Zero-day vulnerability lets Linux applications gain root access

Opinion
Jan 19, 2016 | 5 mins

Plus: Why Linux gamers should hold off on preordering the Oculus Rift, and LinuxInsider reviews Deepin 15 (Depth OS)

Zero-day vulnerability affects Linux and Android

Security is a never-ending battle for any operating system, including Linux. A new report notes that Android and Linux are both vulnerable to a zero-day exploit that allows applications to escalate privileges to gain root access.

Maria Korolov reports for CSO:

A new zero-day vulnerability has been discovered that allows Android or Linux applications to escalate privileges and gain root access, according to a report released this morning by Perception Point.

Any machine with Linux Kernel 3.8 or higher is vulnerable, he said, including tens of millions of Linux PCs and servers, both 32-bit and 64-bit.

Although Linux lags in popularity on the desktop, the operating system dominates the Internet, mobile, embedded systems and the Internet of Things, and powers nearly all of the world’s supercomputers.

Using this vulnerability, attackers are able to delete files, view private information, and install unwanted programs. According to Pats, this vulnerability has existed in the Linux kernel since 2012.

Pats said that the Linux team has been notified, and patches should be available and pushed out soon to devices with automatic updates. Perception Point has also created proof of concept code that exploits this vulnerability to gain root access.

More at CSO

You can get much more detail from the Perception Point report:

The Perception Point Research team has identified a 0-day local privilege escalation vulnerability in the Linux kernel. While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit.

As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets). While neither us nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.

In this write-up, we’ll discuss the technical details of the vulnerability as well as the techniques used to achieve kernel code execution using the vulnerability. Ultimately, the PoC provided successfully escalates privileges from a local user to root.

CVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, let’s cover some background required to understand the bug.

Quoting directly from its manpage, the keyrings facility is primarily a way for drivers to retain or cache security data, authentication keys, encryption keys and other data in the kernel. System call interfaces – keyctl syscall (there are two other syscalls that are used for handling keys: add_key and request_key. keyctl, however, is definitely the most important one for this write-up.) are provided so that userspace programs can manage those objects and use the facility for their own purposes.

More at Perception Point
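
A triage check built from the scope quoted above (kernel 3.8 or higher, bug in the keyrings facility), as an added example that is not code from Perception Point or CSO. The function names and verdict words are made up for the example, and `/boot/config-<release>` is an assumed location for the kernel build config; the keyrings code is only built when `CONFIG_KEYS` is enabled.

```shell
#!/bin/sh
# Added triage example. The 3.8 threshold is the report's figure; vendors
# backport fixes, so "review" means "check the vendor advisory", not "vulnerable".

# Exit 0 if a release string such as "3.13.0-74-generic" is 3.8 or higher,
# 1 if it is lower, 2 if it cannot be parsed.
kernel_at_least_3_8() {
    rel=${1%%[!0-9.]*}                 # keep the leading "3.13.0"
    case $rel in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    # Compare numerically: as strings, "3.10" would sort below "3.8".
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }
}

# Exit 0 if the kernel build config enables the keyrings facility (CONFIG_KEYS).
keys_enabled() {
    grep -q '^CONFIG_KEYS=y$' "$1"
}

# triage RELEASE CONFIG_FILE: print one verdict word for an inventory row.
triage() {
    kernel_at_least_3_8 "$1" && rc=0 || rc=$?
    case $rc in
        1) echo "below-3.8"; return 0 ;;
        2) echo "unparsed";  return 0 ;;
    esac
    # A missing config file cannot rule the facility out, so it stays "review".
    if [ -r "$2" ] && ! keys_enabled "$2"; then
        echo "keyrings-disabled"
    else
        echo "review"
    fi
}

# Local host; /boot/config-<release> is an assumed location for the config.
echo "$(uname -r): $(triage "$(uname -r)" "/boot/config-$(uname -r)")"
```

A "review" verdict only places the host inside the range the report names; whether a given kernel package already carries the fix for CVE-2016-0728 has to come from the distribution's advisory.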

Why Linux gamers should hold off on preordering the Oculus Rift

Linux gamers shouldn’t get too excited about the Oculus Rift, according to PCWorld. Linux support might happen, but won’t be available when the Oculus Rift first becomes available. So you might want to hold off on those preorders until there’s an official announcement that Linux will be supported.

Chris Hoffman reports for PCWorld:

News of Oculus Rift preorders is bittersweet at best for Linux users. The first consumer version of the Rift will be Windows-only, with Linux support a vague promise for the future. But it wasn’t always this way.

In the beginning, Linux support was something Oculus was actively developing. The original Oculus SDK released in mid-2013 (Version 0.2.3) added support for Linux. Red Hat’s Richard Jones blogged about his experience with it in August of that year: “Surprisingly, using Linux is not a problem at all,” he wrote, finding it offered a basically plug-and-play experience on Linux. “How the world has moved on,” he wrote.

Then Oculus changed its mind. In a May 2015 blog post titled “Powering the Rift,” Oculus came right out and said it was prioritizing Windows support over all else. “Our development for OS X and Linux has been paused in order to focus on delivering a high-quality consumer-level VR experience at launch across hardware, software, and content on Windows.”

Oculus didn’t cancel Linux support altogether, but it made no firm promises. “We want to get back to development for OS X and Linux,” the blog post said, “but we don’t have a timeline.” In December 2015, Oculus CEO Palmer Luckey reiterated Linux support, but with no more certainty than “Linux support is on the roadmap post-launch.”

More at PCWorld

LinuxInsider reviews Deepin 15 (Depth OS)

The distribution once known as Deepin is undergoing something of a name change, according to a review of the latest version by LinuxInsider. Depth OS is apparently the new name. LinuxInsider examined the naming issue in a full review of Depth OS (Deepin 15).

Jack M. Germain reports for LinuxInsider:

The latest release of the Linux distro now called “Depth OS” deserves serious consideration. It is fast, reliable and innovative, with an impressive homegrown desktop design dubbed “Deepin Desktop Environment,” or DDE.

Depth OS has a bit of an identity problem. It’s not well known outside Asia and Europe, but that’s not the major cause of confusion.

The problem is that the open source community that developed the distro seems to have a difficult time deciding what to call it. It has had several names, including “Hiweed GNU/Linux,” “Linux Deepin,” “Deepin” and now “Depth OS.”

It seems that many of the community support staff never got the memo. Most of the website and the OS itself still are labeled as “Deepin.” When the community released the latest version last month, it was called “Deepin version 15.” As of this writing, it still was. A half-hearted name-change process is ongoing.

More at LinuxInsider



Jim Lynch is a technology analyst and online community manager.
