by Swapnil Bhartiya

Linux hit by critical security hole

Jan 27, 20153 mins
LinuxOpen SourceSecurity

A new security hole has been discovered in Linux that allows anyone to remotely take control of a system without knowing the username and password.

The discovery was made by Qualys, a cloud security company. The hole impacts any Linux system built with glibc-2.2 released on November 10, 2000. The vulnerability, called GHOST (CVE-2015-0235), is triggered by the gethostbyname function.

Actually there was a patch released back on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18. However it was not considered to be a security risk and thus major Linux distributions that offer long term support and get security updates remained vulnerable, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.

This time around, Qualys worked closely with the Linux distribution vendors and the patch is already available, I just patched my servers. So if you are running any Linux based servers and systems update them immediately.

That’s the strength of open source, where in most cases the patches are released even before the discovery of a hole spreads across the websphere. Last year we witnessed Heartbleed and Shellshock and the patches were released immediately, securing Linux powered machines.

Open Source patches faster than closed source

I noticed something really interesting in the way open source and closed source companies deal with such security risks. There have been several instances when Microsoft didn’t release any patch for their products even after the vulnerability was made public.

Recently, Google disclosed a security hole in Windows after giving Microsoft over three months to patch it. It’s still not patched and instead of fixing it Microsoft created a stink that Google disclosed the hole before it got patched.

Compare this to the case of Shellshock, which affected UNIX and UNIX-like systems. Almost all major Linux distributions released the patch within a day or two of the discovery; Apple was the last one to push the patch.

What’s even more interesting to know is that the US government seemingly tries to exploit such security holes instead of patching them immediately. According to media reports, the NSA was allegedly aware of the Heartbleed bug for years, but instead of closing it they exploited it.

I wonder: Why would a company like Microsoft take more than three months to patch a hole? Conspiracy theorists would say that patching delays gives security agencies time to exploit the holes. Bloomberg reported that Microsoft and other companies do work closely with NSA and other Federal agencies and give them early access to information about such bugs and security holes.

It looks like businesses are safer in the hands of open source where vendors’ primary concern is users and not some spying agencies.