Weblog entry #223 for simonw

Security has never been so interesting
Posted by simonw on Thu 14 Feb 2008 at 21:18

I've long been of the opinion that computing probably needs to start again to lose the security nightmare it currently suffers.

The rooting of the Asus EEE PC comes at the end of a bad month for security. The large number of critical Microsoft patches this month (fortunately the IIS 5 one doesn't affect our servers at work), the update for Adobe Reader, and the vmsplice Linux kernel exploit, to name a few, show that a lot of systems are pretty vulnerable.

The vmsplice bug is a local privilege escalation, so not pretty, but I tend to assume anyone who can run local code can own a Linux/Unix/Microsoft Windows/...many others... system if they have clue! So hardly surprising.

Starting again doesn't look like it is happening any time soon, so in the meantime I guess we just have to do the best we can. Raul Siles had an interesting diary entry covering software to keep your Microsoft Windows 3rd party software up-to-date. He says "For Linux you are pretty much tied to the software package manager of the distribution you like to use", which is basically saying "it is built in", which is a pretty key difference security-wise.

For the vmsplice vulnerability, those servers at work which were vulnerable had already downloaded and installed the kernel patch, and were waiting for me to reboot them by the time I checked it out. Indeed only one of these boxes runs end user code, so only one server was easily exploitable this way, and it was running an older kernel (because the stock kernels are too far behind on the aacraid driver - 2.6.24 is finally up to date enough!).

The ASUS smb exploit is, I believe, the one covered in DSA 1291, the fix for which was accepted by Debian QA on April 7th 2007. So shipping it in the Asus is unfortunate, but looking at the date stamps in the Asus repository I'm guessing it is fixed simply by running a software update before exposing your Asus EEE PC to the big bad world out there (all new systems should be patched before being exposed).

However, as the old custom kernels on our server and the pristine Asus EEE show, being up to date doesn't always happen. The Asus EEE could have mitigated this vulnerability by not running the SMB daemon by default, or even not until it is patched up to date(!); whilst it is handy for it to be running, it can also easily be started when needed. I even briefly wondered if a "not patched recently enough" kill switch should be installed in consumer computing devices, but I'm not sure that will fly!
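The two states described above, a box that has installed a kernel fix but is still waiting for a reboot, and a box with a network daemon listening before it has been patched, are both easy to check for before a machine is exposed. The script below is an added example, not part of the original post: the check functions take their inputs as arguments so they can be exercised offline, and the live section (run with PRE_EXPOSURE_LIVE=1) gathers real values with `uname -r`, `dpkg-query` and `ss`. It assumes the Debian convention that the kernel package name suffix (linux-image-6.1.0-18-amd64) matches the output of `uname -r`, and uses port 445 as the SMB example.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-exposure check for a
# Debian-style system. Pure functions take their inputs as arguments; the
# guarded section at the bottom collects live values when asked to.

# Pick the highest version from a newline-separated list of installed kernel
# version strings (constructed input when testing, dpkg-query output live).
newest_installed_kernel() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -V | tail -n 1
}

# True (exit 0) when the newest installed kernel differs from the running one,
# i.e. the patch is installed but the box still needs a reboot.
kernel_needs_reboot() {
    running="$1"   # e.g. output of `uname -r`
    newest="$2"    # newest installed kernel version string
    [ -n "$newest" ] && [ "$running" != "$newest" ]
}

# True (exit 0) when something is listening on TCP port $2 according to
# `ss -ltn`-style output in $1 (State Recv-Q Send-Q Local:Port Peer:Port).
port_is_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Combined check: exit 0 when it is reasonable to expose the box, 1 otherwise,
# printing a reason for each problem found.
#   $1 running kernel, $2 installed kernel list, $3 socket listing, $4 port
pre_exposure_check() {
    running="$1"; kernels="$2"; sockets="$3"; port="$4"
    newest=$(newest_installed_kernel "$kernels")
    ok=0
    if kernel_needs_reboot "$running" "$newest"; then
        echo "reboot pending: running $running, newest installed $newest"
        ok=1
    fi
    if port_is_listening "$sockets" "$port"; then
        echo "port $port is listening; consider keeping that daemon off until patched"
        ok=1
    fi
    return $ok
}

# Live run (assumed Debian conventions): only when explicitly requested so
# that sourcing the file for the functions has no side effects.
if [ "${PRE_EXPOSURE_LIVE:-0}" = 1 ]; then
    installed=$(dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' 'linux-image-[0-9]*' \
        | awk '$1 == "ii" { sub(/^linux-image-/, "", $2); print $2 }')
    pre_exposure_check "$(uname -r)" "$installed" "$(ss -ltn)" 445
fi
```

Run it as `PRE_EXPOSURE_LIVE=1 sh pre-exposure.sh` on the box itself; a non-zero exit means either a reboot is pending or the SMB port is already open, which are exactly the two conditions the post argues a freshly shipped device should not be in.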

How will starting again help? Well, several of the vulnerabilities, whilst in part logic errors, also depended for the success of the attack on behaviour typical of programs written in the C programming language. There are also established designs of secure system that make such exploits of logic errors almost impossible by not offering this level of escalation. The problem is that starting again and being compatible is fantastically expensive; the solution is of course to start again and be more user-friendly but incompatible.
