The developers of Ubuntu and Debian have received a warning from Google's Project Zero. Project Zero researcher Jann Horn, who found the Meltdown and Spectre bugs, calls on them to update their Linux distros more quickly. Otherwise, users will be exposed to threats for an unnecessarily long time.

According to Horn, some Linux distros are too slow to release new versions. When a distro does not release a new kernel update quickly enough, its users run unnecessary risks. Horn points out that once a patch is publicly announced, attackers are going to use it to develop exploits. Because Linux reaches end users through many different distributions, each of which has to ship the fix itself, those users are extra vulnerable.

Dangerous exploitation

Some time ago Horn found a dangerous vulnerability in Ubuntu 18.04. It was closed the very next day by Linux founder Linus Torvalds, with a stable kernel release. But according to Horn, some distros take far too long to bring a new stable kernel release to their users.

Once a patch has been applied in the upstream kernel, it is made public. That is when an attacker gets a chance to develop an exploit. Users are only protected against this once the developer of their distro releases a stable kernel. In addition, users eventually have to install the patch themselves, which sometimes takes them some time as well.

Debian and Ubuntu

Horn also specifically criticizes the distributions Debian and Ubuntu. The last update of Debian took place on August 21 and that of Ubuntu on August 27. The new critical fix for the problems arising from the previously discovered exploit was only made available on 1 October. This put users at risk for a long time, as the specific exploit was discovered on 12 September.

Since there is a good chance that more of these exploits will be found in Linux distros in the near future, Horn is calling on developers to release updates to their systems more quickly. This is the only way to keep users optimally protected against hackers.

This news article was automatically translated from Dutch.