Sunday, 2011-03-13 15:02 MDT

Linux USB vulnerability

Don't get cocky, kid!

— Han Solo

With all the Windows vulnerabilities running around loose, Linux fans have no great reason to be sitting back resting on their security laurels. It turns out that there was until recently a buffer overflow vulnerability in the Caiaq USB driver. It was detected by MWR Infosecurity and reported March 7. They report building a USB device to take advantage of the vulnerability (PDF).

OK, the vulnerability requires plugging in a USB device, so it requires physical access. The bad guy waits until department secretary Matilda waltzes away from her desk. He then wanders over to her desk and sticks his Trojan USB device into her computer. He waits five seconds, then withdraws it and walks away. By then udev has loaded the driver, and the driver has initialized the device. The buffer overflow exploit carries a small payload, which then executes with root privileges. The payload then further compromises Matilda's computer, say by appending the bad guy's public SSH key to root@matilda:~/.ssh/authorized_keys.

Linux definitely gets points for quick turnaround. The guys who found the vulnerability also provided a fix. That is usually only possible when the source is generally available. In fact, it was probably someone going through the driver for some other reason who found the vulnerability.

OK, this is an attack which requires physical access to the target, and which can be foiled by good physical security. Yawn, right? Not so fast. The HB Gary scandal shows that HB Gary Federal had potential clients that were interested in just such an exploit.

Buffer overflows due to insecure library functions are a well known vulnerability. Programmers should avoid those functions not only for security reasons but for data integrity reasons. Even Microsoft figured this out, and banned certain vulnerable library functions, four years ago. They even have a header file that flags banned functions in your code.

Here's my question: Does anyone audit the Linux kernel for these sorts of things? How hard is it to write a cron job based on a shell script with something like:

find . -iname '*.[ch]' | xargs grep -n '\(strcpy\|…\)' | mailx …
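One way to flesh that out, as an added example that is not part of the original post: a scan function that only fires on actual call sites (so strcpy_s, my_strcpy and a comment naming strcpy stay quiet), a counter for an alert threshold, and a constructed sample tree for a dry run. The list of banned functions and the /usr/src/linux path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The banned list below is an
# assumption drawn from common overflow-prone libc calls; extend it as needed.
BANNED='strcpy|strcat|sprintf|vsprintf|gets|strncpy|strncat|scanf|sscanf'

# scan_banned DIR: print file:line:code for each call site of a banned function.
scan_banned() {
    # -print0 / -0 survive filenames with spaces; -H always prints the filename.
    # The pattern demands a non-identifier character (or line start) before the
    # name and an opening paren after it. grep exits 1 when nothing matches,
    # which is the good case here, so the function always returns 0.
    find "$1" -type f \( -iname '*.c' -o -iname '*.h' \) -print0 \
      | xargs -0 grep -nHE "(^|[^[:alnum:]_])($BANNED)[[:space:]]*\(" 2>/dev/null
    return 0
}

# count_banned DIR: number of call sites found, for an alerting threshold.
count_banned() {
    scan_banned "$1" | wc -l | tr -d ' '
}

# make_sample_tree: constructed sample source tree for a dry run; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    cat >"$d/sample.c" <<'EOF'
#include <string.h>
static char buf[16];
void f(const char *s) {
    strcpy(buf, s);          /* hit */
    strcpy_s(buf, 16, s);    /* no hit: different identifier */
    my_strcpy(buf, s);       /* no hit: part of a longer name */
    sprintf (buf, "%s", s);  /* hit: whitespace before the paren is fine */
}
EOF
    printf '%s\n' "$d"
}

# Cron usage (assumed tree path): mail the report only when something was found.
#   n=$(count_banned /usr/src/linux)
#   [ "$n" -eq 0 ] || scan_banned /usr/src/linux | mailx -s "banned calls: $n" root
```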

Posted by Charles Curley | Permanent link | File under: security, linux