The Curing Rootkit For Linux Leverages io_uring, But Not In A Terrifying Way

Shining A Light On A Security Oversight

You are probably going to see a lot of news about the new Curing rootkit, which takes advantage of the io_uring system call interface enabled in many Linux kernels.  At a glance it seems terrifying: a way to infect a machine that is essentially invisible to current antivirus software is not a good thing.  But in order to make use of it you already have to have root privileges, and if an attacker already has root, then the game is finished.  Then again, if someone finds a way to leverage this Curing rootkit without having root privileges, you can rightfully panic.

What is interesting about Curing is what it reveals about how security software functions, and that these tools share a definite blind spot.  Current protections monitor system calls, which certainly need to be closely watched, but Curing shows that they need to do more.  The article is light on details, likely on purpose to ensure bad actors can’t immediately leverage it, but apparently Curing can be used to make network connections or tamper with files without your antivirus programs detecting it.

As you might expect, the company that released this information, ARMO, has a solution that can detect if io_uring has been tampered with.  That explains why we will likely see overly provocative headlines over the next few days.  Take them with a grain of salt, but do appreciate that they have discovered a serious oversight on the part of the software we depend upon to keep us safe.
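One defender-side check that follows from the blind spot described above, added here as an example and not ARMO's or the Curing project's code: once a process has set up an io_uring ring, its later I/O no longer shows up as the per-operation system calls that monitoring tools watch, so the ring itself is the thing to inventory. The script below walks /proc, counts file descriptors whose link target is the kernel's "anon_inode:[io_uring]" name, and reports the kernel.io_uring_disabled sysctl (Linux 6.6 and later), so unexpected ring owners can be baselined and investigated.

```python
"""Inventory processes holding io_uring rings and report the kernel policy knob.
Added example for this article, not ARMO's or Curing's code. Assumes Linux /proc, where
a ring is an fd linking to "anon_inode:[io_uring]", and kernel.io_uring_disabled (6.6+)."""
import os

IO_URING_TARGET = "anon_inode:[io_uring]"
SYSCTL_PATH = "/proc/sys/kernel/io_uring_disabled"
POLICY = {  # meaning of each sysctl value, per the kernel documentation
    "0": "io_uring enabled for all processes",
    "1": "io_uring restricted to root and members of kernel.io_uring_group",
    "2": "io_uring disabled for all processes"}

def count_io_uring_fds(link_targets):
    """Number of io_uring rings among one process's /proc/<pid>/fd link targets."""
    return sum(1 for t in link_targets if t == IO_URING_TARGET)

def describe_policy(raw_value):
    """Map raw sysctl contents (None when the file is absent) to a description."""
    if raw_value is None:
        return "kernel.io_uring_disabled not present (kernel older than 6.6?)"
    return POLICY.get(raw_value.strip(), "unknown value %r" % raw_value)

def fd_targets(fd_dir):
    """readlink every entry of a /proc/<pid>/fd directory, tolerating races."""
    targets = []
    try:
        names = os.listdir(fd_dir)
    except OSError:
        return targets  # process exited, or another user's fds without root
    for name in names:
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            pass  # fd closed between listdir and readlink
    return targets

def scan_proc(proc_root="/proc"):
    """Return {pid: ring_count} for every process holding io_uring fds."""
    found = {}
    if not os.path.isdir(proc_root):
        return found  # not Linux, or /proc not mounted
    for pid in (d for d in os.listdir(proc_root) if d.isdigit()):
        n = count_io_uring_fds(fd_targets(os.path.join(proc_root, pid, "fd")))
        if n:
            found[int(pid)] = n
    return found

if __name__ == "__main__":
    raw = open(SYSCTL_PATH).read() if os.path.exists(SYSCTL_PATH) else None
    print("policy:", describe_policy(raw))
    for pid, n in sorted(scan_proc().items()):
        print("pid %d holds %d io_uring ring(s)" % (pid, n))
```

Run it as root to see every user's descriptors; unprivileged runs only see the caller's own processes.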
