Deadly Linux Bug Puts Millions Of Systems At Risk, Patch Now Available
Researchers have discovered a critical vulnerability in the GNU C Library, glibc, which exposes many Unix-based systems such as Linux servers to a range of security attacks.
Another security expert meanwhile has warned that rapid action is required, and that system administrators need to roll out the patches immediately.
The glitch does not affect major systems like Windows or OS X, but smaller connected devices may be at risk.
In the course of Google’s investigation, engineers discovered that glibc maintainers knew about the bug and potential exploit since July.
Google said that while the flaw was hard to exploit, its engineers had done it (although they did not reveal how).
“Our suggested mitigation is to limit the response sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set”.
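The two halves of that mitigation are a local size cap on UDP replies and a refusal to use data the server marked as truncated. The following is an added illustration, not Google's or glibc's code: a small resolver-side filter that parses the 12-byte DNS header (RFC 1035 layout), drops any UDP reply over an assumed local limit, and signals a TCP retry when the truncation (TC) bit is set. The 512-byte limit and the sample responses are constructed for the example.

```python
import struct

# DNS header layout from RFC 1035: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
DNS_HEADER_LEN = 12
TC_FLAG = 0x0200  # truncation bit inside the 16-bit flags word

# Assumed local cap on accepted UDP replies; a deployment picks its own value.
MAX_UDP_RESPONSE = 512


def parse_header(data: bytes) -> dict:
    """Parse the fixed DNS header; raise ValueError if the input is too short."""
    if len(data) < DNS_HEADER_LEN:
        raise ValueError("response shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:DNS_HEADER_LEN])
    return {
        "id": ident,
        "flags": flags,
        "tc": bool(flags & TC_FLAG),
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def classify_udp_response(data: bytes, limit: int = MAX_UDP_RESPONSE) -> str:
    """Decide what a resolver should do with a UDP reply.

    Returns 'accept', 'retry_tcp' or 'reject'. The size check runs first so an
    oversized reply is discarded even if it also carries the TC bit.
    """
    try:
        hdr = parse_header(data)
    except ValueError:
        return "reject"
    if len(data) > limit:
        return "reject"        # never hand an oversized UDP reply to the caller
    if hdr["tc"]:
        return "retry_tcp"     # server truncated it: re-ask over TCP, do not parse
    return "accept"


def build_response(ident: int, tc: bool, payload_len: int) -> bytes:
    """Construct a minimal test response: valid header, zero-filled body."""
    flags = 0x8180 | (TC_FLAG if tc else 0)  # QR=1, RD=1, RA=1 (+TC when asked)
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + b"\x00" * payload_len


if __name__ == "__main__":
    # Constructed samples: a normal reply, a truncated one and an oversized one.
    for label, reply in [
        ("normal", build_response(1, False, 100)),
        ("truncated", build_response(2, True, 50)),
        ("oversized", build_response(3, False, 3000)),
    ]:
        print(f"{label:10s} {len(reply):5d} bytes -> {classify_udp_response(reply)}")
```

The point of the ordering is that a resolver should decide on raw length before it interprets anything in the body; a reply that is too large is thrown away unparsed, and a TC-flagged reply is used only as a signal to switch transports.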
Google’s Android runs on Linux, but “most Android phones will not be affected because they use a different libc”, said Murdoch.
“Think routers and increasingly anything considered part of the ‘Internet of Things’,” Prof Woodward said.
A severe vulnerability recently uncovered in the widely used GNU C Library (glibc) can cause serious security problems for websites if they are not patched soon.
Google has managed to exploit this flaw through, as it says on its security blog, “intense hacking sessions”, but it is acting responsibly and not releasing the exploit to the public.
“However, protections of this nature are not implemented in integrated devices like routers due to their expensive nature, both in costs and hardware requirements.” As a result, it is used to power most mobile devices.
White also said there is a possibility that CentOS, Oracle, and Amazon Linux may be vulnerable to the glibc vulnerability.
While the process is as simple as downloading and installing for other users, it may not be so simple for users running applications that were compiled with the affected glibc. This is a slightly different version of the operating system, which does not contain the flaw.
Manufacturers are now being urged to test their systems using the proof-of-concept attack developed by Google, with Veracode’s Paul Farringdon warning companies that a quick response time to these kinds of vulnerabilities is crucial, alongside scanning for unknown vulnerabilities.
“Like Heartbleed and Shellshock before it, the glibc vulnerability reinforces the reality that using components in the application development lifecycle introduces risk… our software is constructed like Legos, relying on components rather than coding.”