Operating system vendors were given two months' notice before a security flaw was made public, but some have yet to resolve the issue, a security researcher has claimed.
Colin Percival detailed the vulnerability--which affects versions of Intel's CPU that use a technology called hyperthreading--at a conference on May 13.
The vulnerability could allow a local hacker to steal sensitive information, such as passwords, held on servers configured to allow multiple users to log in simultaneously.
FreeBSD security team member Percival has received formal responses to the issue from the makers of the BSD family of open-source operating systems, as well as SCO and Ubuntu Linux. However, Linux vendors Red Hat, Novell and Mandriva have been slow to act, as has Microsoft, he said.
"Given that I reported this problem in early March, I really think that they should have had a patch over a month ago--in time to test it extensively before releasing it on May 13," Percival said.
"I made it quite clear to everyone that I would be releasing my paper on that date and that they should make sure they were ready by then," he added.
A representative from Red Hat said its security team rated the issue as having "a moderate security impact," and that it was working with the creators of the OpenSSL toolkit--which is used to exploit the vulnerability--on a fix.
A Microsoft representative said while the company was investigating Percival's report, it was not aware of any active attacks using this method at this time and would wait until completion of its investigation to take action.
"We are aware of the issue and have been working on it," a Novell representative said.
Percival also took issue with Intel's reaction. The company had described the risk as "very low."
"Intel is being too simplistic," he said. "This flaw allows users on a machine to steal each others' data."
Although the problem only affects multiuser servers, these machines are widely used. "The most obvious example is shared Web servers, which constitutes the vast majority of small e-commerce sites," he said. "On these systems, the flaw is very serious."
Last December, Percival alerted the BSD family to the problem, and a workaround has since been posted.
Red Hat, Novell, Mandriva and Microsoft. For some reason, it's easier for some to just slag off M$.
In this case, it would seem reasonable to criticise M$ - bloody pathetic response. But let's spread the blame around to those others who also deserve blame.
What a surprise that some clueless, fangless keyboard vomit would flow from someone who simply keyed on the word "Microsoft" in the article. This issue isn't restricted to Microsoft products, or even software in general.
Read the other comments; they were much more insightful than yours.
There's a better chance of somebody breaking into your office, or getting a search warrant against you, and stealing your machine than loosing a private key as a result of this exploit.
While the attack described is certainly interesting, it is quite impractical in real use, and only relevant in very limited situations.
In addition, the required fixes in the operating system are non- trivial, and in many cases will lead to a severe performance hit. It isn't just a simple case of "here's the flaw, now fix it in a couple months". It is best fixed in the hardware, but it really doesn't seem to me to be that urgent a fix.
It is also completely unnecessary to do anything about for home users, and even most servers, regardless of which OS you're talking about.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
Whether Apple will release a new iPad next month doesn't seem to be the question as much as what day it will happen. A new rumor has it down to the day.
Tommy Jordan, the man who shot his daughter's laptop for YouTube, gets a visit from police and child protection services. Oh, and Good Morning America.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
"Never Stop Playing" campaign for upcoming portable marks Sony's largest platform launch marketing spend, with ads to reach YouTube, Facebook, TV, and billboards in major cities.
As UC Berkeley students, the co-founders of "Back to the Roots" discovered they could grow mushrooms using recycled coffee grounds. Now their mushroom kit sells at grocery stores across the country.
1. Press makes a big deal about the flaw
2. Millions of computers are exploited
In this case, it would seem reasonable to criticise M$ - bloody pathetic response. But let's spread the blame around to those others who also deserve blame.
Read the other comments; they were much more insightful than yours.
Just plain silly.
attention.
impractical in real use, and only relevant in very limited
situations.
In addition, the required fixes in the operating system are non-
trivial, and in many cases will lead to a severe performance hit.
It isn't just a simple case of "here's the flaw, now fix it in a
couple months". It is best fixed in the hardware, but it really
doesn't seem to me to be that urgent a fix.
It is also completely unnecessary to do anything about for home
users, and even most servers, regardless of which OS you're
talking about.