The Kernel Exploit Timeline
Posted by creining | Filed under Security
The Kernel Exploit Timeline covers the process of patching the Linux kernel for a bug that allowed a 20-line C program to trigger a floating point exception that put the kernel into an unusable state.

As most people close to me know, I tend to favor open source software over proprietary software. One of the reasons I do is the turnaround time on security fixes. Open source developers value their reputations more than anything else (when money is not in the mix, what else is there?), and a reputation goes a long way in the open source world. For instance, I wouldn't hesitate to use any of DJB's software, because I know he is an extremely security-conscious coder. I think that kind of reputation is something you don't find in the commercial world. At Microsoft they churn out bug-ridden, bloated code and most people still buy it. Where's the motivation to write secure code? Where's the motivation to release patches in a timely manner? The coders still go home with a paycheck no matter how many bugs are teeming in the code and no matter how long it takes to get that patch out.

With respect to the Linux kernel exploit, it would appear that the time from disclosure (with exploit code) to the major distributions announcing a new kernel was not more than 5 days. 5 days! That's a great turnaround, and it's worth noting that there was a temporary patch available in less than 2 days. There's a huge difference here. The Linux folks reacted and solved the problem. They didn't sit around pissing on their hands for months and making excuses like a lot of vendors do.