Reflare Weekly Security Briefing 2016-07 - Vulnerability in Linux & Apple vs. FBI
A major bug in Linux security was found this week that would allow a hacker to perform a number of critical attacks. Although it was introduced in 2008 in the GNU C Library, it was only just discovered this week.
The vulnerable function is getaddrinfo(), which is used to perform domain name lookups. It gives the attacker the ability to trigger a buffer overflow. Buffer overflows are often called “needle in the haystack” attacks, because they are difficult to find but also provide a higher level of malicious activity. With a buffer overflow attack, the hacker can remotely execute malicious code. This code, since it runs on the local server, can perform any number of malicious activities that might not be detected by the administrator.
The exploit spans several systems since Linux is used to power web servers, routers, and mobile devices. Administrators are urged to patch their systems as soon as possible. While an exploit is difficult to develop, the weakness nonetheless poses a significant security risk.
Furthermore, Apple is resisting an FBI request for a backdoor into their iOS operating system. The request was made after the terrorist attacks in San Bernardino when it was found that one of the shooters used an iPhone for images and communication. The clash is basically an attempt to back two different interests.
The FBI ultimately desires access to every iPhone and cites terrorism as its motivator. Apple claims the request harms privacy for its users. It is a bold move on Apple’s part, but it is also a good sales point for a company that is in the competitive mobile device market. Apple has always had the capability to provide backdoors, as does any third-party device manufacturer. Since Apple does not store keys that could be used to decrypt the device in recent versions of iOS, a customized version of iOS itself would be the only way into the phone.
The FBI is filing suit to have the courts decide. The concern is that if Apple is forced to provide decryption mechanisms to law enforcement, it may set a trend of government requests to break or backdoor other systems or even include government surveillance into any phone sold.
While this is a major news topic that will have major implications for the future of device security, the immediate impact for regular businesses is limited.