Security researchers at Google and Red Hat have both discovered a serious vulnerability with glibc.
Glibc is an open source library of code that is widely used in internet-connected devices, and the discovery comes after another flaw was discovered last month by Qualys.
The Glibc flaw is potentially very serious, as it could allow for remote code execution, blogged Google researchers.
The flaw could compromise apps, devices and other Internet-connected services.
“Our initial investigations showed that the issue affected all the versions of glibc since 2.9,” said Google. “You should definitely update if you are on an older version though.”
A patch is available here.
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used,” said Google. “Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”
“Many people are running around right now trying to work out if this is truly catastrophic or whether we have dodged a bullet,” said Prof Alan Woodward, a security expect from the University of Surrey told the BBC.
He said that the routers and anything considered part of the ‘Internet of Things‘ could be affected.
Another security expert meanwhile has warned that rapid action is required, and system administrators need to rollout the patches immediately.
“Organisations will need to move fast on this one – since it looks as though a large number of connected devices are at risk,” said Ross Brewer, VP and MD of international markets at security specialists LogRhythm.
“While the flaw may not yet have been exploited, it’s only a matter of time, now that this has been brought to everyone’s attention,” said Brewer. “Unless the new patch is installed quickly, hackers are going to have a field day accessing confidential information via computers, mobile phones or internet routers.
And Brewer pointed out that this flaw has been around for a number of years now.
“What’s worrying is that the bug has been around since 2008 and was identified last year, but overlooked as a low priority,” said Brewer. “In all honestly, it’s baffling that nothing was done about it sooner.”
“Hot on the heels of the Logjam and Shellshock bugs, businesses must use this as another wake-up call to make sure they have more than just the basic lines of defence in place,” he said. “Mobile and internet-connected devices are now an essential part of business life, but there’s no doubt that they have opened up new ways for hackers to get their hands on company data.”
Last month Qualys discovered a critical vulnerability in the Linux OS. That flaw could allow attackers to remotely take control of an entire system without having any prior knowledge of system credentials.
The vulnerability was in the Linux GNU C Library (glibc) and is known as GHOST (CVE-2015-0235), because it can be triggered by the gethostbyname functions. It impacts many systems built on Linux starting with glibc-2.2 released on November 10, 2000.
How much do you know about Linux? Take our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
Interesting, but what's the BLIBC flaw mentioned in the title?
Ooops. Corrected to Glibc. Many thanks for pointing this out. Must have been a long day.