At CoreOS Fest in Berlin, Greg Kroah-Hartman, Linux kernel developer and maintainer of the stable branch, talked about an inconvenient truth about Linux and security: vendors are notoriously bad about implementing patches.
For the last 15 years the kernel community has followed a rule of fixing things as soon as possible: the community fixes the bug and pushes the fix out in a new release so that vendors can push it on to their users.
But there is a problem.
Kroah-Hartman said, “… nobody takes [the patches]. Someone fixed a bug in the TTY layer about three years ago. It looked like a normal bug. We fixed it, pushed it in the new releases and got it out there. Three years later, someone realized there’s a security bug. You could go to a local root user and away you could go. Turns out Red Hat and SUSE had to go back and fix all of their old stuff. We have a very bad history of keeping bugs alive for a long time. Somebody did a check of it; most known bugs live for 5 years in systems. These are things that people know and know how to exploit. They’re not closed. That’s a problem in our infrastructure.”
Android is another example cited by Kroah-Hartman. Android phones are based on the long-term 3.10 kernel, and for about six to eight months the 3.10 stable tree has carried a fix for a bug that allows you to get root on Android phones. But Google has not updated the kernel yet, which leaves these devices open to that root exploit. “You can base your kernel and base your product on a long term kernel, but if you don’t take advantage of it, it means nothing,” said Kroah-Hartman.
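The gap Kroah-Hartman describes is easy to check for on a product that tracks an upstream stable series: compare the running kernel's stable point release (the third number in `uname -r`) against the point release that carries the fix. The following is an added example, not code from the talk or from any vendor; the release strings and the 3.10.60 "fixed in" value are constructed for illustration, not the point release of any particular bug. The example also shows the caveat that makes this check useless for distribution kernels such as Red Hat's 3.10.0-NNN.el7, where fixes are backported without bumping the point release, so the version number says nothing and the vendor's errata have to be consulted instead (the suffix markers used to detect such kernels are an assumption, not a complete list).

```python
import re
from typing import NamedTuple, Optional


class KernelVersion(NamedTuple):
    major: int
    minor: int
    patch: int    # stable point release: the "z" in x.y.z
    suffix: str   # everything after the numbers, e.g. "-g8f2c9c4" or "-229.el7.x86_64"


# major.minor with an optional .patch, followed by any build/vendor suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")

# Suffix markers typical of distribution kernels, whose vendors backport fixes
# without advancing the upstream point release. Assumption: illustrative list only.
_DISTRO_MARKERS = re.compile(r"\.el\d|\.fc\d|-generic|-default|-amd64")


def parse_kernel_version(release: str) -> KernelVersion:
    """Parse a `uname -r` string; a missing patch level is treated as 0."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, suffix = m.groups()
    return KernelVersion(int(major), int(minor), int(patch or 0), suffix)


def is_distro_kernel(v: KernelVersion) -> bool:
    """Heuristic: does the suffix look like a vendor build that backports fixes?"""
    return bool(_DISTRO_MARKERS.search(v.suffix))


def has_stable_fix(release: str, fixed_in: str) -> Optional[bool]:
    """Does the running kernel include the stable point release that carries a fix?

    Returns True when `release` is at or beyond `fixed_in` in the same x.y series,
    False when it is behind, and None when the point release cannot answer:
    a different series, or a distribution kernel where backports make the
    number meaningless (check the vendor's changelog or errata instead).
    """
    running = parse_kernel_version(release)
    fixed = parse_kernel_version(fixed_in)
    if (running.major, running.minor) != (fixed.major, fixed.minor):
        return None
    if is_distro_kernel(running):
        return None
    return running.patch >= fixed.patch


def report(release: str, fixed_in: str) -> str:
    """Human-readable verdict for one kernel against one stable fix."""
    verdict = has_stable_fix(release, fixed_in)
    if verdict is True:
        return f"{release}: at or beyond {fixed_in}, fix present"
    if verdict is False:
        return f"{release}: behind {fixed_in}, stable fix NOT applied"
    return f"{release}: not comparable to {fixed_in} by version number; consult vendor errata"


if __name__ == "__main__":
    # Constructed sample release strings in the shapes seen on real systems.
    samples = [
        "3.10.49-g8f2c9c4",        # Android-style: tracks 3.10.y, fix would bump the patch level
        "3.10.61-g8f2c9c4",        # same product after picking up the stable release
        "3.10.0-229.el7.x86_64",   # RHEL 7 style: backported fixes, point release stays 0
        "4.0.5",                   # different series, so 3.10.y comparison is meaningless
    ]
    for s in samples:
        print(report(s, "3.10.60"))
```

The None result is the important one: a version check that silently said "behind" for every 3.10.0-NNN.el7 kernel would generate false alarms, while one that said "fixed" would hide real exposure. Either way, for vendor kernels the only reliable source is the vendor's own fix list.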
The matter of security is becoming more serious as Linux is more and more widely used. Kroah-Hartman stressed that fixes have to be picked up promptly. “I’m averaging 10 fixes per day of things that may or may not be a security bug, because I don’t have time to test to see if all of them are or not; but other people do,” he said.
He took it one step further, saying that “…your machine is insecure unless you’re running my kernel, or based on my kernel, or based on another one. If you’re not taking these fixes, then it is insecure.”
Kroah-Hartman has a very clear message for any company or community building products around Linux, “You have to be able to update your machine. You have to be able to provide a system where your machines are updated and you constantly take advantage of it.”