Bug in Linux's GNU C Library leaves thousands of apps and devices open to attack

A catastrophic flaw has been discovered by a group of researchers in a core software component of Linux. It affects hundreds of thousands of applications and hardware devices.

The vulnerability, tracked as CVE-2015-7547, was introduced in 2008 in the GNU C Library (glibc), the open-source C library that underpins thousands of standalone applications and most Linux distributions, including those shipped on routers and other embedded hardware.

The bug is a stack-based buffer overflow in getaddrinfo(), the function that performs domain-name lookups, and it allows an attacker to execute malicious code remotely. The malicious input is a DNS reply, so a device is exposed whenever it looks up a domain name the attacker controls, sends its queries to a DNS server the attacker controls, or is on a network where the attacker can answer queries in the server's place.
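As an added illustration (editor's code, not glibc's source and not part of the original article), the following C model shows the bug class behind this overflow: a fixed-size stack buffer for the reply, a heap buffer allocated when a reply is larger than that, and pointer/size bookkeeping that gets out of step so the larger size is applied to the stack buffer. The 2048-byte answer buffer and the parallel A and AAAA lookups follow the public description of the flaw; the two-slot structure, the function names and everything else in the block are assumptions made for the example. The vulnerable and fixed variants are selected by the `buggy` flag, and the model reports how far a write would overrun instead of performing it, so it is safe to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 2048-byte caller-side answer buffer and the parallel A/AAAA query
   path come from the public description of the flaw; MAX_ANSWER is an
   assumed cap for the grown heap buffer (example code, not glibc's). */
#define STACK_ANSWER 2048
#define MAX_ANSWER   65536

/* One answer slot: where a reply is written and how many bytes the code
   believes fit there. Two slots stand for the A and AAAA replies that are
   requested in parallel. The bug class is `ptr` and `size` drifting apart. */
struct answer {
    unsigned char *ptr;
    size_t size;
    int on_heap;
};

/* Grow slot `which` when a reply of `need` bytes does not fit.
   With `buggy` set, the new size is recorded on slot 0 no matter which
   slot was actually moved to the heap (an illustrative model of the
   pointer/size mismatch). The fixed variant updates both fields of the
   same slot. Returns -1 on allocation failure. */
static int grow_slot(struct answer s[2], int which, size_t need, int buggy)
{
    if (need <= s[which].size)
        return 0;                         /* the code believes it fits */
    unsigned char *p = malloc(MAX_ANSWER);
    if (p == NULL)
        return -1;
    s[which].ptr = p;
    s[which].on_heap = 1;
    if (buggy)
        s[0].size = MAX_ANSWER;           /* BUG: size of the wrong slot */
    else
        s[which].size = MAX_ANSWER;       /* FIX: same slot as the pointer */
    return 0;
}

/* Store a reply in a slot, bounded by the slot's *recorded* size, as a
   recv() call bounded by that size would be. Returns how many bytes would
   be written past the slot's real capacity (0 = in bounds); the copy is
   only performed when it is safe, so the model never corrupts memory. */
static size_t deliver(struct answer *s, const unsigned char *reply, size_t len)
{
    size_t real_cap = s->on_heap ? MAX_ANSWER : STACK_ANSWER;
    size_t n = len < s->size ? len : s->size;
    if (n > real_cap)
        return n - real_cap;
    memcpy(s->ptr, reply, n);
    return 0;
}

/* Scenario: a small A reply lands in slot 0, an AAAA reply of `aaaa_len`
   bytes arrives for slot 1 (grown if oversized), then a further reply of
   `second_len` bytes arrives for slot 0. Returns the number of bytes that
   would overrun slot 0's stack buffer. */
size_t resolve_scenario(size_t aaaa_len, size_t second_len, int buggy)
{
    unsigned char stack_a[STACK_ANSWER], stack_aaaa[STACK_ANSWER];
    struct answer s[2] = {
        { stack_a,    STACK_ANSWER, 0 },
        { stack_aaaa, STACK_ANSWER, 0 },
    };
    /* Constructed stand-in for attacker-chosen reply bytes. */
    unsigned char *reply = malloc(MAX_ANSWER);
    if (reply == NULL)
        return (size_t)-1;
    memset(reply, 0x41, MAX_ANSWER);

    size_t over = 0;
    over += deliver(&s[0], reply, 512);              /* A reply: fits */
    if (grow_slot(s, 1, aaaa_len, buggy) == 0)
        over += deliver(&s[1], reply, aaaa_len);     /* AAAA reply */
    if (grow_slot(s, 0, second_len, buggy) == 0)
        over += deliver(&s[0], reply, second_len);   /* second A reply */

    for (int i = 0; i < 2; i++)
        if (s[i].on_heap)
            free(s[i].ptr);
    free(reply);
    return over;
}

int main(void)
{
    printf("buggy bookkeeping, 3000-byte replies: %zu bytes past the stack buffer\n",
           resolve_scenario(3000, 3000, 1));
    printf("fixed bookkeeping, 3000-byte replies: %zu bytes past the stack buffer\n",
           resolve_scenario(3000, 3000, 0));
    return 0;
}
```

Run as-is, the program reports a 952-byte overrun (3000 minus 2048) under the buggy bookkeeping and none under the fixed bookkeeping. The point to take from it is that the dangerous combination is an oversized reply to one of the two queries followed by a further oversized reply for the other, which is exactly what a nameserver the attacker controls or impersonates can produce; a reply that stays within the fixed buffer never triggers the overrun. The fix is the one-line change of recording the new size on the same slot whose pointer moved, and a resolver or firewall that refuses to pass replies larger than the fixed buffer to the application denies the attacker the oversized reply the bug depends on.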

glibc 2.9 and every later release up to the fix are vulnerable. Anyone running Linux-based software or hardware that performs domain-name lookups should install the patched library as soon as possible. Two caveats apply: distributions backport the fix to older release numbers, so check the package changelog for the fix rather than trusting the version number alone; and a library update only protects processes started after it, so restart long-running services (or reboot) once the new glibc is installed. Statically linked binaries and embedded firmware carry their own copy of glibc and must be rebuilt and reflashed by their vendors.

"It's a big deal," Washington, DC-based security researcher Kenn White told Ars, referring to the vulnerability. "This is a core bedrock function across Linux. Things that do domain name lookup have a real vulnerability if the attacker can answer."

One Linux-based platform that is not vulnerable is Google's Android mobile operating system, which uses a glibc substitute known as Bionic.

"This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams' knowledge into a comprehensive patch and regression test to protect glibc users," wrote the Google researchers, who found that engineers at Red Hat were independently investigating the same bug.
