Linux News Today: Don't Panic About Recent Zero-Day Linux Kernel Vulnerability, It's Not That Bad
The kernel vulnerability that was revealed only yesterday has some users panicking, but the truth is that panic isn’t really warranted.
It’s easy to scare users with warnings of vulnerabilities in the Linux kernel, which powers pretty much everything. The vulnerability was aptly named CVE-2016-0728, which is not all that impressive. This is the first indication that it’s not that bad. When something is bad enough, it usually receives a name, like Heartbleed for OpenSSL. When you’re called CVE-2016-0728, it’s hard to become a serious threat.
The vulnerability was discovered by a security firm named Perception Point Research, which also built an exploit to show that it can really be used. It turns out that this particular vulnerability has been present in the kernel since 2012, which is a very long time. The good news is that the kernel security team hasn’t found any evidence that this particular vulnerability has been exploited.
It’s not all that bad
It’s important to be concerned about the security of your system, but there is no real reason to panic about CVE-2016-0728. The original announcement circulated with the claim that it affects all operating systems powered by anything above Linux kernel 3.8, and that included a large number of Android devices.
There are some caveats, though. Many Android phones are still using the old 3.4 branch, and not all of them have moved to newer versions. Some developers have backported some of the features, but many of the phones aren’t prone to this problem. You can give thanks for the incredible fragmentation of the Android market.
As for the Linux operating systems, all of the important ones have been updated already, and the patch has been made available. Sure, there are going to be some systems that take longer to update than others, but it’s a much safer environment than Android.
All in all, it’s a vulnerability that will give an attacker root access to the system, but the exploit takes a long time to run, and security teams already know about it.
If you want to panic over vulnerabilities, do so about the more dangerous ones that have yet to be found.