Google and Red Hat Found a Dangerous, Widespread BugThe bug, which dates back to 2008, affects hundreds of thousands of devices and programs that use software derived from the GNU free-software project.
ByDavid Meyer•
This story originally appeared onFortune Magazine
Engineers at Google and Red Hat independently found an egregious bug in very widely-distributed computer code library known as "glibc".
The bug, which dates back to 2008, affects hundreds of thousands of devices and programs that use software derived from the GNU free-software project. The products, which range from servers to routers to Internet-of-things devices, are vulnerable when they try to use a certain function to translate web addresses into their underlying, numerical IP addresses.
If an attacker controls the web server or domain name the victim is trying to communicate with, or if someone is intercepting the communications between the victim's device and the server or domain name, it's possible to make the victim's computer crash -- or, with some effort, to even insert malicious code in that machine.
Computers running Windows or Mac OS X or iOS or Android should not be affected.
Googleexplained in ablog postthat one of its engineers had discovered the bug when she found a problem with software she was using for remotely controlling a computer. It turned out that two Red Hat employees were also examining the bug's impact.
Google released a piece of code that proves the vulnerability can crash a victim's computer. It said it has also developed a proof-of-concept for remotely running code on the victim's machine, but it's not releasing that publicly, for obvious reasons.
There is now apatchfor the bug, and server administrators should definitely be installing that right away. People using Linux versions such asCanonical's Ubuntushould be moving quickly to protect themselves.
Given the severity of the bug, there are now at least two points worth considering.
首先,谷歌Chrome浏览器安全工程师克里斯Palmer pointed out, the episode highlights the fact that free-software projects don't always fix their bugs in a timely manner -- it turned out someone first raised this bug last July.
Next time someone claims that the abusive culture of GNU/Linux keeps the engineering bar high,#glibcis your answer.
— Chris Palmer (@fugueish)February 17, 2016
Secondly, we can probably expect to see servers and such get patched quickly, but devices with embedded software -- routers and Internet-of-things devices, for example -- don't typically get updated very often, if at all. Internet-of-things manufacturers in particular have a legendarilylax attitude to security.
If a computer doesn't have a screen attached to it, people tend to forget that it's a computer and needs regular care and attention. In cases like this, that's a problem.