A recent security advisory announced today by Rapid7 explains, “the NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page). A working proof-of-concept root exploit is attached to this advisory.” The advisory goes on to note that the FreeBSD and Solaris binary drivers are also likely vulnerable and cautions, “it is our opinion that NVIDIA’s binary driver remains an unacceptable security risk based on the large numbers of reproducible, unfixed crashes that have been reported in public forums and bug databases.”
Just because your email programs won’t execute attachments by default doesn’t mean your OS isn’t vulnerable in one way or the other. If somebody really wants in, they’ll find a way.
Your argument only makes sense if we’re talking about using 3rd party applications and drivers, which most people don’t include when they talk about OS security. It’s Apples and Oranges…
> Your argument only makes sense if we’re talking about using 3rd party applications and drivers, which most people don’t include when they talk about OS security. It’s Apples and Oranges…
Well, if one of those apps or drivers allows a remote hacker to take control over your computer, who gives a shit if the hole was in the application/driver or in the OS itself? Many of the vulnerabilities being found these days are a direct result of flaws in applications, so even if you’re running a solid OS with a bad app or driver installed, you’re still vulnerable. If you want to argue semantics while your machine is being rooted and turned into a spam zombie, then have it at.
Edited 2006-10-17 02:23
Well, just goes to show you …
That WorknMan is calling a proprietary closed graphic driver an OS … INCOMPETENT and PATHETIC !
You see Now according to this pundit expert, Windows and GNU/Linux are now just as insecure … Disregard the fact that Free Software and Open Source advocate have been telling people for decades now that such security risk are inherent with closed source method … That they should also demand and only accept Free Software that is Open Source.
The problem with reality that WindowsOrknMan as is the GNU/Linux OS is Free Software and Open Source and that Microsoft Windows is closed source … When a flaw, method or new technique is found the softwares (around 20 000 +) get tested for it and patches and fixes issued with GNU/Linux, it’s still a guessing game with the entire Microsoft Windows OS.
The problem here is that instead of having people able to offer a fix now, based on their discovery, it’s just a detailed method of how to take advantage of it and we all have to wait for a Nvidia fix, that might or might not come soon.
This is what, the first such bug found (ever?), and years since the driver was released?
Besides, nVidia has already released a fix for it:
“NVIDIA released the 1.0-9625 driver which fixes this bug last month:
http://www.nzone.com/object/nzone_downloads_rel70betadriver.html”
– http://kerneltrap.org/node/7228
In the end, whether it is “acceptable” or not, nVidia is the only option for Accelerated High Performance Consumer 3D Graphics under operating systems such as Solaris. Quite frankly, they could name an exploit every day and I still wouldn’t care. I have no choice in hardware…
Edited 2006-10-16 22:51
I don’t want to criticise your opinion, but think it’s fascinating (and surely you are not the only one).
The whole system in regards to security is as weak as its weakest part is. Yet, as soon as not using weak parts rises to a certain level of uncomfortable (in this situation, alternative hardware), they will be accepted, even if they drive the whole system unsecure.
Edited 2006-10-16 22:57
> I don’t want to criticise your opinion, but think it’s fascinating (and surely you are not the only one).
It’s not an opinion. I don’t have a choice about the hardware I use if I want a consumer level 3D Card with accelerated 3D graphics for Solaris.
So, quite frankly, I don’t really care. I just want the tools to do my job or to do whatever I need to.
The moment a viable alternative comes available, I’d be all for it. But so far, none have materialised.
Actually the choice between bad and bad is not a choice at all.
Seemingly Windows drivers use the same codebase; are they affected? Did NV release an update for them as well?
I don’t think it is a question of how uncomfortable it is. There simply is no alternative to fall back to even on Linux.
Intel Graphics are very slow and Ati drivers… well… you sure don’t want to leave nVidia for Ati if it comes to drivers.
So if there is a true alternative then I’m not aware of it.
Hmm .. the whole system is not as weak as its weakest part if the weak part is isolated .
So how to isolate this driver?
Beta drivers are not the answer. It’s like saying that your WinXP security problems can be fixed by installing Vista Beta
> Beta drivers are not the answer. It’s like saying that your WinXP security problems can be fixed by installing Vista Beta
Why not? Works for everyone else in the industry…
(Creative, Microsoft, etc.)
Nvidia website is nvidia.com ,
** Beta driver **, that don’t fix the August version on the official main site …
“nVidia is the only option for Accelerated High Performance Consumer 3D Graphics under operating systems such as Solaris. ”
http://www.xig.com/Pages/Summit/OSsupport.html#Solaris32anchor
“Quite frankly, they could name an exploit every day and I still wouldn’t care. ”
I wonder where they get the idea that employees are the #1 security risk, with people like you … (really cynical here).
” I have no choice in hardware…”
Driver is hardware now …
On the subject of the XIG drivers. As an owner and a long-time user of one of their packages, I feel I can comment that they are excellent drivers. The only thing that is a shame is that more recent and powerful hardware cards are not supported.
Through the efforts of the manufacturers, they have largely been pushed out of the fully hardware accelerated chips and mostly focus on Intel integrated graphics solutions these days.
I own one of their Platinum packages for my old HP notebook and have been quite pleased. The performance is excellent (given the underlying chipset) and they are extremely reliable. However, if you demand incredible performance on a modern 3D design package, you will be out of luck with XIG as they simply no longer support recent 3D Labs, nVidia, or ATI hardware. It is really a shame.
I believe in their products and appreciate all the work it takes to develop their products.
> The only thing that is a shame is that more recent and powerful hardware cards are not supported.
Which is my primary problem and why I qualified my statement with “High Performance”. XiG is not an option.
http://www.xig.com/Pages/Summit/OSsupport.html#Solaris32anchor
nVidia is still the only option. XiG’s support is only good for the older generation of video cards. I don’t see SLI or anything like that on there either (maybe I’m missing it). Not only that, between choosing to pay for a driver and one for free, the choice is obvious in this case…
Besides, this whole conversation was about binary drivers, how is choosing *another* binary driver any better?
“nVidia is still the only option.”
You’re not interested to pay for other options …
“between choosing to pay for a driver and one for free”
The cost of a working secure and up to date driver is included in the sale price of the graphic card.
“how is choosing *another* binary driver any better?”
I was answering your no other option comment.
> The cost of a working secure and up to date driver is included in the sale price of the graphic card.
Exactly, so why would I pay for a driver *again*?
> I was answering your no other option comment.
My no other option comment taken in context was that there was no *non-binary-only* option.
That should shut up the people who call anti-blob folks “idealists.” Closed code can’t be easily audited, and thus can’t be trusted.
As much as I like free drivers, open source code can have root exploits too….
Yes, but usually open source developers don’t wait two years before fixing them.
@renox
Open source developers wait for a volunteer to fix the bugs. Which could be between immediately or never. It’s the same as in closed source software.
“That should shut up the people who call anti-blob folks “idealists.” Closed code can’t be easily audited, and thus can’t be trusted.”
Actually I don’t call anyone idealists. I think Open code is just as bad since me not being a coder, I just have to use it and rely on someone else. Being open means it is easier to slip exploits in. I don’t know any of these so called ‘Auditors’ monitoring the code.
“Being open means it is easier to slip exploits in.”
No it doesn’t but I’m sure someone is happy that there are people who believe in that FUD.
“”Being open means it is easier to slip exploits in.”
No it doesn’t but I’m sure someone is happy that there are people who believe in that FUD.”
Well, with closed source only the developers can contribute code to it, and yes it may take a bit longer to fix when something is found. With open source supposedly any one can commit code, unless I am sorely misunderstanding the meaning of community contributions, so an exploit may not even be found for awhile.
> Well, with closed source only the developers can contribute code to it, and yes it may take a bit longer to fix when something is found. With open source supposedly any one can commit code, unless I am sorely misunderstanding the meaning of community contributions, so an exploit may not even be found for awhile.
Uhh…I don’t know of any decent project which allows just about anyone to apply a patch to the source tree..Usually the moderators check the patches and then either accept or reject them. So, if someone wrote a malicious patch, it would get rejected anyway. Sure, someone could download the whole source tree and patch it, but he/she would still not get it spread..Anyway, in essence, while only the developers can contribute code to closed source drivers, in open source model anyone can contribute a patch, but still the devs decide whether it goes in or not..
And it failed miserably.
It all comes down to who you trust. Do you trust all Microsoft employees? Are you sure nobody is including a backdoor in there somewhere? Do you trust the guys around the Linux/Xorg/Gnome/KDE projects?
Each of them uses their own software, so nobody of them wants a backdoor from other developers in his software. They have a clear motivation not to include a backdoor in their code, because all accepted code changes have to be attributable to someone for copyright reasons. The one who tries to include a backdoor knows, that no open source project will ever trust them again. And the likelihood that the backdoor will be found is very high, the code is open so everyone can search it for backdoors!
“With open source supposedly any one can commit code”
No, only people granted access to commit code can do so.
You cannot just like that put code into CVS. You can send a submission, but that doesn’t mean it is accepted.
Open Source != Uncontrollable
> Well, with closed source only the developers can contribute code to it,
> and yes it may take a bit longer to fix when something is found. With
> open source supposedly any one can commit code, unless I am sorely
> misunderstanding the meaning of community contributions, so an
> exploit may not even be found for awhile.
Yes, you *are* misunderstanding. Open Source (to some extents), and even more Free Software, mean that anyone can download the software and source code, distribute it, locally modify it, and distribute modifications.
Nothing, really nothing, gives you permission to modify the codebase in the project’s repository as you wish. The project maintainers are free to accept your modifications (if you distribute them), but they could just as well ignore them altogether. Finally, a project maintainer who allows anonymous users to commit changes to the repository obviously hasn’t learnt the hard way yet. But again, *nothing* in OSS or FS gives you permissions to do that, only stupid maintainers do.
easier to slip exploits in, are you joking? you don’t think other developers on the project notice if someone throws in a root exploit? and you say you don’t know of any auditors, there are LOTS, many distributions do some stuff to the packages before deploying, they look at the code, many end users do too, and often, bugs and security problems get back upstream because of that.
and you may need to rely on someone, but at least you know you always will have the ability to actually get it fixed. if suddenly your closedsource vendors decide they don’t care, you are simply owned, on the other hand, in the opensource world you may hire others to do the work.
“and you may need to rely on someone, but at least you know you always will have the ability to actually get it fixed. if suddenly your closedsource vendors decide they don’t care, you are simply owned, on the other hand, in the opensource world you may hire others to do the work.”
Agreed to an extent, those are valid points. I have my concerns with both models. Convincing the folks who control the money in a company to go with OpenSource for that reason is like poking yourself in the eye with a sharp stick repeatedly from my experience. This even included having an issue with a Linux box, posting to a news group and having my answer in about 2 hours. They still didn’t buy it, go figure.
I think that says more about the company you’re working with rather than the Open Source model.
Why would it be easier to slip exploits into open code? Open source projects only give commit privileges to trusted committers. Indeed, it’s probably pretty hard to slip an exploit into a major piece of open source code. You make a commit to the Linux kernel, and tens of thousands of people see the generated changelog message. Unless you’re a very trusted committer, at least a couple of people see the patch too. And all these things are there on the internet, for anyone to look at any time.
In the world of politics, it’s called “transparency”. When everyone sees what’s going on inside, it makes it much harder for somebody to do something wrong.
There is always the option of using open source drivers, no one is forcing anyone to use closed source. Only if they want decent 3d.
It would be nice to have more documentation from the vendor so we could get the open source drivers up to speed.
I do see their point about giving more information to the competition. On the other hand, if both ATI and NVIDIA disclosed more information, wouldn’t it encourage competition in the marketplace?
> There is always the option of using open source drivers, no one is
> forcing anyone to use closed source. Only if they want decent 3d.
I think it is a bit unrealistic to expect anyone with an nVidia card *not* to want decent 3d features and performance. After all, they have paid a lot of money for their graphics card.
while i admire the principle, and even agree with it, i’m not willing to submit myself to the misery of trying to play Gothic 3 on a G965 open source graphics chipset.
if you seriously think that the specifications required to create drivers that supports 3d for nvidia and ati cards puts them at a disadvantage, you are not informed on the subject. the documentation required by us wouldn’t even disclose information about their driver optimizations (which are mostly useless to their competitor, as it’s almost entirely hardware specific).
both ati and nvidia have hugeass budgets and labs to get exactly the information they want from the competitor, they don’t need any stinking documentation.
I can only hope that they create a usable card with open source drivers soon.
It sucks to either have a vulnerable system or be lightyears behind technology and performance wise.
Hate doing it but I’m using Nvidia’s driver on my system because of strange (performance?) issues with DVI under the open source driver (can’t watch videos without stripes on the screen).
On the other hand the fscking VGA mode gets my screen’s resolution _very_ wrong:
As wrong as 800×600 with some 16 colours instead of 1280×1024.
It’s not like I’d need some high performance 3d stuff…
So I decided to have a stable distro and another with blobs for watching videos…
Yup, it sure can. exploits that can be searched for and fixed on a timely basis, instead of having to wait 2 years for a fix for a remote root vulnerability in a kernel driver.
Of course, I’m still waiting to be able to use Xen with my nvidia card, so maybe I’m just a bit on the pissed-off-at-closed-driver side in general…
Yeah, I use the nvidia drivers. They’re the best 3D acceleration for Linux, and I do graphics development, so that’s the choice. I’m just waiting to be able to throw money at the OGP
Even if it costs 200 EUR and is half as fast as an ATI or NVidia. Just to know, that there will be no more hassle at install or unfixable bugs makes an excess of 100 EUR worth paying.
I hope OGP will sell in the millions, that would give them enough budget for further development, and maybe NVidia and ATI would finally see that free drivers are a killer feature for us. Losing most of their Linux market share to OGP overnight might tell their upper management the story we could not yell at them loud enough for them to hear.
Just forget Linux and focus on Solaris and FreeBSD…..at least Solaris/FreeBSD users are more worried about performance and technology rather than whether some binary blob “tainted” their Holier-than-Thou GNU/Linux OS.
Get a f**king grip – one f**king security hole in 5 years since they started supporting Linux and that too it’s been fixed in the beta 9xxx series and the GPL morons get their panties in a twist.
Really people, get a grip!. It’s not like there haven’t been security holes in the Linux kernel before.
>Get a f**king grip – one f**king security hole in 5 years since they started supporting Linux and that too it’s been fixed in the beta 9xxx series and the GPL morons get their panties in a twist.
Alleged technical superiority of open source v proprietary is not a claim the FSF actively makes and it is not one Stallman endorses, he has even gone as far as advocating free inferior software. They consider it irrelevant.
I can assure you that “GPL morons” had their “panties in a twist” long before this issue was disclosed, and it has very little to do with security vulnerabilities not only because it’s irrelevant to them, but because it doesn’t make sense to get all upset about this considering how many vulnerabilities things like the Linux kernel has suffered from.
So really, your issue is with the Eric Raymondism.
“Just forget Linux and focus on Solaris and FreeBSD….”
Yes give up the billions dollar industry for the fringe failing OS … ATI/AMD and all your competitor thank you for it in advance, what you don’t listen to crazy’s ?
“Solaris/FreeBSD users are more worried about performance and technology”
Performance and new technology are not what people know FreeBSD ( or any BSD ) and Solaris for …
“tainted” their Holier-than-Thou ”
Yes , security is only important for GNU/Linux people …
“one f**king security hole in 5 years since they started supporting Linux”
http://www.google.com/search?q=nvidia+linux+security+&btnG=Search&h…
” the GPL morons get their panties in a twist. ”
Nvidia driver are under the GPL ? GPL morons ?
“It’s not like there haven’t been security holes in the Linux kernel before.”
Security holes fixed/in working process in another software and driver will fix the problem in Nvidia driver … You’re the type of person who takes his neighbor’s car to the shop when his own car has trouble starting and running properly …
it may be a rare thing, but we have no way to fix production systems now, so tell me, these freebsd/solaris users, including yourself, you talk about, do you not care about security holes in production? do you simply upgrade to beta quality stuff to get around it? if freebsd suddenly had a security flaw on a critical machine of yours, would you simply pull CVS HEAD and compile if you knew it didn’t have the bug?
> Really people, get a grip!. It’s not like there haven’t been security holes in the Linux kernel before.
Hundreds in the 2.6 kernel alone.
But saying truthful things about the Linux kernel gets you modded down pretty quick!
The Risk? That you might be exploited via your video driver.
The Cost? Using half baked open source drivers with poor functionality (not exactly the fault of the open driver writers mind you, nvidia ain’t exactly handing out documentation)
I’m thinking if this is fixed, well I’m going to continue running the closed nVidia drivers myself.
sorry but the open source drivers available are just really poor right now, and while I blame that on the graphics chipset manufacturers I also respect their concerns about trade secrets and proprietary IP in the products they produce.
Option "RenderAccel" "false"
that’s the fix for anyone not wanting a) beta drivers or b) no 3D
Easy fix. What’s all the fuss about?
I just got a new kernel update:
Linux serpent.virtuall-host.dyn-o-saur.com 2.6.18-1.2200.fc5 #1 SMP Sat Oct 14 16:59:56 EDT 2006 x86_64 x86_64 x86_64 GNU/Linux
The beta nvidia driver runs smooth by the way.
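As an added example (not from the thread, Rapid7 or NVIDIA), a small Python check that reports, for each nvidia `Device` section of an xorg.conf, whether the `RenderAccel` workaround posted above is actually set. The function name, the sample file and the assumption that the option sits in a `Device` section are assumptions of this example.

```python
import re

# Values the X server's option parser treats as boolean "off".
FALSE_VALUES = {"0", "off", "false", "no"}


def _norm(name):
    # xorg.conf option names are matched ignoring case, whitespace and underscores.
    return re.sub(r"[\s_]", "", name).lower()


def audit_render_accel(conf_text):
    """Map each nvidia Device section's Identifier to True when RenderAccel
    is explicitly disabled there, False otherwise (hypothetical helper)."""
    results = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' inside quotes)
        if not line:
            continue
        words = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', line)]
        key = words[0].lower()
        if key == "section" and len(words) > 1:
            section = {"type": words[1].lower(), "driver": None,
                       "ident": None, "disabled": False}
        elif key == "endsection":
            if section and section["type"] == "device" and section["driver"] == "nvidia":
                results[section["ident"]] = section["disabled"]
            section = None
        elif section and section["type"] == "device" and len(words) > 1:
            if key == "driver":
                section["driver"] = words[1].lower()
            elif key == "identifier":
                section["ident"] = words[1]
            elif key == "option" and _norm(words[1]) == "renderaccel":
                # An option given without a value counts as enabled.
                value = words[2].lower() if len(words) > 2 else "true"
                section["disabled"] = value in FALSE_VALUES
    return results


# Constructed sample configuration, not taken from any real system.
SAMPLE_XORG_CONF = '''
Section "Device"
    Identifier "Card0"
    Driver     "nvidia"
    Option     "RenderAccel" "false"   # workaround from the thread
EndSection

Section "Device"
    Identifier "Card1"
    Driver     "nvidia"
    Option     "Render_Accel"          # no value: still enabled
EndSection

Section "Device"
    Identifier "Fallback"
    Driver     "vesa"
EndSection
'''

if __name__ == "__main__":
    for ident, disabled in audit_render_accel(SAMPLE_XORG_CONF).items():
        print(ident, "RenderAccel disabled" if disabled else "RenderAccel NOT disabled")
```

A section reported as not disabled still relies on a driver update for this bug; the check says nothing about which driver version is installed.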
There’s only one long-term solution – don’t let untrusted binaries do whatever they like in the kernel.
There’s only 2 ways to achieve this. The first option is to dispose of all intellectual property laws so that all device drivers can be open source (and so we can all inspect the code for flaws before running it, like everyone always does).
I’ll let you figure out what the second option is, and then you can decide for yourself which option is more practical. Here’s a hint: Microsoft seem to have figured this other option out (although they’re gradually implementing it, rather than introducing a radical change).
Things like that dangerous blob should definitely be banned from the kernel space. If they run in user space, ok. But I don’t want them in the kernel space.
> Things like that dangerous blob should definitely be banned from the kernel space. If they run in user space, ok. But I don’t want them in the kernel space.
What the.. You have a CHOICE you know, you don’t have to use it if you don’t want to.
Banning is NOT a solution, it only takes away people’s ability to choose what they want to run and where.
So Greg is WRONG if he tries to limit my freedom to choose.
“No, only people granted access to commit code can do so.”
And even when they commit code, it’s not a given it will also be *accepted* by the decision-makers.
Theo was right. Again.
Maybe it is better that I keep my GMA 950
a computer remotely as root using this Nvidia exploit.
Bonus – if you can actually run rm -rf * using this exploit. Seems that any arbitrary code can be run.