Three Linux server security holes found

Three separate security flaws could be used by an ordinary user to gain total control of a Linux server or workstation, security researchers have warned.

Two of the vulnerabilities lie in the way the Linux kernel - the core of the open-source operating system - manages memory. They affect all current versions of Linux, according to advisories released on Wednesday by iSEC Security Research, a Polish security company. The third flaw affects the module for the kernel that supports ATI Technologies' Rage 128-bit video card.

Because Linux is frequently used on shared servers, security holes that allow a user to expand their access rights on a computer are serious, said Alfred Huger, the senior director of engineering for security software company Symantec. However, they are not as critical as flaws that allow an outsider to compromise the computer, he said.

"In the grand scheme of things, if an attacker is able to get access to your box, then they could probably get root [control] on your box, anyway," he said. The root user is the standard Linux and Unix name for the person who has complete control of a computer.

For example, the recently announced flaw in Windows that allows an attacker to remotely execute code on any computer running the Microsoft operating system is a more serious vulnerability. That flaw could allow a worm to spread throughout the vulnerable computers attached to the Internet. The security holes in the Linux kernel are of more use to an attacker looking to compromise a single computer.

The Linux Kernel Project released a new version of the 2.4 series kernel - version 2.4.25 - to fix the vulnerability, the second time this year it has had to issue an update as a patch. In January, it released the 2.4.24 kernel to fix another flaw iSEC found.

Another vulnerability in the kernel, found last September, allowed attackers who had compromised a developer's computer to extend their control to several key servers used for development of the Debian Linux distribution.

Linux companies and projects that package their own version of Linux have rushed to deliver updates. Red Hat, Novell's SuSE Linux, Debian and other Linux distributions had released fixes by Thursday morning.

The newly found flaws underscore the fact that vulnerabilities still exist in the core software that makes up Linux, according to Symantec's Huger.

Moreover, the discovery of serious flaws in the kernel the past three consecutive months raises questions about the "many eyes" theory, which maintains that open-source software can be audited for security holes easily and is therefore more secure. In reality, the majority of developers don't like to review old code, Huger said.

"I think the concept is great, but by and large, I don't think the practice is as true as people would like it to be," he said.

That criticism has been leveled at Linux before. And while auditing may not be as pervasive as some open-source advocates would believe, recent security holes in Linux continue to be less serious than those found in Windows.

Robert Lemos writes for CNET News.com