Cracks in Linux Kernel Plugged
Open-source developers have released an upgrade to Version 2.4 of the kernel to fix a pair of security vulnerabilities, including one that could let attackers run their own code on target systems.The maintainers of the Linux kernel have released a new version of the 2.4 series kernel to fix two security vulnerabilities, including one that enables attackers to escalate their privilege level and run arbitrary code. Nearly a day after researchers disclosed the vulnerabilities, a young computer engineer posted proof-of-concept exploit code for one of the flawsa virtual memory vulnerabilityto a mailing list. The code, designed to run on x86 machines, was posted on the BugTraq security list.
The more serious of the two vulnerabilities is in a system call that deals with the way that addressable space is allocated and shifted in virtual memory areas. Because of a faulty bounds check, a local attacker could exploit this flaw to run his own code on the machine or disrupt other areas of the computers virtual memory, according to an advisory posted Monday by iSec Security Research, a Polish security organization.