We all knew that something like this was eventually going to happen. We knew that Nvidia's proprietary driver would eventually be exposed with one or more security holes. It's the nature of programming; tens of thousands (or hundreds of thousands, or millions) of lines of detail-oriented code are inevitably going to have problems. We find these bugs, we squash these bugs, we patch for these bugs, and we move on.
This particular event is special for two reasons. The first reason is that this bug is a buffer overflow in code running in the kernel, which allows crackers to run anything they want as root. The worse part of the situation is that Nvidia knew about the problem and sat on it for a staggering _two years_.
Generally speaking, discovered exploits in free software have a wide-open window of about four weeks. That works out to about a week for 'security researchers' and developers to discuss the issue and coordinate, a week to get a fix for the bug written up and a new version of the software released, a week for distributions to package the software and a week for users to do their Sunday "I'm bored. Let's upgrade".
The Nvidia bug, though published in 2004, is just now getting fixed. To get a grasp of how long two years can be for a root-level compromise, consider all of these things that are younger than the bug:
* Ken Jennings was still in the middle of his 75-game winning streak on the game Jeopardy.
* The Nintendo DS was not available for purchase at the time the bug was announced on security lists.
* The big Buenos Aires nightclub fire (killed 194) hadn't happened yet.
* The Thailand tsunami was yet to destroy entire cities.
Think twice the next time you consider running a proprietary module with your kernel. That code is not going to get as much review as any free software module. The developers of that proprietary module may not bother working on the problem until it becomes a Really Public problem... months (or in this case, years) after a free software module would have been fixed by a contributor.