Uncategorized

Yet Another Major Open Source Program Flaw Discovered – After 8 Years

February 26, 2016 mitch tanenbaum Leave a comment

Some people are big advocates of open source because, they say, since people can look at the source, bugs are found more quickly.

I am not a big supporter of that theory even though I am a supporter of open source because just because people CAN look at the source, doesn’t mean that they will and just because they DO look at it, doesn’t mean they will find the bugs.

On a side note, OpenSSL, the super popular open source SSL software package used in many apps and on many web sites will be releasing patches on March 1st for multiple vulnerabilities.

Google announced this week another major open source software package vulnerability. The package, GLibc, provides basic functionality for C Language software developers. While not used by every C developer, it is an extremely popular library – likely used in tens of thousands of applications.

Going back to the open source conversation, this bug was introduced in 2008 – 8 years ago. And, it was only discovered by accident when a Google developer kept crashing his system. After some work, the Google team discovered that it was caused by a bug in Glibc.

And the bug is pretty serious. It allows a hacker to intercept a DNS request and respond with a specially crafted response which allows the attacker to take over the computer by inserting an arbitrary program up to 64,000 bytes and then running it.

The problem with these two bugs – and the fact that they are open source doesn’t really impact this issue – is that developers who use this package need to release an update and every single user needs to install that update.

In fact, these two open source packages are ATYPICAL because they both have teams that support them. Many open source software packages don’t have formal support teams.

For major developers, such as many Linux distributions, there are likely patches already in the works and users will likely install them.

The problem comes with smaller software packages and dedicated hardware devices that use it – companies that may no longer be supporting that version of the software or hardware or even companies that have gone out of business.

Since Glibc is a large library, many Internet Of Things developers don’t use that library. For us, that is a good thing.

But as an end user, we likely have no clue which software packages on our devices use the affected library. Since the bug has been around for 8 years, any software product that uses the library, likely uses the infected version.

The OpenSSL announcement – minus details as is their standard policy – can be found here.

Information on the Glibc bug can be found in Ars Technica, here.