Government agencies probably already have half of these exploits in their private toolbox for years now. Finding and patching them is good, but there probably needs to be some systematic change to prevent them rather than just patching bugs when they get found.
I've seen microkernels mentioned a few times between these LPE posts and I'm curious about why. Would they be fundamentally more secure against forgetting to add bounds checking, or assuming user-provided input buffers should be writable without checking?
Yes, because as a userspace program if you forget to do bounds checking or read the wrong thing, the kernel kills the process. But if the buggy code is the kernel then there’s no protection. Microkernels aim to have as little code as required in kernel space.
As other people said in this thread: so many devices won't be patched. And that can easily lead to users and manufacturers moving away from Linux. Linux is in a glass house.
Linux is "falling apart" because it's the highest-profile open source project people can point LLM agents at to find CVEs. It'll come out the other end of this hardened by all of the attention it's getting, but the next few months/years will be... bumpy.
I do think SELinux is a good example of how robust software with poor UX/DX gets undermined by that poor UX/DX. Although I do wonder if AI can help with it?
Pray to God no one ever lets an AI agent run loose on the various leaked Windows source code dumps.
Given Windows' absurd amount of backwards compatibility, chances are pretty high that there are a lot of sleeping dragons buried inside even the modern Windows 10/11 kernel and userland that date back to code and issues from the 90s - code where half the people who worked on it have probably not just departed Microsoft but departed the living in the meantime.
While true, since MinWin and OneCore most of that code has been moved around.
Also, unlike Linux, Windows 11 (optional on W10) uses sandboxing for the kernel and drivers.
Since Windows XP SP2, Windows has kept getting mitigations, and Microsoft has security teams whose day job is to attack Windows.
They have also been promoting Copilot for C and C++ code review for some time now.
While it won't stop all attacks, it is better than the whole "UNIX is safer than Windows" attitude from the 90s; it turns out to be a matter of how much money is put into it.
If you want real safety above anything else, look into Qubes OS with its sandboxing of everything, or mainframe systems like Unisys ClearPath MCP, with NEWP as the systems language, and managed environments.