A new security hole has been discovered in Linux that allows anyone to remotely take control of a system without knowing the username and password. The discovery was made by Qualys, a cloud security company. The hole impacts any Linux system built with glibc-2.2 released on November 10, 2000. The vulnerability, called GHOST (CVE-2015-0235), is triggered by the gethostbyname function. Actually there was a patch released back on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18. However it was not considered to be a security risk and thus major Linux distributions that offer long term support and get security updates remained vulnerable, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04. This time around, Qualys worked closely with the Linux distribution vendors and the patch is already available, I just patched my servers. So if you are running any Linux based servers and systems update them immediately. That’s the strength of open source, where in most cases the patches are released even before the discovery of a hole spreads across the websphere. Last year we witnessed Heartbleed and Shellshock and the patches were released immediately, securing Linux powered machines. Open Source patches faster than closed source I noticed something really interesting in the way open source and closed source companies deal with such security risks. There have been several instances when Microsoft didn’t release any patch for their products even after the vulnerability was made public. Recently, Google disclosed a security hole in Windows after giving Microsoft over three months to patch it. It’s still not patched and instead of fixing it Microsoft created a stink that Google disclosed the hole before it got patched. Compare this to the case of Shellshock, which affected UNIX and UNIX-like systems. Almost all major Linux distributions released the patch within a day or two of the discovery; Apple was the last one to push the patch. What’s even more interesting to know is that the US government seemingly tries to exploit such security holes instead of patching them immediately. According to media reports, the NSA was allegedly aware of the Heartbleed bug for years, but instead of closing it they exploited it. I wonder: Why would a company like Microsoft take more than three months to patch a hole? Conspiracy theorists would say that patching delays gives security agencies time to exploit the holes. Bloomberg reported that Microsoft and other companies do work closely with NSA and other Federal agencies and give them early access to information about such bugs and security holes. It looks like businesses are safer in the hands of open source where vendors’ primary concern is users and not some spying agencies. Related content opinion These are the most exciting Linux powered devices Did you know that Tesla cars ran on Linux?rn By Swapnil Bhartiya May 22, 2017 4 mins Linux Open Source opinion How Rackspace flew through turbulence in the private cloud Bryan Thompson, General Manager, OpenStack Private Cloud at Rackspace, talked about the second generation of cloud and some turbulence that OpenStack recently experienced.rn By Swapnil Bhartiya May 22, 2017 4 mins Open Source Cloud Computing Data Center opinion How Dell’s Project Sputnik came to life I met and talked to Barton George, the projectu2019s initiator and leader, to understand the backstory. By Swapnil Bhartiya May 22, 2017 10 mins Linux Open Source Computers and Peripherals opinion Elementary OS is trying to create a business model for open source app developers There is no dearth of Linux based operating systems, you will find dime a dozen. However there are only a few major ones that matter and elementary OS is among them. rn By Swapnil Bhartiya May 20, 2017 4 mins Linux Open Source Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe