Warning! Linux is being haunted by a G-G-G-GHOST vulnerability -- are you at risk?
Recently, I declared that the Linux Desktop was dead, something that I stand by. However, Linux still dominates in the mobile device and server categories. And yes, a relatively minuscule number of people -- including myself -- will still continue to use Linux on the desktop. Why? People trust Linux-based operating systems to be safe and secure.
Because of Linux's popularity for servers and smartphones, it is imperative that it remains safe, and free from malware and vulnerabilities. Sadly, we learn today that Linux is being haunted by a g-g-g-ghost -- a ghost vulnerability, that is. Qualys explains that it is calling the vulnerability "GHOST" because "it can be triggered by the GetHOST functions". In other words, Linux isn't as safe as we thought.
"The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. And as a result of that we are releasing this advisory today as a co-ordinated effort, and patches for all distributions are available January 27, 2015", says Qualys.
The company further explains "the first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 and 7, Ubuntu 12.04, for example".
So what does this mean? The vulnerability was fixed in most newer versions of Linux distributions. However, it remains a threat to users of stable and older Long Term Support (LTS) releases where the bug remains. With Linux, the old adage of "if it's not broke, don't fix it" generally applies, especially for businesses. With that said, even though Ubuntu is up to version 14.10, version 12.04 is supported until April of 2017 -- many users are likely still on this older release. Hell, Intel just recently released a new product running 12.04.
It is quite maddening to think this vulnerability has existed for over 14 years. Even crazier is that it was fixed in 2013, but not properly categorized as a security issue, leaving it to haunt some distributions. I am sad to say this, but it looks like the fragmentation of Linux developers and a lack of leadership can be blamed for this most recent calamity. The Linux community needs to organize and get focused.
If you are using an affected distro, don't panic. Simply update your system, as patches should be available now.
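As an added example (not from the article or from Qualys), here is a small POSIX shell check that reads the local glibc version and places it against the upstream range quoted above: first vulnerable release glibc-2.2, fix landed between 2.17 and 2.18. The function names are mine, and it assumes GNU `ldd --version` output. Because stable distributions backport fixes without bumping the version number, "in-range" means "check your vendor's package changelog or security advisory", not "vulnerable".

```shell
#!/bin/sh
# Added example, not code from the article or from Qualys.
# Classifies a glibc version against the GHOST (CVE-2015-0235) upstream range:
# affected from glibc-2.2, fixed upstream before glibc-2.18.
# Caveat: distro packages such as RHEL 6 (2.12) or Debian 7 (2.13) may carry a
# backported fix, so "in-range" is a prompt to verify with the package tooling.

# Print the running glibc version, e.g. "2.17". Assumes the first line of
# `ldd --version` ends with the version, as GNU ldd prints it.
glibc_version() {
    ldd --version 2>/dev/null | head -n 1 | sed 's/.* \([0-9][0-9.]*\)$/\1/'
}

# Classify a "major.minor[.patch]" glibc version string.
# Prints "pre-2.2", "in-range" or "fixed"; returns 1 on unparseable input.
ghost_range_check() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; }; then
        echo fixed
    elif [ "$major" -lt 2 ] || [ "$minor" -lt 2 ]; then
        echo pre-2.2
    else
        echo in-range
    fi
}

# Stand-alone use: report the local glibc and where it sits in the range.
v=$(glibc_version)
echo "glibc ${v:-unknown}: $(ghost_range_check "$v" || echo unparseable)"
```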
Does this make you trust Linux less? Tell me in the comments.