I complained earlier in this blog of a gcc versioning issue with this distro which caused me to decide that as much as I otherwise like K/Ubuntu, there is way too much sloppiness for my taste. I was just reiterating this fact to a fellow Linux user at a LUG meeting this weekend.
As if to prove my point (times a thousand), an “extremely critical” security hole was found in K/Ubuntu today. Apparently, the root password is clearly readable in some installation log files by anyone with a user login.
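The defect described above is a specific instance of a general failure mode: an installer writes a secret into a log that is left readable by every local account. The audit below is an added example and not code from the post or from the Ubuntu project; it walks a log directory, reports files that are both world-readable and contain a credential-looking line, and tightens the mode to 0600 as remediation. The directory layout, file names, the `root_password=` line and the regular expressions are all constructed assumptions for the demonstration, not the real format of the 5.10 installer logs.

```python
import os
import re
import stat
import tempfile

# Constructed, assumed patterns for credential-like log lines. A real audit
# would tune these to the installer and tooling actually in use.
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(root[_-]?password|passwd|password)\s*[=:]\s*\S+"),
]


def world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_logs(log_dir, patterns=SECRET_PATTERNS):
    """Return (path, line_no) pairs for world-readable files that contain
    a line matching one of the credential patterns."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            path = os.path.join(root, name)
            if not world_readable(path):
                continue  # only exposure to other local users is in scope
            try:
                with open(path, "r", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        if any(p.search(line) for p in patterns):
                            findings.append((path, line_no))
            except OSError:
                continue  # unreadable to us; nothing to report
    return findings


def restrict(path):
    """Remediation: owner read/write only (0600). Returns the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return oct(os.stat(path).st_mode & 0o777)


def demo():
    """Build a constructed log directory, audit it, fix it, audit again."""
    log_dir = tempfile.mkdtemp()
    leaky = os.path.join(log_dir, "installer.log")   # assumed name
    clean = os.path.join(log_dir, "dmesg.log")       # assumed name
    with open(leaky, "w") as f:
        f.write("Setting up base system\n")
        f.write("root_password=example-only\n")      # constructed secret line
    with open(clean, "w") as f:
        f.write("kernel: booting\n")
    os.chmod(leaky, 0o644)  # the sloppy default the post complains about
    os.chmod(clean, 0o644)

    before = audit_logs(log_dir)
    for path, _ in before:
        restrict(path)
    after = audit_logs(log_dir)
    return [os.path.basename(p) for p, _ in before], len(after)


if __name__ == "__main__":
    flagged, remaining = demo()
    print("flagged before fix:", flagged)
    print("findings after fix:", remaining)
```

Run as the user that owns the logs (or root on a real system). The check is deliberately narrow: a file that is mode 0640 and group-readable by an administrative group is not flagged, so the pattern list and the permission test both need adjusting to local policy before being used as a cron job.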
I’ve never heard of even Windows getting this sloppy. Now granted, the K/Ubuntu developers fixed this issue faster than Micro$haft ever would have, but this release has been out since October 2005 (hence the version number 5.10; 5 for the year and 10 for the month) and no one (correction: no white hat hacker!) had even noticed it until now. So as far as we know, any number of black hats could have been secretly compromising root passwords all this time, as long as they had a user account on the systems in question. And let’s not forget that before the October release date, the developers had all that time while it was in beta stages to correct the problem as well. So how long, all told, was this problem in place unbeknownst to the developers? Since the previous release 6 months prior? So close to a year, maybe? Now granted, I don’t know how easy it is to remotely access these log files if you don’t have user access, but I’d say this security hole as described is catastrophic enough!
As far as media buzz goes, everyone seems to be concentrating on what a tribute to the open source community it is that a patch was released within 2 hours of the problem’s public discovery. And sure, of course it is. I can’t think of a single company that would have reacted that quickly. But!! While I love Linux and hate Windows as much as the next enthusiast (maybe more), I simply cannot turn off my objectivity and common sense long enough to be anything less than horrified that this problem occurred in the first place. It’s just inexcusable. I can’t help thinking what havoc could have been wreaked if banks, hospitals, the Social Security Administration, the Pentagon, or other organizations with highly sensitive data had been using this on their production servers.
I, for one, will not be trying this distro again for a long time.