Re: When are security updates effective?
On Thu, Aug 31, 2006 at 07:23:27PM -0300, Henrique de Moraes Holschuh wrote:
> Indeed. lsof +L1 is currently useless for detecting unlinked libraries.
> I've been using lsof | grep "path inode" to detect them for a while now.
> Still, I hope the older, saner lsof +L1 behaviour can be restored soon...
This got me thinking:
- can the output of lsof be trusted when making security updates effective?
- can a process running vulnerable code be exploited to not show the
shared libraries and other non-shared libraries and files it had opened for
reading at some point?
- do I assume, fingers crossed, that non of my processes have been tampered
with if I trust lsof and don't do a full reboot?
AFAIK, shared libraries are just memory mapped files which can be copied
and munmap'ed, and an attacker can keep on running his 0wned process on
my host and escape my update attempts. I think this applies to all other open
files like static and scripting language libraries, data and configuration
files too, and even in trusted environments processes don't show all of these
loaded 'libraries' via open files. Perhaps package based reverse
dependencies give a better idea on what to do after upgrades, but the
dep's should be tracked all the way to the executables which started the
currently running processes, I think.
Strange, but suddenly XP's forced reboot on IE and Acroreader updates starts
to make sense...