CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

Collapse
This topic is closed.
    CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

    Should we be worried about this?

    http://isc.incidents.org/diary.html?storyid=9574

    I'm running Lucid vmlinuz-2.6.32-24-generic-pae 32-bit.

    Btw, Wikipedia tells me pae is to address memory beyond 4GB. I have exactly 4GB. So why pae? Or is it always installed?
    'I must have a prodigious quantity of mind; it takes me as much as a week sometimes to make it up.' Mark Twain

    #2
    Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

    "beyond" is wrong. 4 GB and higher should be stated. That's why you have the PAE-kernel.
    Most important laptop specs (this is my main computer, with Kubuntu on it): 4096MB RAM (DDR2), 500GB Hard Disk, ATI Mobility Radeon 4570HD Videocard with 512MB GDDR3 RAM, up to 2280MB VRAM, Intel® Core™ 2 Duo-processor T6600. OS: Kubuntu 10.10



      #3
      Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

      Originally posted by joneall
      Should we be worried about this?

      http://isc.incidents.org/diary.html?storyid=9574

      I'm running Lucid vmlinuz-2.6.32-24-generic-pae 32-bit.

      Btw, Wikipedia tells me pae is to address memory beyond 4GB. I have exactly 4GB. So why pae? Or is it always installed?
      Wikipedia is wrong there (it's not always the most reliable source, as anyone can edit it - even clueless people).
      32-bit can only handle 3GB. The pae kernel adds the ability to move that 3GB window with lots of swapping.
      You should install the 64-bit version (the upcoming Maverick next month is a good occasion for that). Then you can make the best use of your 4 GB and don't need to worry about that security hole anymore. More info below.

      Originally posted by Yuri sss
      Re: 32 bit vs 64 bit?
      « Reply #9 on: September 07, 2010, 06:11:56 am »
      Originally posted by ScottyK
      Right now I'm running the 32bit 10.04.

      The computer it's running on is a Dell Vostro 1500, with a Intel Dual core 2, 4GB RAM, and 256MB Nvidia 8500 Geforce video card.

      Once 10.10 comes out, I plan to wipe it and install the new release.

      Should I keep it at 32 bit, or upgrade to 64 bit?
      If you want to make full use of your 4GB Ram, then you *must* use 64-bit.
      Due to its architecture, it's *impossible* for 32-bit to use more than 3GB of Ram.
      Another limitation of 32-bit is that no application can use more than 2GB of Ram, which breaks applications using lots of memory, e.g. video processing, dvd ripping, image processing of large files, modern 3D applications etc.

      The 32-bit pae kernel is only an ugly hack. It of course can't address more than 3GB of Ram - all it does is lots of swapping in and swapping out to access the remaining memory. The result of this is increased hard disk activity because of all the swapping, causing more wear and tear for the hard disks (and more noise if you have noisy ones). Also, there's of course a performance degradation - while the OS is busy with the swapping, all other processes have to stand back and are only executed at a reduced speed.

      Originally posted by GreyGeek
      I switched to 64bit with Jaunty. All in all, I see about a 15% performance boost, +- 5%.
      Originally posted by oshunluvr
      I have been strictly 64bit since coming to kubuntu - the main reason I switched - and have had no 32 issues. I even play an old Loki games using 32 bit libs.

      I also rip dvd's often and my experience is about the same as wizards - roughly 2 hrs using 32 bit PCLinuxos and 8-16 minutes with kubuntu.

      My machine specs are in my sig - q6600 oc's and 8 gb ram
      There you have it, just what I said.
      Shinda Sekai Sensen. Kubuntu Maverick RC x64 w/ Kde 4.5.2 (main); Kubuntu 10.04 x64 w/ Kde 4.5.1, to be wiped, no point in keeping it any longer



        #4
        Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

        If I understand then, 64bit does not require a special CPU, but depends only on the RAM. Right?

        For info, my cpu, according to /proc/cpuinfo, is a Pentium(R) Dual-Core CPU E5400 @ 2.70GHz/ Will that do for the 64-bit version?

        Somebody already recommended I install the 64-bit version, but I understood it took more than just what I have. Maybe the video card?

        Thanks in advance.



          #5
          Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

          Originally posted by joneall
          Should we be worried about this?
          .....
          NO, it doesn't affect the 32bit Linux OS and isn't a threat to Ubuntu or Kubuntu. I explain why here.
          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
          – John F. Kennedy, February 26, 1962.



            #6
            Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

            "If I understand then, 64bit does not require a special CPU, but depends only on the RAM. Right?"

            Nope, wrong. It DOES require a special CPU. Well, if you buy a new computer (except for netbooks) then you already have that "special" CPU. But older computers mostly don't have a CPU that is capable of 64-bit, and netbooks don't have that one either.


              #7
              Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

              Originally posted by joneall
              ....
              For info, my cpu, according to /proc/cpuinfo, is a Pentium(R) Dual-Core CPU E5400 @ 2.70GHz/ Will that do for the 64-bit version?
              .....
              Your CPU is 64bit because it is Dual Core. The performance of your computer will increase by about 15% using the 64bit kernel.

              You can check which Linux kernel you are using by opening a Konsole and issuing
              uname -a
              uname -a
              Linux sonyvgnfw140e 2.6.32-25-generic #44-Ubuntu SMP Fri Sep 17 20:05:27 UTC 2010 x86_64 GNU/Linux
              As you can see, I am using the 64 bit kernel (x86_64).


                #8
                Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

                Originally posted by GreyGeek
                Originally posted by joneall
                ....
                For info, my cpu, according to /proc/cpuinfo, is a Pentium(R) Dual-Core CPU E5400 @ 2.70GHz/ Will that do for the 64-bit version?
                .....
                Your CPU is 64bit because it is Dual Core. The performance of your computer will increase by about 15% using the 64bit kernel.

                You can check which Linux kernel you are using by opening a Konsole and issuing
                uname -a
                uname -a
                Linux sonyvgnfw140e 2.6.32-25-generic #44-Ubuntu SMP Fri Sep 17 20:05:27 UTC 2010 x86_64 GNU/Linux
                As you can see, I am using the 64 bit kernel (x86_64).
                That's not entirely true. Some of the original dual core CPUs were not 64bit enabled. You can find out if you have 64bit capability by looking for the lm flag in a 'cat /proc/cpuinfo'.
                Don't blame me for being smarter than you, that's your parent's fault.



                  #9
                  Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

                  zlow, you are correct.

                  I knew the second I posted that that someone would disagree, but I was too lazy to change it because it is essentially true for most laptops today and because the 32 bit dual core had such a short life.

                  The Intel Yonah had two cores but the CPU microcode was 32 bit. As wikipedia pointed out:
                  On July 27, 2006, Intel's Core 2 processors were released. By Q2 2007, Intel expected 90% of its laptop CPU production to be converted to the heavily-revised Intel Core 2 processors. The original Intel Core (Yonah) product had an unusually short lifespan as a stepping stone to the 64-bit Intel Core 2.

                  Or, like my 6 year old Gateway m675prr laptop which, although it had only one CPU, used hyper-threading to mimic two CPUs. That really didn't make it faster. The Linux system monitor's "system load - CPU history" graph would show two lines as if there were actually two CPUs when, in fact, there was only one. It confused the threads with separate CPUs. So, two CPU lines doesn't mean that one is running a dual core machine, either. The 64 bit Linux OS would reject the install when I attempted to try it out on that Gateway, as it would on all 32 bit dual cores.


                    #10
                    Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

                    Originally posted by GreyGeek
                    zlow, you are correct.

                    I knew the second I posted that, that some one would disagree., but I was too lazy to change it because it is essentially true for most laptops today and because the 32 bit dual core had such a short life

                    The Intel Yonah had two cores but the CPU microcode was 32 bit. As wikipedia pointed out:
                    I agree that the 32bit Core Duo was short lived, unfortunately I have a Yonah chip in one of my older computers. Even the dual core Atom chips are 64bit enabled these days.

                    http://www.intel.com/products/proces...ifications.htm

                    Originally posted by GreyGeek
                    Or, like my 6 year old Gateway m675prr laptop which, although it had only one CPU, used hyper-threading to mimic two CPUs. That really didn't make it faster. The Linux system monitor's "system load - CPU history" graph would show two lines as if there were actually two CPUs when, in fact, there was only one. It confused the threads with separate CPUs. So, two CPU lines doesn't mean that one is running a dual core machine, either. The 64 bit Linux OS would reject the install when I attempted to try it out on that Gateway, as it would on all 32 bit dual cores.
                    Hyperthreading provided some value in that it allowed the scheduler to divide time slices better between threads or processes. It allowed a system to stay somewhat responsive if a single threaded process chewed up an entire CPU.

                    That said, I haven't ever found it beneficial, and in some cases (older versions of VMWare Server) it caused software to effectively run slower when enabled.
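The checks the posts above pass around by hand (look for the lm flag in /proc/cpuinfo, read the architecture off uname -a, and do not mistake two hyper-threads for two cores) can be scripted. The script below is an added example written for this page; it is not code from any of the posters. The two /proc/cpuinfo dumps embedded in it are constructed, not captured from a real machine: one is a 64-bit dual-core chip, the other a single-core hyper-threaded 32-bit chip of the kind GreyGeek describes. Pass --live to run it against the real /proc/cpuinfo and uname -m instead.

```shell
#!/bin/sh
# Added example, not from the forum thread. Answers three questions from a
# /proc/cpuinfo dump: is the CPU 64-bit capable (the "lm" flag), how many
# physical cores versus logical CPUs does it have (hyper-threading shows up as
# extra "processor" entries), and is the running kernel 64-bit (uname -m).

# Constructed sample, not a capture: one package, two real cores, lm present.
SAMPLE_DUAL_CORE='processor   : 0
physical id : 0
siblings    : 2
core id     : 0
cpu cores   : 2
flags       : fpu pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse sse2 ht syscall nx lm constant_tsc

processor   : 1
physical id : 0
siblings    : 2
core id     : 1
cpu cores   : 2
flags       : fpu pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse sse2 ht syscall nx lm constant_tsc'

# Constructed sample, not a capture: one core, two hyper-threads, no lm flag.
SAMPLE_HT_SINGLE_CORE='processor   : 0
physical id : 0
siblings    : 2
core id     : 0
cpu cores   : 1
flags       : fpu pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse sse2 ht

processor   : 1
physical id : 0
siblings    : 2
core id     : 0
cpu cores   : 1
flags       : fpu pae mce cx8 apic sep mtrr pge mca cmov pat pse36 mmx fxsr sse sse2 ht'

# "yes" when every processor entry carries the lm (long mode) flag, else "no".
cpu_is_64bit() {
    printf '%s\n' "$1" | awk '
        /^flags/ { n++; for (i = 1; i <= NF; i++) if ($i == "lm") { ok++; break } }
        END { r = (n > 0 && ok == n) ? "yes" : "no"; print r }'
}

# Logical CPUs: one "processor" entry per thread the scheduler can use.
logical_cpus() {
    printf '%s\n' "$1" | awk '/^processor/ { n++ } END { print n + 0 }'
}

# Physical cores: "cpu cores" is reported per package, so take it once per
# distinct "physical id" and sum over packages.
physical_cores() {
    printf '%s\n' "$1" | awk -F' *: *' '
        /^physical id/ { pkg = $2 }
        /^cpu cores/   { cores[pkg] = $2 }
        END { t = 0; for (p in cores) t += cores[p]; print t + 0 }'
}

# "yes" when there are more logical CPUs than physical cores, i.e. the extra
# CPU lines in a system monitor come from hyper-threading, not a second core.
hyperthreading_active() {
    [ "$(logical_cpus "$1")" -gt "$(physical_cores "$1")" ] && echo yes || echo no
}

# "yes" for a 64-bit kernel; the argument is the machine string from uname -m.
kernel_is_64bit() {
    case "$1" in x86_64|amd64) echo yes ;; *) echo no ;; esac
}

report() {   # $1 = cpuinfo text, $2 = uname -m string
    echo "64-bit capable CPU (lm flag): $(cpu_is_64bit "$1")"
    echo "logical CPUs:                 $(logical_cpus "$1")"
    echo "physical cores:               $(physical_cores "$1")"
    echo "hyper-threading active:       $(hyperthreading_active "$1")"
    echo "64-bit kernel running:        $(kernel_is_64bit "$2")"
}

if [ "${1:-}" = "--live" ] && [ -r /proc/cpuinfo ]; then
    report "$(cat /proc/cpuinfo)" "$(uname -m)"
else
    echo "--- constructed 64-bit dual-core sample"
    report "$SAMPLE_DUAL_CORE" x86_64
    echo "--- constructed single-core hyper-threaded 32-bit sample"
    report "$SAMPLE_HT_SINGLE_CORE" i686
fi
```

The lm check decides whether a 64-bit install is possible at all; the uname -m check decides whether the machine is in the population CVE-2010-3081 affects, since a 64-bit capable CPU running a 32-bit PAE kernel (the original poster's setup) has no 64-bit compat path to exploit.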


                      #11
                      Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

                      Originally posted by joneall
                      Should we be worried about this?

                      http://isc.incidents.org/diary.html?storyid=9574

                      I'm running Lucid vmlinuz-2.6.32-24-generic-pae 32-bit.

                      Btw, Wikipedia tells me pae is to address memory beyond 4GB. I have exactly 4GB. So why pae? Or is it always installed?
                      The only time to be concerned over this is if you are running a 64bit kernel, and either allowed access to users via ssh (i.e. web hosting, or to a friend), or you had the computer directly connected to the internet without any router or firewall and had exposed services with known vulnerabilities (like phpmyadmin for example).

                      In that case, you should run rkhunter to check for a root kit. If you had none of those things, and you have installed the patch released the other day you are probably fine.

                      The issue with this exploit is that it installed a root kit leaving a backdoor on the system *if* an attacker was able to get into the system to exploit the kernel somehow.

                      The bigger issue isn't that the exploit was just released, the issue is that the exploit was underground for ~2 years before being made public.


                        #12
                        Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

                        It was noticed and fixed in 2007, but a recursion commit in 2008 reopened it. So, it could have been "underground" for the last two years, i.e., someone before Hawkes discovered it and had been using it, but I doubt it. Your favorite Ukrainian supported hacker website didn't know about it. IF it had been open for the last two years then professional and state supported hackers wasted eight months of MANUAL "dear john" attacks just to compromise 700 Linux boxes. That a 700 zombie Linux bot farm is the largest ever found is evidence that no significant Linux back door exploit is operating in the wild. During that same 8 months a 1,300,000 Windows zombie bot farm was discovered.

                        Also, approximately 70% of the Internet servers are running Apache (presumably on Linux or BSD) and only 20% are running Windows. IF this exploit were in the wild it would have been reported by the more responsible server admins. For the 47,292,193 servers sampled in that survey 33 million were exposed to this exploit but for such a large number NO reports of Linux internet servers being compromised by this exploit have been reported. IF such an infection had taken place several anti-Linux forces would have made sure it reached the front pages of all major media, and got repeated endlessly for months or years afterwards.

                        And, being a local exploit, most single account Linux users have nothing to worry about if, like you say, they haven't purchased a domain name for the Apache server running on their box, and put it online, or they don't allow remote logins or remote desktop accesses, which are turned off by default in Kubuntu.

                        If folks think their box may have been exploited they can download a tool from KSplice here, which will report the backdoor, if it exists on the user's system.


                          #13
                          Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

                          Originally posted by GreyGeek
                          It was noticed and fixed in 2007, but a recursion commit in 2008 reopened it. So, it could have been "underground" for the last two years, i.e., someone before Hawkes discovered it and had been using it, but I doubt it.
                          It is implied in the "other" exploit that the "other" exploit was underground for 2 years.

                          Thanks you for signing-off on this one guys.

                          This exploit has been tested very thoroughly
                          over the course of the past few years on many many targets.

                          Thanks to redhat for being nice enough to backport it into early
                          kernel versions (anything from later August 2008+)

                          Ac1dB1tch3z would like to say ... YOU Ben Hawkes. You are a new hero! You saved the
                          plan8 man. Just a bit too l8.
                          Exploit attached. Another 0day bites the dust and goes into our public exploit pack
                          Ac1dB1tch3z brings you ABftw.c - Linux Kernel x86_64 local not0dayanymore exploit.
                          Source: http://seclists.org/fulldisclosure/2010/Sep/268

                          Originally posted by GreyGeek
                          Your favorite Ukrainian supported hacker website didn't know about it.
                          As I have said multiple times, that site isn't the malware underground. If it was, you wouldn't be able to google it. Underground sites are not available over the general access internets, it usually takes an invite and some sort of encrypted connection.

                          Originally posted by GreyGeek
                          IF it had been open for the last two years then professional and state supported hackers wasted a eight months of MANUAL "dear john" attacks just to compromise 700 Linux boxes. That a 700 zombie Linux bot farm is the largest ever found is evidence that no significant Linux back door exploit is operating in the wild. During that same 8 months a 1,300,000 Windows zombie bot farm was discovered.
                          This is not true. You cannot make the connection that the person with the recently published exploit hangs out with the person that attempted to create this botnet.

                          Originally posted by GreyGeek
                          Also, approximately 70% of the Internet servers are running Apache (presumably on Linux or BSD) and only 20% are running Windows. IF this exploit were in the wild it would have been reported by the more responsible server admins. For the 47,292,193 servers sampled in that survey 33 million were exposed to this exploit but for such a large number NO reports of Linux internet servers being compromised by this exploit have been reported. IF such an infection had taken place several anti-Linux forces would have made sure it reached the front pages of all major media, and get repeated endlessly for months or years afterwords.
                          Again, a kernel exploit that requires a shell cannot be attacked through another service with no vulnerability. That's why I said phpmyadmin and not Apache. Apache has a very good security track record, where PHPMyAdmin does not.

                          Example: http://saifulfaizan.blogspot.com/201...e-exploit.html

                          Originally posted by GreyGeek
                          And, being a local exploit, most single account Linux users have nothing to worry about if, like you say, they haven't purchased a domain name for the Apache server running on their box, and put it online, or they don't allow remote logins or remote desktop accesses, which are turned off by default in Kubuntu.
                          They don't have to have a "domain name", you can reach a computer over the internet by IP alone. Try it yourself by browsing to http://74.125.45.105/ (google). Apache is one of 10,000 (or more) possible applications for the Linux platform that expose one or more ports. My implication was that one of these must be installed, be directly connected to the internet (no, not behind a home use router), and contain a known vulnerability that grants someone exploiting it a local user shell. I used PHPMyAdmin because it has a history of problems like this, as does Joomla and other similar apps.

                          Originally posted by GreyGeek
                          If folks think their box may have been exploited they can download a tool from KSplice here, which will report the backdoor, if it exists on the user's system.
                          This is sane advice. If you are directly connected to the internet, running services or behind a router and forwarding ports to your computer (you may not even know if you are using upnp), it may be in your interest to run rkhunter or the ksplice diagnostics tool (which is based on the exploit source code). If you are just a single user that uses his PC to surf the web and check email, you most likely have nothing to worry about.
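The triage rule the two previous posts converge on is: a host matters for this CVE only if it runs a 64-bit kernel and something already gives an outsider a local foothold, for which network-reachable services are the usual route. The script below is an added example written for this page, not code from either poster or from Ksplice. It approximates "foothold" by listening sockets bound to a non-loopback address, parsed from ss -tuln style output; the two socket tables embedded in it are constructed, not real captures. It knows nothing about whether the kernel is patched or whether a NAT router sits in front of the host, the two caveats the thread itself raises, so treat its verdict as a first cut.

```shell
#!/bin/sh
# Added example, not from the forum thread. CVE-2010-3081 is a local privilege
# escalation in the x86_64 kernel's 32-bit compatibility path, so a host is in
# scope only if (a) it runs a 64-bit kernel and (b) outsiders can get a shell
# on it. (b) is approximated here by listeners bound to non-loopback addresses.
# Pass --live to inspect the real machine via uname -m and ss -tuln.

# Constructed sample modelled on "ss -tuln" output (not a real capture):
# MySQL and CUPS on loopback only; sshd, a DHCP client and a web server on all
# interfaces.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:3306     *:*
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      128    127.0.0.1:631      *:*
udp   UNCONN 0      0      *:68               *:*
tcp   LISTEN 0      128    :::80              :::*'

# Constructed sample of a desktop with nothing reachable from outside.
SAMPLE_SS_LOOPBACK='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:631      *:*
tcp   LISTEN 0      128    ::1:631            :::*'

# Print "proto local-address:port" for each listener not bound to loopback.
externally_reachable_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && ($1 == "tcp" || $1 == "udp") {
            addr = $5
            sub(/:[^:]*$/, "", addr)          # drop the trailing ":port"
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            print $1, $5
        }'
}

# Number of externally reachable listeners in a socket table.
exposed_count() {
    externally_reachable_listeners "$1" | wc -l | tr -d ' '
}

# Verdict from the kernel machine string (uname -m) and the socket table.
exposure_verdict() {
    case "$1" in
        x86_64|amd64) ;;
        *) echo "out-of-scope: $1 kernel has no 64-bit compat path"; return 0 ;;
    esac
    n=$(exposed_count "$2")
    if [ "$n" -eq 0 ]; then
        echo "low: x86_64 kernel, listeners bound to loopback only"
    else
        echo "in-scope: x86_64 kernel with $n externally reachable listener(s); patch, then run rkhunter or the Ksplice checker"
    fi
}

if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    exposure_verdict "$(uname -m)" "$(ss -tuln)"
    externally_reachable_listeners "$(ss -tuln)"
else
    exposure_verdict x86_64 "$SAMPLE_SS"
    externally_reachable_listeners "$SAMPLE_SS"
    exposure_verdict x86_64 "$SAMPLE_SS_LOOPBACK"
    exposure_verdict i686 "$SAMPLE_SS"
fi
```

A wildcard bind (*, 0.0.0.0 or ::) counts as reachable even when a home router would block it, which is the conservative reading; a listener on loopback cannot be the remote foothold, though it can still be the second stage once someone is already on the box.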


                            #14
                            Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

                            Originally posted by Vistaus
                            "If I understand then, 64bit does not require a special CPU, but depends only on the RAM. Right?"

                            Nope, wrong. It DOES require a special CPU. Well, if you buy a new computer (except for netbooks) then you already have that "special" CPU. But older computers mostly don't have a CPU that is capable of 64-bit, and netbooks don't have that one either.
                            Actually, only very old computers with old single-core Cpus don't support 64-bit, as it was already introduced in 2003 by Amd with its Athlon64 Cpus. Incapable Intel took a bit longer to bring out working 64-bit. So if you bought a PC within the last five years, it most probably will have 64-bit support.
                            Only exception there is netbooks with Intel Atom crap.


                              #15
                              Re: CVE-2010-3081 kernel: 64-bit Compatibility Mode Stack Pointer Underflow

                              True, but most people will have Intel (which is crap, well except for the i-series). So most people will have a 32-bit CPU if their PC is >=4 years.