Eee PC vulnerable, say researchers

Stephen Withers
Tuesday, 12 February 2008 00:11

Business IT - Open Source

Security researchers have warned that the Asus Eee PC is vulnerable to attack by hackers.

According to Brazil-based RISE Security, the Eee PC ships with a version of Samba that includes an exploitable heap-overflow vulnerability discovered in the middle of 2007.

Furthermore, Samba is loaded by default on the Eee PC and a known exploit for the flaw can be used to gain root access to the subnotebook.

The popular Asus Eee PC sub-notebook, which was released in October last year, is now the world's best selling Linux computer, Asus having sold more than 300,000 in 2007. The wireless capable Eee PC runs a version of the Xandros Linux distribution and comes preloaded with a number of open source and free proprietary applications such as OpenOffice.org and Skype. The Eee part of the name is meant to signify that the portable computer with a 7-inch screen, 512MB RAM and 2GB of Flash storage is "Easy to work, Easy to learn and Easy to play."

However, as RISE puts it: "Easy to learn, Easy to work, Easy to root."

Fraser Howard, principal virus researcher at Sophos, said it was not surprising that a vulnerability had been found, but the issue "is less about any inherent weakness or flaw with the Eee PC, and more about the dangers of how users perceive technology. Simple technology requires simple security, which in this case means having an update mechanism that 'just works'."

Samba is an open-source implementation of the SMB/CIFS protocol, allowing computers running operating systems such as Linux to provide file and print services to Windows PCs.

The current release (3.0.28) does not have the flaw discussed above, and can be downloaded from samba.org.