Linux makers release patch for new cyber threat
BOSTON, January 28, 2015
Red Hat and other makers of the widely used Linux operating system for business computers updated their software on Tuesday to thwart a serious new cyber threat they warned could allow hackers to gain remote control of their systems.
The previously undisclosed vulnerability, dubbed "Ghost," is deemed critical because attackers could exploit it to covertly gain complete control of a targeted Linux system, according to cyber security firm Qualys, which uncovered the bug.
To highlight the severity of the risk, researchers identified a way to craft malicious emails that could automatically compromise a vulnerable server without the email even being opened, said Amol Sarwate, director of engineering with Qualys.
The firm has not released that code and has yet to develop other methods for attacking other types of Linux systems, including servers that run websites.
Sarwate knows of no cases in which hackers exploited the Ghost vulnerability to date, but suspects that motivated hackers could figure out how now that the bug has been disclosed.
"We were able to do it. We think somebody with good security knowledge would also be able to do it," he said.
The vulnerability is caused by a security flaw in the open-source Linux GNU C Library, which is used by Red Hat and other Linux software makers, according to Qualys.
It is called GHOST because it can be triggered by what are known as gethostbyname functions.
Qualys uncovered the bug following discoveries last year of high-profile vulnerabilities, including Heartbleed and Shellshock, which were caused by security flaws in other kinds of widely used open-source software.
"It won't be as widespread as those flaws, but it is widespread enough that IT operations at many companies are scrambling to patch," said Chris Wysopal, chief technology officer of security software firm Veracode.
Red Hat, the No. 1 provider of Linux software to businesses, recommends that customers update their systems "as soon as possible to mitigate any potential risk," said company spokeswoman Stephanie Wonderlick.
Other vulnerable software includes some of the Debian, CentOS and Ubuntu versions of Linux, according to Qualys. – Reuters