The 2009 Pwnie Nominee For Most Epic Fail

Linux default kernel security

Linux kernel development team

Last year, Linus Torvalds and the Linux kernel team were nominated for the Lamest Vendor Response Pwnie. This year, they were nominated for Most Epic FAIL due to the results of their continual response to security vulnerabilities. Here are some highlights of Linux’s Year in Security 2009:

  • 4 byte overflow resulting in reliable remote disabling of SELinux
  • Improperly patching a 7 year running local bypass of a flawed ASLR implementation
  • Arbitrary root command execution via an environment variable
  • Silent disclosure of numerous kernel vulnerabilities

Finally, as descibed in a Usenix HotOS paper:

An attacker seeking to exploit unidentified vulnerabilities in Linux bug-fix disclosures would have, as Figure 2 shows, between 4 and 16 bugs with hidden impact waiting for him or her at any time in the last three years.