Google and Red Hat Found a Dangerous, Widespread Bug
Engineers at Google and Red Hat independently found an egregious bug in very widely-distributed computer code library known as “glibc”.
The bug, which dates back to 2008, affects hundreds of thousands of devices and programs that use software derived from the GNU free-software project. The products, which range from servers to routers to Internet-of-things devices, are vulnerable when they try to use a certain function to translate web addresses into their underlying, numerical IP addresses.
If an attacker controls the web server or domain name the victim is trying to communicate with, or if someone is intercepting the communications between the victim’s device and the server or domain name, it’s possible to make the victim’s computer crash -- or, with some effort, to even insert malicious code in that machine.
Computers running Windows or Mac OS X or iOS or Android should not be affected.
Google explained in a blog post that one of its engineers had discovered the bug when she found a problem with software she was using for remotely controlling a computer. It turned out that two Red Hat employees were also examining the bug’s impact.
Google released a piece of code that proves the vulnerability can crash a victim’s computer. It said it has also developed a proof-of-concept for remotely running code on the victim’s machine, but it’s not releasing that publicly, for obvious reasons.
There is now a patch for the bug, and server administrators should definitely be installing that right away. People using Linux versions such as Canonical’s Ubuntu should be moving quickly to protect themselves.
Given the severity of the bug, there are now at least two points worth considering.
Firstly, as Google Chrome security engineer Chris Palmer pointed out, the episode highlights the fact that free-software projects don’t always fix their bugs in a timely manner -- it turned out someone first raised this bug last July.
Next time someone claims that the abusive culture of GNU/Linux keeps the engineering bar high, #glibc is your answer.— Chris Palmer (@fugueish) February 17, 2016
Secondly, we can probably expect to see servers and such get patched quickly, but devices with embedded software -- routers and Internet-of-things devices, for example -- don’t typically get updated very often, if at all. Internet-of-things manufacturers in particular have a legendarily lax attitude to security.
If a computer doesn’t have a screen attached to it, people tend to forget that it’s a computer and needs regular care and attention. In cases like this, that’s a problem.