Bug in Linux's GNU C Library leaves thousands of apps and devices open to attack

A catastrophic flaw in a core Linux software library has been discovered by a group of researchers. The flaw potentially affects hundreds or thousands of apps and hardware devices.

The vulnerability was introduced in 2008 in the GNU C Library (glibc), open source code that powers thousands of standalone applications and most distributions of Linux, including those that ship on routers and other types of hardware.

The function getaddrinfo(), which performs domain-name lookups, contains a stack-based buffer overflow bug that allows attackers to remotely execute malicious code. It can be exploited when a device queries an attacker-controlled domain name or an attacker-controlled DNS server, or when an attacker in a man-in-the-middle position can tamper with the DNS replies in transit. The attacker does not need to be the program's user: any process that resolves a hostname is a potential vector.
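To make the mechanism concrete, here is a simplified model of that bug class, written as an added example for this page rather than taken from glibc's resolver: the resolver keeps a pointer to a 2048-byte stack buffer together with a size, switches to a heap buffer when a DNS answer is larger than that, and in the buggy path updates the size but not the pointer, so the oversized answer is still copied onto the stack. The 2048-byte figure is glibc's; the function and structure names, the constructed answer and the canary check are this example's own. The "stack" buffer is placed inside a larger array with a canary after it so that the bad write stays within memory the program owns and its effect can be observed without undefined behaviour.

```c
/*
 * Added illustration of the buffer-bookkeeping bug class behind the
 * getaddrinfo() overflow.  Not glibc's code: the real resolver reserves
 * 2048 bytes on the stack for a DNS answer and allocates a heap buffer
 * when the answer is larger; the flaw was that the stack buffer could
 * still be used with the larger size.  All names below are this example's.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_ANSWER_SIZE 2048   /* bytes glibc set aside on the stack */
#define SLACK             4096   /* extra room so the demo never leaves our array */
#define CANARY            0xA5

/* Bookkeeping the resolver keeps for where the next DNS answer goes. */
struct answer_buf {
    unsigned char *ptr;    /* buffer the response is written into */
    size_t         size;   /* how large the resolver believes ptr is */
    unsigned char *heap;   /* heap buffer, once one has been allocated */
};

/* Buggy path: grows the recorded size when the answer is too big but keeps
 * writing through the old stack pointer, so the copy runs past the buffer. */
static int store_answer_buggy(struct answer_buf *b,
                              const unsigned char *resp, size_t len)
{
    if (len > b->size) {
        unsigned char *bigger = malloc(len);
        if (bigger == NULL)
            return -1;
        b->heap = bigger;
        b->size = len;          /* size updated ...                       */
        /* ... but b->ptr is not: this is the pointer/size mismatch.      */
    }
    memcpy(b->ptr, resp, len);  /* len may now exceed the real buffer     */
    return 0;
}

/* Fixed path: pointer and size move together, so the write never exceeds
 * the buffer actually behind ptr. */
static int store_answer_fixed(struct answer_buf *b,
                              const unsigned char *resp, size_t len)
{
    if (len > b->size) {
        unsigned char *bigger = malloc(len);
        if (bigger == NULL)
            return -1;
        b->heap = bigger;
        b->ptr  = bigger;
        b->size = len;
    }
    memcpy(b->ptr, resp, len);
    return 0;
}

/*
 * Feed one constructed DNS answer of resp_len bytes through either path.
 * Returns 1 if the canary right after the 2048-byte region is intact,
 * 0 if it was overwritten, -1 on error or if resp_len would leave the
 * backing array (the guard that keeps this program well-defined).
 */
int simulate_answer(int use_fixed, size_t resp_len)
{
    unsigned char region[STACK_ANSWER_SIZE + SLACK];
    unsigned char *resp;
    struct answer_buf b;
    int intact = 1;

    if (resp_len == 0 || resp_len > sizeof(region))
        return -1;

    memset(region, 0, STACK_ANSWER_SIZE);
    memset(region + STACK_ANSWER_SIZE, CANARY, SLACK);

    /* Constructed "attacker-controlled" answer: only its length matters here. */
    resp = malloc(resp_len);
    if (resp == NULL)
        return -1;
    memset(resp, 0x41, resp_len);

    b.ptr  = region;             /* the 2048-byte "stack" buffer */
    b.size = STACK_ANSWER_SIZE;
    b.heap = NULL;

    if ((use_fixed ? store_answer_fixed : store_answer_buggy)(&b, resp, resp_len) != 0) {
        free(resp);
        return -1;
    }

    for (size_t i = STACK_ANSWER_SIZE; i < sizeof(region); i++)
        if (region[i] != CANARY) { intact = 0; break; }

    free(b.heap);
    free(resp);
    return intact;
}

int main(void)
{
    printf("buggy, 1500-byte answer: canary intact=%d\n", simulate_answer(0, 1500));
    printf("buggy, 3000-byte answer: canary intact=%d\n", simulate_answer(0, 3000));
    printf("fixed, 3000-byte answer: canary intact=%d\n", simulate_answer(1, 3000));
    return 0;
}
```

A 1500-byte answer fits and both paths behave; a 3000-byte answer makes the buggy path clobber everything after the 2048-byte region while the fixed path lands it on the heap. In the real library that overwritten region is the caller's stack frame, which is why attacker-controlled DNS replies translate into code execution.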

All versions of glibc from 2.9 onward are vulnerable until patched. Anyone running Linux-based software or hardware that performs domain-name lookups should install the patch as soon as possible. Because distributions backport fixes, the installed glibc version number alone does not show whether a system is patched; check the distribution's advisory for the glibc package instead.

"It's a big deal," Washington, DC-based security researcher Kenn White told Ars, referring to the vulnerability. "This is a core bedrock function across Linux. Things that do domain name lookup have a real vulnerability if the attacker can answer."

One Linux-based platform that is not vulnerable is Google's Android mobile operating system, which uses a glibc substitute known as Bionic.

Google's researchers, who reported the bug, found that engineers at Red Hat had independently been investigating the same flaw. "This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams' knowledge into a comprehensive patch and regression test to protect glibc users," the Google researchers wrote.
