as their sales people can ensure decisions are made on the golf course instead of where the knowledge resides it'll keep on selling.

        And leaking.

        1. UCAP Silver badge

          MS kinda sits at the bottom of the heap when you talk about security

          Which is why MS is trumpeting so much about finding this problem.

        2. Anonymous Coward

          Where’s your evidence and comparison to AWS and Google from a security POV?

          1. Anonymous Coward

            Any honest count of CVEs against level of risk exposure and time to fix, basically.

        3. teknopaul

          Apple/iPhone security is all about not letting the user get root. (Macos is a different story.)

          Linux security is always about letting the right people have root. (even tho Google abuses that)

          Not sure the former really even counts as security, it's just lock out.

          I am a firm believer that the functionality of your device is required for security, if you are locked out you can't use it which leads to real world insecurity. Being locked out of your own house leaves you vulnerable to the weather.

          Using this definition, Linux has much better security than any Apple/Google device will ever have until full right to repair.

          1. nematoad

            "Linux security is always about letting the right people have root."

            So what happens when most distros use sudo?

            Is that not an invitation to abuse the system, open security holes and basically let the ordinary user do what ever they want?

            PCLinuxOS is one of the few distros that stick to using su and surely that must be a better way of keeping things under control.

            Does anyone have a list of other distros not using sudo by default?

            1. Jay 2

              Admittedly the fact that a lot of the (desktop) Linux distros will enable sudo by default for a local user is not ideal. But at least it gets people into the habit of separating what they can do and what root can do. The catch with su is that suddenly you're in that root shell and the world is your oyster, so don't make any mistakes/typos!

              Though the real power of sudo is that you can configure it to give as much or as little root access as is required. Possibly overkill on a single user desktop system, not on a multi-user server. If needs be you can narrow it down to a single command and specific command line options. And every time that's used, it's logged.

  5. Lorribot

    Auto update and reboot anyone?

    "these should be filtering their way down to endpoints as they update their packages."

    This is why Linux is more vulnerable than something like Windows. These patches are advertised way before they are available to the end user, so the bad guys are handed a window of opportunity on a plate. There is nothing like advertising.

    Open source developers and users need to get a handle on this stuff so they can manage it a lot better, so those windows do not open.

    The flip of this is that most normal people (should Linux go to great unwashed by one of those 600 distributions) would not have a clue if their distro had this or some other (if they even cared) component/library/plugin/widget and really should just set their OS to automatically (if that is an option they can find) update everything as soon as anything is released....er just like Windows does with a little pop up to tell you reboot would be good. I am sure the Linux community would be supportive of this.

    1. jake Silver badge

      Re: Auto update and reboot anyone?

      Yet another person unclear on the concept.

      1. Stuart Castle Silver badge

        Re: Auto update and reboot anyone?

        The problem is, for the average punter, you really need the updates to be automatic, or at least bundled together under a (admittedly vague) name like Security update 2022-001, or even a version number. The package managers updating the Linuxes I've used tend to list the individual libraries and applications being updated. You may want that. I do want that, but it might terrify the average user, who suddenly finds themselves wanting to know what libssl means.

        1. Ben Tasker

          Re: Auto update and reboot anyone?

          So enable unattended-upgrades and users won't need to look at a list of packages again?

    2. Anonymous Coward

      Re: Auto update and reboot anyone?

      This is why Linux is more vulnerable than something like Windows, These patches are advertised why before they are available due to the end user, so the bad guys are handed a window of opportunity on a plate. There is nothing like advertising.

      Welcome to the planet. Let's talk again after 10 years when you have grown a clue about fun things like responsible disclosure and OFTF ("oh f*ck - to - fix") time of the various platforms. Yes, I just made up that term, I'm trying to keep it at beginner's level here.

      And yes, I think you'll need that long.

      1. Dazed and Confused

        Re: OFTF

        > Yes, I just made up that term

        You might have just invented it, but it has now been adopted as the official term for the period

        1. JamesTGrant

          Re: OFTF

          I second that motion Your Honour

    3. Totally not a Cylon
      Linux

      Re: Auto update and reboot anyone?

      My main PC is running Ubuntu, not heavily customised just basically an 'out of the box' install.

      I get small notifications; 'this' has been updated would you like to update?

      Yesterday I got a notification 'Ubuntu 22.04 LTS is available, would you like to upgrade?'

      I left it alone until I'd finished what I was doing and then clicked OK.

      about half an hour later it had finished and my PC looked exactly the same. Compare that to the Windows 10 to 11 upgrade.....

      tl;dr: Linux auto patches itself better than Windows, rarely needs a restart after.

      Basically Linux does what an OS should do whereas Windows is always making a Song & Dance 'hey look I have an update, you need to stop working and pay attention to me!'

      1. Anonymous Coward

        Re: Auto update and reboot anyone?

        Yes, Windows 10 / 11 updates are much faster than that. Annoyingly slow on Linux.

        1. bombastic bob Silver badge
          Stop

          Re: Auto update and reboot anyone?

          ahem - re-read, it was a DISTRIBUTION upgrade, similar to going from Windows 8 to Windows 10.

          How long would THAT have taken, Win "Ape" to Win-10-nic, I wonder... WAY longer than half an hour or so, In My Bombastic Opinion!

          1. Anonymous Coward

            Re: Auto update and reboot anyone?

            It's even more than that, the Windows equivalent would be Windows AND MS Office AND all the other applications you have on the machine, all in one go.

            Given how long a simple security patch takes I think the MS equivalent would have to be measured in days..

          2. Anonymous Coward

            Re: Auto update and reboot anyone?

            Windows 10 to Windows 11 is about 5 minutes. vs 30 minutes you say?

    4. Joe W Silver badge

      Re: Auto update and reboot anyone?

      1. Reboot? A Linux machine? Has not been strictly necessary for a decade or two, except for replacing the kernel (and even that can apparently be done on the fly, though I prefer not to, feels still weird to me)... (don't get me started on Windows and reboots when changing network / printer / mouse settings, though this has substantially improved)

      2. Auto-update tools exist. They are installed automatically by many distros. Yes, this assumes the distros do act quickly and package the updated software, which is true for the bigger distros and the derived ones, since they mostly use the same packages. (and do not get me started on Windows, auto-updates, reboots, and jobs that take a few days to finish and then are interrupted by the auto reboot).

      Hope this helps clearing up some misconceptions

      1. nematoad
        Joke

        Re: Auto update and reboot anyone?

        "Has not been strictly necessary for a decade or two..."

        True, if you are not using Pulseaudio. Another brainwave from that master of reboots Lennart Poettering. There if you install it, uninstall it or just change things you have to reboot. No ifs no buts.

        I have no idea if you have to do the reboot shuffle with systemd, being fortunate to use a distro (PCLinuxOS) that will not touch it with a barge-pole.

        So yes, mostly you can do things without having to reboot all the time but look out! There are forces conspiring to get you into the habit, just like Windows. :-(

        1. RichardBarrell

          Re: Auto update and reboot anyone?

          I have very definitely reconfigured pulseaudio without rebooting.

          1. jake Silver badge

            Re: Auto update and reboot anyone?

            I have very definitely removed pulseaudio without rebooting.

            1. David 132 Silver badge
              Thumb Up

              Re: Auto update and reboot anyone?

              I have very definitely removed pulseaudio without regretting.

      2. bombastic bob Silver badge
        Linux

        Re: Auto update and reboot anyone?

        occasionally a boot might seem cleaner but normally you just stop and restart the various daemons and/or applications. Re-start of desktop might be a good idea, though.

        Recently did a fix for a customer's embedded system after I had fixed an irritating bug in lightdm (source is published on product's GPL page). The updater has to jump through some hoops but no reboot is necessary. However, re-starting the GUI is. Takes about a minute.

        1. Anonymous Coward

          Re: Auto update and reboot anyone?

          I do a reboot mainly to make sure I haven't nuked any processes I may need later. In other words, I reboot just to check that everything starts up as it should, not because I really need it.

          On the flipside, I once kept a server online for a week longer than strictly required, just to annoy the Windows admins in the server department by clocking a full year uptime. Yeah, I'm petty like that :).

          1. captain veg Silver badge

            Re: Petty like that

            Back in the days when we had "a server room" I decided to do a hard reboot on a Windows server because it didn't seem to be responding to the console.

            The machine came back up and informed me that, since it had been running for more than three years without a reboot, it would now perform a fsck. Oh, and that it was running Debian.

            Oops.

            -A.

            1. David 132 Silver badge
              Happy

              Re: Petty like that

              I'm puzzled. Was this a case of "I'm sick of being Windows for so long, I want to now identify as Debian"?

              Or had you just rebooted the wrong machine?

              1. Anonymous Coward

                Re: Petty like that

                It probably was pretending to be Windows by being an SMB server.

                After all, being better at being a Windows file server than Windows itself is what originally got Linux into company use by IT people fed up with having to keep a Windows server alive.

              2. captain veg Silver badge

                Re: Petty like that

                It was in a rack of several identical-looking blades. I was out by one. Wouldn't happen in the cloud, of course.

                -A.

    5. Ben Tasker

      Re: Auto update and reboot anyone?

      > These patches are advertised way before they are available to the end user, so the bad guys are handed a window of opportunity on a plate.

      Sorry, but for the majority of issues this is wrong.

      Issues get reported on the (closed) OSSEC list where they're handled under embargo until the participating distros are ready.

      By the time they get announced, the change is already in the repos of quite a large number of distros.

      It's true that sometimes things come out first - researcher doesn't want an embargo, someone makes a commit public by accident etc etc, but for the vast majority of issues your comment is just uninformed misinformation.

  6. FF22

    Cry me a river

    Linux fanboy's feeling hurt, because Microsoft did what for ex. Google did a million times over in the opposite direction (like publicize a Windows vulnerability, quite often even prior to public patch being released to fix it), and because his pet operating system has been exposed as "not even a tiny bit more secure" than the one he despises (and that not even just now, but every single month, for 25 years now). News at 11.

    1. alcalde

      Re: Cry me a river

      Eh? I'm writing this from a desktop Linux distro right now, and it doesn't even have networkd-dispatcher in its package management system, let alone have it installed. So I'm not crying that my OS is not "not even a tiny bit more secure". To the contrary, my operating system still isn't recording my voice or phoning home 5500 times a day (literally), so I'm actually quite happy....

      https://thehackernews.com/2016/02/microsoft-windows10-privacy.html

      1. BPontius

        Re: Cry me a river

        A lot has changed in the six years since that article was written. Windows 10 and 11 don't report nearly as much telemetry as the early days of Windows 10 and much of the telemetry can be disabled. On Windows 10 & 11 Professional and Enterprise the telemetry can be disabled in services by stopping and disabling the "Connected User Experiences and Telemetry" service (Windows Home with a registry edit); also Microsoft publishes a list of end points Windows 10 & 11 talks to and how to disable them.

        Even through Linux and a VPN you leave all kinds of meta data (browser and TCP/IP) that can be used to trace back to you. Especially if you use a VPN based in the U.S or a five, nine or fourteen eyes country, don't think that their claim of no logging is true. They are required to keep that information for the Government(s) and any one of the nations connected to the alliance will share that information with all the others.

    2. jake Silver badge

      Re: Cry me a river

      "It's better to keep your mouth shut and be thought a fool than to open it and remove all doubt." —Unknown

    3. Joe W Silver badge

      Re: Cry me a river

      Google != Linux

      So... what was your point?

      Oh, and since it usually took Microsoft ages to even acknowledge a bug existed this is probably not an entirely fair comparison anyways. And it was not about releasing the info early, which has not been done here, so kudos to Microsoft on that, but has been done by Google (which is stupid and petty and sucks a lot!), it is about going "nee-nah, you also have bug, and even though it is not really a relevant software package for most we'll give it a catchy name so the news catch up on it".

    4. trindflo Bronze badge
      Linux

      Re: Cry me a river

      The author is commenting that it seems like Microsoft is trying to get marketing mileage out of finding a leak in a Linux add-on. Linux is not a for-profit enterprise, so there is no Linux marketing department doing things in the "opposite direction" to Windows. Linux certainly isn't Google.

      Nobody I can think of cares that the vulnerability has been reported, especially since it has already been patched without waiting for patch Tuesday (usually the best case) or until Microsoft has been publicly shamed into doing something about it.

      IMHO closed source is the tattered security blanket of obscurity. You should expect to get called on that reasoning any time you use it.

      1. werdsmith Silver badge

        Re: Cry me a river

        Linux is not a for-profit enterprise, so there is no Linux marketing department doing things in the "opposite direction" to Windows

        Are you new to Register comments?

        1. bombastic bob Silver badge
          Meh

          Re: Cry me a river

          I saw 163 posts. So, no.

    5. elaar

      Re: Cry me a river

      "Feeling hurt"? You're the only one here getting all emotional.

      None of my Linux systems even use networkd-dispatcher....

  7. AdamWill

    Note

    Note, this flaw is in a third-party addon for systemd-networkd (called networkd-dispatcher) which most distributions don't even package, let alone install by default. It seems like it's installed by default on Ubuntu and Mint - at least in some configurations - for some reason, and Mint also has some quirks which might make exploiting it easier (from what I read it's likely quite hard to exploit on Ubuntu even if it's technically vulnerable).

    1. diodesign (Written by Reg staff) Silver badge

      "most distributions don't even package"

      It gets more desperate the more you look at it. It's not on our Debian 11 workstations.

      That it's in default Ubuntu, so some people out there are using it, is Redmond's saving grace.

      C.

      1. Neil Barnes Silver badge

        Re: "most distributions don't even package"

        barnacle@barnacle-Latitude-7480:~$ ps ax | grep networkd-dispatcher

        613 ? Ss 0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers

        So it's there in Mint, but the update manager is telling me there's an update for it...

      2. Doctor Syntax Silver badge

        Re: "most distributions don't even package"

        I see it listed by synaptic which at first sight looks odd as this is Devuan but, of course, Devuan falls back to Debian (11 in this case) repositories for what it doesn't maintain itself. So although you might not be running it you would be able to see it listed there.

  8. Pascal Monett Silver badge
    Windows

    Absolutely thrilling

    Borkzilla has discovered that its malformed offspring is not the only thing in the Universe that has issues.

    I'm so choked I'm almost going to shed a tear.

  9. rmstock

    Many certified experts have warned for this

    systemd is actually a Trojan horse software package which was successfully launched into the open source UNIX community, not only Linux, once Microsoft had established their BOOT BIOS Hegemony called UEFI in new hardware. The documentation for systemd on systemd.io is rather vague, certainly is miles away from the much-vaunted Unix "philosophy". In short, systemd can do anything, not only has taken over udev but has grabbed sole rights (Monopoly?) when it concerns hardware with UEFI :

    https://crashrecovery.org/systemd/DEB/ubuntu2004/systemd-stable-250.pdf

    page 9 :

    "systemd can interface with the boot loader to receive performance data and other information, and pass control information. This is only supported on EFI systems. Data is transferred between the boot loader and systemd in EFI variables. All EFI variables use the vendor UUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f. "

    A good remedy is to have new hardware released with an old-fashioned but proven legacy BIOS. Maybe AMD can be of help and do an Elon Musk style buyout of Microsoft UEFI .

    1. sinsi

      Re: Many certified experts have warned for this

      "systemd can interface with the boot loader to receive performance data and other information, and pass control information. This is only supported on EFI systems. Data is transferred between the boot loader and systemd in EFI variables. All EFI variables use the vendor UUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f. "

      Any software can query the UEFI loader, the variables can be enumerated, nothing hidden.

      Microsoft were late to the party, Intel started it and Apple joined in a bit later. The bad thing MS did was to create secure boot, but any decent BIOS lets you disable that.

    2. DrXym

      Re: Many certified experts have warned for this

      I'm not understanding the paranoia here. If your computer uses UEFI and it exposes useful info (e.g. serial nrs, BIOS info, CPU temperature, fan speed etc.) then why shouldn't systemd provide a mechanism to read that information?

      1. Marcelo Rodrigues
        Boffin

        Re: Many certified experts have warned for this

        "...then why shouldn't systemd provide a mechanism to read that information?"

        Because of the UNIX philosophy: "Do one thing only, and do it well". Systemd is trying to be the jack of all trades, doing everything under the sun. It shouldn't - it creates complexity, makes it harder to maintain and broadens the attack surface.

        ONE thing should do what the old sysinitV did.

        ANOTHER thing should take care of the network

        A third one should read the sensors.

        And so on. NOT one monolithic monster, spreading its tentacles over everything.

        1. David 132 Silver badge
          WTF?

          Re: Many certified experts have warned for this

          Whenever I read about what new capability Poettering has assimilated into Systemd, all I can think of is that old SNL sketch - "It's a floor wax! It's a dessert topping!"

        2. DrXym

          Re: Many certified experts have warned for this

          I don't believe systemd is trying to be a jack of all trades. It's a facilitator of services and low level system functionality and that is what it does via processes running via the principle of least privilege. Some people seem to conflate systemd being a single package with it being a single executable doing all this stuff when that is not what is happening. It's gotten to the point that it's kind of boring even bothering to respond to these stupid flamebait stories because people will vote people down for pointing out reality.

  10. Mike 137 Silver badge

    A truism that omits the bottom line

    "Defending against the evolving threat landscape requires the ability to protect and secure users' computing experiences, be it a Windows or non-Windows device," Bar Or opined.

    Ideally, defending against the evolving threat landscape would fundamentally start from sufficient resourcing and expertise to avoid applications being utterly riddled with exploitable vulnerabilities in the first place.

    Sorry - I snoozed for a moment and was dreaming.

  11. Ball boy Silver badge

    Oh, a discovered bug?

    Thank you to the person/team that discovered this, I'm sure it made a welcome change from reporting issues to (insert name of a major closed source OS here), who would have sat on it for a while before doing a cost/benefit analysis and then, hopefully, adding the snag to their list of things to fix next time they issue a routine patch.

    As it is, a bunch of people, all calling on experience from vastly different areas, will be scouring the source code as we speak to find the issue and create a workable solution. A patch will then be released as soon as it's ready; there'll be no holding it back until a magic day in the month is reached or until a dozen other patches are also ready to be pushed out in the same update.

    That's the beauty of open source: not only can anyone with the skill set examine the codebase and spot trouble, they can make changes and propose updates for the wider community.

    Software has bugs. It's unavoidable and is even more likely to happen when code crosses OS, application, etc. boundaries. What's important is how well (for some issues read: how quickly) these issues are addressed.

    As you were. Nothing to see here; it's simply an issue that's been found in a utility package that many don't even use.

    1. Richard 12 Silver badge

      Re: Oh, a discovered bug?

      The patch is already available, has been for a couple of weeks if not longer.

      All due, of course, to the beauty of open source.

    2. Stuart Castle Silver badge

      Re: Oh, a discovered bug?

      Re: "A patch will then be released as soon as it's ready; there'll be no holding it back until a magic day in the month is reached or until a dozen other patches are also ready to be pushed out in the same update."

      In fairness to Microsoft, they bundle the patches up because Enterprise administrators complained. After all, if you are managing a fleet of PCs numbering in the thousands, you likely have a set at-risk time to apply updates, so you can pre-warn the users, and they know to expect potential problems and reboots. It's much easier if you can tell the users they'll be updated a few times a month rather than more than that.

      Also, when dealing with production servers, you definitely want to reduce the reboots as much as possible because if the server is rebooting, it's not doing work for the company (hosting files, a website etc).

      Of course, Microsoft do issue emergency patches as well, and as an enterprise administrator you should be, to the best of your ability, testing every single patch before sending it out for deployment.

      Even if you host your own update server, and can delay the updates going out (effectively bundling them up yourself), then it's easier if you can test patches released in bulk, as it means you can set aside an amount of time for testing.

      It's also worth noting that bug fixes can be missed in Open Source as well. How long was the Heartbleed bug actually in the OpenSSL source code, which despite powering several of the world's busiest websites, was being maintained by a small team, all of whom had day jobs? Don't get me wrong. I love Open Source, but in this case, most people were essentially leeching the OpenSSL source code. Now, while there are no restrictions on Open Source preventing anyone doing this, I would argue that the larger users of a project should certainly contribute something whether that is development/bug fixes or money.

  12. emacs-enjoyer

    SystemD + Linux

    I'd just like to interject for a moment. What you're referring to as Linux, is in fact, SystemD/Linux, or as I've recently taken to calling it, SystemD plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning SystemD system made useful by the SystemD corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.

    Many computer users run a modified version of the SystemD system every day, without realizing it. Through a peculiar turn of events, the version of SystemD which is widely used today is often called "Linux", and many of its users are not aware that it is basically the SystemD system, developed by the SystemD Project.

    There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the SystemD operating system: the whole system is basically SystemD with Linux added, or SystemD/Linux. All the so-called "Linux" distributions are really distributions of SystemD/Linux.

    1. unimaginative
      Pint

      Re: SystemD + Linux

      I suspect your humour is a bit too subtle. I wonder how many down votes you will get from people oblivious to the satire.

      Cheers, you might need this --->

      1. Anonymous Coward
        Anonymous Coward

        Re: SystemD + Linux

        I also like the vi-ing for controversy in the choice of handle for this post

        ;)

    2. bombastic bob Silver badge
      Linux

      Re: SystemD + Linux

      Ain't no "systemd" on MY Linux workstations. Devuan.

      I call *THAT* Linux.

      1. captain veg Silver badge

        Re: SystemD + Linux

        Running the plain Ubuntu-based Mint here on my desktop/laptop PCs. Tempted by LMDE.

        I'd genuinely appreciate your honest appraisal on running Devuan on a GUI system. The only "must-have" is the ability to spin up Windows VMs. Currently using VirtualBox for that.

        -A.

  13. thejoelr

    What is the actual exposure?

    The list of affected systems among distros seems to be fairly limited. And MS disclosed it what, 2 or 3 weeks after disclosing to the author.. is that standard practice for security? I swear I've seen other issues held for months while patches are pushed out. Overall I welcome MS helping to secure Linux distros if they follow standard practices. Everyone benefits from more secure Linux distros.

    1. werdsmith Silver badge

      Re: What is the actual exposure?

      Yes exactly. MS, as an active part of the Linux world now, have found a vulnerability and addressed it. Nothing to do with whataboutery. The Register has mischievously baited the zealots with its headline and judging by the hilarious indignation in these comments, quite a few have bitten.

      1. Anonymous Coward
        Anonymous Coward

        Re: What is the actual exposure?

        Gets a bit tedious after a while.

  14. wolfetone Silver badge
    Linux

    "It's nice of Redmond to point out these flaws and have them fixed in any affected distributions; the US tech giant is a big user of Linux and relies on the open-source OS throughout its empire."

    Never a sweeter sentence written when we remember what rent-a-gob Ballmer said about Linux, the prick.

    1. Roland6 Silver badge

      Reading the article, I get the distinct impression MS are committing much development resource to Linux, so reading between the lines, perhaps this is another indication that MS are on the way to replacing Windows with a MS Linux distribution...

      1. bazza Silver badge

        Sounds like it, though I think it's interesting to see where their effort is spent. Server type things eg SQL Server, but not desktop like things such as Office. The year of the Linux Desktop has not arrived.

        1. Roland6 Silver badge

          Well with MS effectively end-gaming on-premise Windows Server, it makes it easier for Azure Windows Server to become Linux-based.

          WRT desktop, the release of Office for Linux will effectively announce the end-gaming of (non-Linux) MS Windows.

          It is perhaps noteworthy that MS seem to not be giving much attention to Free/OpenBSD even though effectively with their Mac software development they have in-house skills.

          1. Binraider Silver badge

            Server 2019 is still on-prem-able? Haven't tried the latest release yet, in fact the only reason I keep the former around is to use it as a desktop in lieu of 7.

  15. Binraider Silver badge

    Flaw identified, patch enters testing and is closed up. No fuss, no mess.

    Well, at least as long as it's a supported package. How much crap is reported in Win world that never gets fixed? How much do you not have the ability to audit?

    Systemd is not my favourite of course, because greybeards say as much. Generally have good reason to trust greybeards. It is, of course, hard to avoid in easy-to-live with distros. Yes, yes, I know, Devuan is a thing. But not that simple to pick up as Manjaro etc.

  16. Anonymous Coward
    Anonymous Coward

    Yeah, yeah...

    Great Microsoft...now fix the fucking Office 365 admin dashboards please...they're fucked.

  17. Anonymous Coward
    Anonymous Coward

    Where is @eadon...

    When you need him?

  18. martinusher Silver badge

    It's a computer, what do you expect?

    All I know about the Linux running on this machine is that when I occasionally boot the system under Windows 10 the processor's maxed out -- it runs hot, its fan going continuously and the system is always short of cycles to the point where it can be unresponsive. Under Linux "it just works" (doing the same tasks) and the processor's fan is usually silent. I have no idea what Windows is doing and I don't really want to spend the effort finding out.

    If there is nasty stuff creeping into Linux it's invariably the result of creeping "Windowization" of components. As a rule when something is advertised as a 'service' this usually is a cue for bloated, performance sucking and somewhat buggy code. This isn't anything to do with the notion of services so much as its misapplication -- anything that's remotely accessible (even indirectly so) has to tolerate poorly formed input data, it's a fundamental rule of networking, and time and again we find that bugs are due to programmers making assumptions about what's being handed to them over an interface (and not testing their work that well).

    1. Boris the Cockroach Silver badge
      Big Brother

      Re: It's a computer, what do you expect?

      Which is exactly what happens to the win10/linux mint dual booter next to me (defaults to mint of course after grub gives you 3 seconds to stop the autoboot)

      Win10 thrashes the HDD for 30 mins straight after booting up, then goes 'update' and another 30 mins shutting down before 30 mins booting up and another 30 mins thrashing the HDD again before you can get it to respond to opening firefox.

      Which is why it boots into linux mint and is completely usable after 90 secs AND IT'S ON THE SAME DAMN HARDWARE.

      Also there's no chance that mint is sending everything I do back to redmond.

      I wonder if you criticise m$ too much, they flip a switch that means your win 10/win 11 PC won't boot .........

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a computer, what do you expect?

        A year after WinXP went EOL, I converted my (not new then!) WinXP box to Ubuntu. Since then I've replaced the hard drive and maxed the memory (8 GB) - never upgraded the processor. It's still my home desktop, and still runs modern software better today than it ran anything under XP.

  19. spireite Silver badge
    Boffin

    Systemd-hate

    I don't get the reason for the dislike.

    I assume there are a few purists out there, but really - does anyone normal actually care that much?

    What's an actual valid reason for the hate? (please, I'm genuinely interested)

    1. jake Silver badge

      Re: Systemd-hate

      There is a reason that an init, traditionally, is a small bit of code that does one thing very well. Like most of the rest of the *nix core utilities. All an init should do is start PID1, set run level, spawn a tty (or several), handle a graceful shutdown, and log all the above in plaintext to make troubleshooting as simplistic as possible. Anything else is a vanity project that is best placed elsewhere, in its own stand-alone code base.

      Inventing a clusterfuck init variation that's so big and bulky that it needs to be called a "suite" is just asking for trouble. The systemd-cancer is b0rken by design and implementation.

      A cancer? Yes, by any definition. Consider: systemd takes root in its host, eats massive quantities of resources as it grows, spreads unchecked into areas unrelated to the initial infection, and refuses to die unless physically removed from the system, all the while doing absolutely nothing of benefit to the host. That sounds an awful lot like a cancer to me ...

    2. Binraider Silver badge

      Re: Systemd-hate

      Chiefly, the binary-blobness is reminiscent of the registry. But largely systemd is functional as long as I don't want or need to roll my own distro.

      The latter is mostly a learning exercise. Systemd is pretty hard to learn from.

  20. Anonymous Coward
    Anonymous Coward

    Not so much pot calling kettle black...

    As Vantablack pot calling slightly smudged kettle black.

    Seriously, Microsoft? You named a security hole in a side package and publicized it, while quietly fixing dozens of similar issues in your OS? Sounds like classic MS FUD tactics again.

  21. Jeremy Allison

    Symlinks, the poisonous gift that keeps on giving.

    Oh look. *ANOTHER* symlink toctou vulnerability. When will we finally admit that the addition of user-creatable symlinks has been a disaster for POSIX and secure coding? I will stand my ground and claim it is *IMPOSSIBLE* for application developers to safely use the POSIX filesystem API securely in the face of symlinks. Simply can't be done correctly.

    At least Microsoft learned their lesson when they added symlinks to NTFS, and they made the creation of them Administrator-only.

    That one simple change probably saved them *YEARS* of symlink toctou vulnerability fixes, if it's even possible to fix them all.
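The bug class this comment refers to is a symlink time-of-check/time-of-use race: a program stat()s a path, decides it is safe, and then open()s the same path, while in between an attacker with write access to that directory swaps the file for a symlink. The example below is added here to show the shape of the bug and the usual defensive pattern; it is not code from this thread or from networkd-dispatcher. The temp directory and file names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only without following a symlink at the final path
 * component, then validate the object actually opened using fstat() on the
 * descriptor. A stat()-then-open() sequence is the racy shape: the path can
 * be replaced by a symlink between the two calls. Checking the fd instead
 * checks the exact inode this process now holds, so there is no window.
 * Returns an fd >= 0, or -1 with errno set (ELOOP when a symlink was refused). */
int open_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* ELOOP: final component is a symlink */

    struct stat st;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {         /* refuse FIFOs, devices, directories */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Demonstration harness (constructed sample layout): builds a temp directory
 * holding a regular file and a symlink pointing at it, then checks that the
 * regular file opens and the symlink is refused with ELOOP.
 * Returns 1 on exactly that outcome, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/nofollow_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;

    char real[64], link[64];
    snprintf(real, sizeof real, "%s/real.txt", dir);
    snprintf(link, sizeof link, "%s/link.txt", dir);

    int wfd = open(real, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (wfd < 0) {
        rmdir(dir);
        return 0;
    }
    const char msg[] = "sample contents\n";
    ssize_t n = write(wfd, msg, sizeof msg - 1);
    close(wfd);

    int ok = 0;
    if (n == (ssize_t)(sizeof msg - 1) && symlink(real, link) == 0) {
        int fd_real = open_regular_nofollow(real);
        int fd_link = open_regular_nofollow(link);
        int err_link = errno;           /* errno from the refused open() */
        ok = (fd_real >= 0 && fd_link < 0 && err_link == ELOOP);
        if (fd_real >= 0) close(fd_real);
        if (fd_link >= 0) close(fd_link);
    }

    unlink(link);
    unlink(real);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("regular file accepted, symlink refused: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW only governs the final path component, so a symlinked parent directory is still followed. When the directory itself is attacker-writable, the same idea extends upward: open the directory once, verify it with fstat(), and resolve further names relative to that descriptor with openat(), so every decision is made against an inode the process already holds rather than a path that can change underneath it.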

  22. Anonymous Coward
    Mushroom

    EEE

    The next phase begins now

  23. razorfishsl

    They can kiss my ass

    I found an exploit today in their Azure, where I can get into an account that is signed out and not even using the same login details.

    Seems if you can get the cookies of a logged OUT account, then login as admin to another, it auths you into the logged out account...
