Month of Kernel Bugs: Linux in the lead
At this point in time, nine vulnerabilities in operating system kernels have been publicised as part of the Month of Kernel Bugs. Following on July's Month of Browser Bugs initiated by H.D. Moore, a similar project to highlight security vulnerabilities has been announced for November under the title "Month of Kernel Bugs" (MoKB). The project's initiators intend to release one security hole per day for the various operating system kernels. Up until now, fuzzing tools like "fsfuzzer" and "fs-bugs" have been used to turn up the errors.
Three of the publicised holes affect Linux kernel 2.6, two FreeBSD 6.1, two Mac OS X, one Solaris and one Windows. Proof of concept exploits have already been released for seven of the vulnerabilities, demonstrating the problems in the respective kernels. Five of the vulnerabilities can be used to inject and execute code, according to their discoverers' assessment. The remainder crash the system. The hole in Apple's Orinoco driver is the only one that can be exploited over the net or via WLAN.
No patches have been released for any of the vulnerabilities as yet. On the other hand, several of the errors seem only remotely likely to be provoked on standard systems. Hence two of the publicised errors in Linux are related to the "squashfs" file compression system, which is generally only used in embedded systems; another bug is found in zlib, which together with the file system "cramfs" can lead a system to crash.
- Month of Kernel Bugs (MoKB), overview of all reports from the MoKB