The flaw, found by two software programmers, could give a user with access to a Linux system the ability to crash the system using two dozen lines of code written in the C programming language, said an advisory posted over the weekend on linuxreviews.
"Assume your kernel is (vulnerable) unless you have good reason to believe it is safe," Oyvind Saether, one of the discoverers of the flaw, said in the advisory.
The program, dubbed "evil.c," causes problems with the code sent to the floating-point unit, the part of the processor that handles noninteger calculations, according to a note in a source code patch published by Linux founder Linus Torvalds.
The open-source Linux operating system has fallen prey to its share of flaws and attacks this year. Several flaws were found in the Concurrent Versions System, CVS, a commonly used application for managing open-source code under development. In March and April, online attackers targeted Linux and Solaris systems at many academic high-performance computing centres.
Researchers also found flaws in the OpenSSL software used by many Linux distributions to enable secure Internet communications.
On Monday, staffers associated with Red Hat's community-based distribution, Fedora, released an update to Fedora Core 2, to fix the latest problem. The kernel patch has also been included in the latest release candidate of the Linux kernel, 2.6.7-RC3, which is expected to be released soon.
Other distributions of Linux should be fixed this week as well.
Andrew Morton, the maintainer of the Linux 2.6 kernel, promised a fix within 48 hours and said the flaw was not very serious.
"Bugs wherein local users can lock the machine up are not uncommon, and local users have always been able to bring a machine to its knees anyway -- say, by using up all the memory," he said.
Morton said the discoverers of the flaw didn't give the kernel team any notice before releasing the code to take advantage of the problem -- a no-no in the security community.
Talkback
Since when is CVS part of Linux? Its used on loads of operating systems and is not part of a Linux kernel.
Get your facts(?) right
This bug had been fixed before ZDNet even managed to post the story about it - see kernel.org
any infinite loop even in scripts could crash any operating system (I will not list examples here).
But talk about a mediocre bug that never was!
The new kernel comes now with optional UML (User Mode Linux) which would protect a machine from the most avid intentional crashing scripting.
Gosh this site is getting pretty uninformative, perhaps it's time to delete the feed.
Rogue click can take down Windows systems!
A security flaw in the windows operating system has been discovered. Windows is a propietary monopoly OS. Proprietary is a business model when a corporation bands together many paid programmers of dubios quality to churn out closed programs that the customers are forced to take as is.
The flaw found by a little old lady can execute at random whenever anything is clicked by a local user.
"Assume your copy of windows is (vulnerable) unless you have good reason to believe it is safe," Steven Balmer said in an advisory.
The proprietary closed-source Windows operating system has fallen prey to its share of flaws and attacks this year. But then again, doesn't it always.
Bill Gates, the Chief Software Architech of the Windows OS, promised a fix within 48 years and said the flaw was not very serious.
"Bugs wherein local users can lock the machine up are not uncommon, and local users have always been able to bring a machine to its knees anyway -- say, by using up all the memory," he said.
Billy G. said the little old lady didn't give the kernel team any notice before calling her grandson about the problem -- a no-no in the proprietary community.
This has always been the case with every platform, where is the news?
With the ZX81 and CBM machines, it only took 1-2 lines of code. MS-DOS didn't need much more. Windows 1-3 needed just a bad library call to bring the machine to its knees. Windows 9x was pretty much the same and you could probably kill XP with a couple of well place library calls using invalid parameters (in fact, running many commercial games on XP will bring up the BSOD or an automatic reboot).
On a training course, we even managed to take down a VAX running VMS using a few lines of DCL, theoretically the same concept could be used to bring a Unix/Linux machine to its knees.
Locally attached users have always been able to do bad/stupid things and stop a machine running.
And I've seen a couple fo mini's and PC's killed by people who didn't even need to log in, a cleaner or engineer pulling the wrong plug out the wall is just as deadly.