Transactions without Transactions
Richard Kreuter and Kyle Banker on how to avoid classical RDBMS transactional systems by using compensation mechanisms, transactional messaging or transactional procedures.
News
The content has been bookmarked!
There was an error bookmarking this content! Please retry.
Critical Security Vulnerability Found in Quicksort
Posted by Ryan Slobojan on Apr 01, 2009
In what is sure to become one of the most wide-reaching security vulnerabilities yet known, a researcher with L0pht Heavy Industries has uncovered a flaw in the standard implementation of the Quicksort algorithm. InfoQ spoke with Dildog of L0pht to learn more about this vulnerability and it's ramifications.
Dildog explained the vulnerability as being of a class of vulnerabilities known as buffer overflow exploits. In these sorts of vulnerabilities, a malicious program is able to execute arbitrary code using the permissions of the user which is executing the given process.
In the case of Quicksort, the source of the vulnerability has not yet been made public, however it has been confirmed by two external security analysis firms as being present in the standard implementation of the Quicksort algorithm. Pseudocode for this algorithm, as found on Wikipedia, is:
function quicksort(array)
var list less, greater
if length(array) ≤ 1
return array
select and remove a pivot value pivot from array
for each x in array
if x ≤ pivot then append x to less
else append x to greater
return concatenate(quicksort(less), pivot, quicksort(greater))
This vulnerability has been confirmed as affecting the following libraries, runtimes and products:
- Several implementations of the JVM (including those of Sun, IBM, Oracle/BEA and Apache)
- The .Net CLR up to and including version 3.5 SP1
- The Microsoft Visual C Runtime up to and including version 9.0
- The Adobe Flash runtime up to and including version 10.0
- glibc up to and including version 2.6
- Apache HTTPD up to and including version 2.2.13
- Numerous hubs, switches and routers including some from Cisco, Juniper, D-Link, Netgear and Linksys
According to Dildog, this vulnerability was first discovered while performing forensics upon a system which had been compromised by a previously unknown exploit. This exploit caused the computer in question to change all system sounds to clips of an 80s pop song, and replaced all system images and icons with pictures of assorted Lolcats. Although there have been no other reports of this exploit being seen, we advise all InfoQ readers to keep alert and report any unexpected appearances of either Rick Astley or Lolcats to the proper authorities.
- See more SOA content at: http://www.infoq.com/soa
- See more Agile content at: http://www.infoq.com/agile
- Other recent content items in this topic
RelatedVendorContent
Case Study: IBM's Agile Transformation
18 agile and lean practices for effective software development governance
Improve Java Garbage Collection, Runtime Execution, and JVM visibility with Zing
Related Sponsor
In today’s hyper-competitive world, later may be too late to adopt Agile development and this Roadmap for Success will help you get started. Download "Agile Development: A Manager's Roadmap for Success" now!
Oh Noes !
by
Michael Neale
Posted
Re: Oh Noes !
by
Jim Nasium
Posted
Similar to bug in binarySearch
by
Thomas Mueller
Posted
Happy April Fool's Day?
by
rubem azenha
Posted
Re: Happy April Fool's Day?
by
Jim Nasium
Posted
Re: Happy April Fool's Day?
by
Hermann Schmidt
Posted
No doubt April fools
by
Lou Marco
Posted
-
I just looked at how many machines we have that are compromised... it's over 9000.
-
Similar to this bug:
bugs.sun.com/bugdatabase/view_bug.do?bug_id=504...
(however this bug didn't affect that many applications) -
It's probably an April Fool's joke...
-
Do you think? ;)
-
No, it's true! Our credit card billing database has just quicksorted itself and everything is gone, because some exploit moved it to Youtube. We are bancrupt!
-
But a pretty good one. I'm curious if anyone at the ranch bites.
7 comments
Watch Thread Reply