Tails Distro update fails to address serious zero-day vulnerabilities
The Tails Linux distro gained a lot of publicity when Edward Snowden noted it as his operating system of choice. But while TAILS goes to great pains to ensure maximum anonymity when using online services, it is not impenetrable. In fact, the software's design is seriously flawed, says Loc Nguyen, a researcher at Exodus.
More on the vulnerabilities at the Register and Forbes.
Tails is comprised of numerous components working in interchange," he said. ... however because there are numerous inter-locking mechanisms in play on the system, it's difficult to readily pinpoint a particular weak area."Nguyen and team had identified a number of zero-day vulnerabilities in the distro that have gone unaddressed and remain open even as TAILS releases an update to the software. Exodus said it would release details about the zero-days in a series of blog posts next week. For the Tails platform, privacy is contingent on maintaining anonymity and ensuring their actions and communications are not attributable. Thus, any violation of those foundational pillars should be considering highly critical," added Nguyen. This affects every user of Tails, who should all "diversify security platforms so as not to put all your eggs in one basket", he added. Exodus sells to private and public businesses hoping to use the findings for either offensive or defensive means. Those unconcerned about governments targeting their systems might not be concerned about the Tails zero-days. Others will likely be anxious one of their trusted tools to avoid government hackers contains vulnerabilities that could be exploited to spy on any user of the OS."
More on the vulnerabilities at the Register and Forbes.
This also reminds me of a change they made in Android not too long ago where they randomized the place in memory where running applications were stored. Prior to that I think it was some standard location that allowed for easier exploitation.