It isn’t every day that a newly found security vulnerability can claim to expose huge numbers of systems to attack, but 2015’s Heartbleed vulnerability opened the eyes of many in the security field to the fact that systems they have trusted for years may not be as secure as they once believed.
Researchers at Google disclosed today that, while trying to fix issues with a remote connection client, they found a flaw in the GNU C Library (known as ‘glibc’) that could potentially affect hundreds of thousands of devices worldwide. Glibc introduced a function to Linux-powered machines in November 2008 that is vulnerable to a stack-based buffer overflow attack. For those less familiar with security attacks, this is where an attacker exploits the way the code resizes the memory it uses to hold the data it is given. If an attacker delivers a longer-than-usual DNS (Domain Name System) packet to the program, the software creates a new, larger buffer (section of memory) to cope with the increased amount of data. When that switch between buffers is mishandled, the attacker’s data spills past the memory set aside for it, which in turn allows the attacker to fill the target machine with their own malicious code.
Glibc is built into such a colossal number of embedded systems, company servers and home machines that the sudden ability of an attacker to access and take control of any of them is a chilling prospect. For now, the advice is simple: when an update arrives, install it.
Some defences are possible, based on limiting the size of accepted packets, and some solace can be taken from the Google team’s decision not to make their own exploit public. But the game of cat and mouse is truly on, with attackers hoping to develop their own exploit from Google’s findings before the glibc developers can develop a patch.
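To make the mechanism concrete, here is an added illustration (written for this article, not glibc’s own code) of the buffer handling described above done safely: a resolver keeps a fixed stack buffer, moves a response to a larger heap block when it no longer fits, and bounds every write by the capacity of whichever buffer the data pointer currently refers to. It also applies the packet-size limit mentioned as a defence; the 65535-byte cap and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative buffer bookkeeping for a resolver receiving variable-length
 * DNS responses (example for this page; not glibc's implementation).
 * Safe property: each write is checked against the capacity of the buffer
 * that `data` points at right now, never against the size of the other one. */
#define MAX_RESPONSE_LEN 65535u  /* assumed policy cap on bytes accepted */

enum buf_kind { BUF_STACK = 1, BUF_HEAP = 2 };

struct response {
    uint8_t *data;      /* the caller's stack buffer or a heap block */
    size_t len, cap;    /* bytes stored, and capacity of *data */
    enum buf_kind kind; /* BUF_HEAP means data must be freed */
};

/* Start with the caller's fixed-size stack buffer. */
void response_init(struct response *r, uint8_t *stack_buf, size_t stack_cap) {
    r->data = stack_buf; r->len = 0; r->cap = stack_cap; r->kind = BUF_STACK;
}

/* Append n wire bytes, migrating to the heap if they do not fit.
 * Returns 0 on success, -1 if the packet is rejected or allocation fails. */
int response_append(struct response *r, const uint8_t *wire, size_t n) {
    if (n > MAX_RESPONSE_LEN || r->len > MAX_RESPONSE_LEN - n)
        return -1;                         /* oversized: drop it, never grow */
    if (r->len + n > r->cap) {             /* does not fit: move to the heap */
        size_t new_cap = r->len + n;
        uint8_t *heap = malloc(new_cap);
        if (heap == NULL) return -1;
        memcpy(heap, r->data, r->len);     /* bounded by what is stored */
        if (r->kind == BUF_HEAP) free(r->data);
        r->data = heap; r->cap = new_cap; r->kind = BUF_HEAP;
    }
    memcpy(r->data + r->len, wire, n);     /* r->len + n <= r->cap holds here */
    r->len += n;
    return 0;
}

/* Release the heap block if one was allocated; the stack buffer is the caller's. */
void response_free(struct response *r) {
    if (r->kind == BUF_HEAP) free(r->data);
    r->data = NULL; r->len = r->cap = 0;
}
```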
Aaron Pickett is a Digital Forensic Examiner at IT Group specialising in Information Security and Computer Forensics, following his graduation from a Forensic Computing degree at the University of Central Lancashire. Aaron holds accreditation from Bond Solon Expert Witness Training as well as Cellebrite UFED Mobile Phone Forensics, using both to help IT Group stay at the vanguard of the Legal and Forensic Computing sectors.