A Belgian beveiligingsonderzoeker without a lot of effort 200 security vulnerabilities found in X.org the displayserver that in most Linux distributions is used. About 120 bugs were in the part that if the root is rotated.
“A lot of code is thirty years old and not prepared for the way in which X.org today, it is used”, says the researcher. So can X.org at some points it is crashing when it write files of 4 gigabytes; in the days that X.org was designed was to write the contents of files of that size was unthinkable, but today the day is already long not more. Software crashes are a vulnerability because they are sometimes malware can be exploited to use your own code to run. Van Sprundel has no exploits developed, so if the bugs actually exploits can be abused is not known.
Most of the vulnerabilities in the X. org-server still need to be patched; in the majority of the client’s vulnerabilities that already happened. In most cases, the variables of which the input was not checked. This would mean that they can be used for the execution of rogue code. Especially in the X. org-server, with root-rights operates, this is a problem. An attacker who is already of a vulnerability in other software exploits, would be via the X. org-server than a root-rights can obtain, what the impact of the attack increases. “I give little information about the bugs in the X. org-server, because they still need to be patched,” says Van Sprundel.
X.org is the displayserver of many Linux distributions including the popular Ubuntu, although the distribution’s busy with his own displayserver. The displayserver is in Linux distributions and other Unix-based operating systems responsible for the on-screen drawing of the graphical interface. The X. org-server consists of clients and a server, where the clients pass to the server what is on the screen must be drawn. The X. org-client is primarily used as part of a toolkit, such as GTK, Gnome or Qt for KDE. According to Van Sprundel are also implementations of the client, however, as leak as a basket.
The Belgian researcher, is the least to speak about the code of the OpenGL-extension in X.org. That is, according to Van Sprundel ‘unimaginably bad’. “It is an endless stream of crap”, says Van Sprundel. “It’s awful and broken beyond repair.” Thus, memory is not properly allocated and there are memory leaks, which can be exploited to run malicious code. Also the support for fonts is, according to Van Sprundel ‘very bad’. The X. org support for the drawing of text is rarely used, but is still present.
According to Van Sprundel is X.org in the coming years, not by anything else replaced, and it is therefore important that bugs are found and fixed. He is, however, to speak about the way in which the X. org-team is reporting bugs to pick up. “There was not be in perspective applied to, such as still sometimes happens,” says Van Sprundel.