Critical Linux Flaw Threatens More Systems Than You Think
A newly discovered bug in open-source encryption software leaves Web traffic vulnerable to attack and affects more systems than you think.
A serious bug in the open-source GnuTLS library, used by many Linux variants, undermines the encryption that keeps Web traffic safe from snoops and attackers and is similar to the "goto fail" Apple bug discovered last month.
But wait. It's Linux — why should Windows and Mac users care? Because Linux exists in more places than the average computer user might realize, and the Linux distributions, or variants, affected by this security flaw are among the most widely used.
First of all, Red Hat Enterprise Linux is widely used on Internet servers, which host the Web pages you access from any computer.
Another affected distribution, Ubuntu Linux, is the most common version of Linux used on personal computers. Ubuntu is also the basis of other Linux distributions, including Linux Mint and SteamOS.
Android is Linux-based as well, but uses OpenSSL, a different SSL/TLS library (see below for an explanation) by default. Android owners should generally be safe from the GnuTLS bug, although it's possible that some individual apps may use GnuTLS.
The GnuTLS library can be used on Windows or on any Unix-like OS, which includes Linux and Mac OS X. Any piece of software that relies on GnuTLS to verify certificates is affected by the bug, whatever operating system it runs on.
Here's how the bug itself works: The GnuTLS library provides the code that lets a computer connect securely over the Internet using the SSL, TLS and DTLS protocols. These protocols encrypt your Web traffic while it is in transit so that snoops on the network can't read your personal information or modify the data packets in a man-in-the-middle attack, and they rely on certificates to prove that the server you reached is the one you meant to reach.
The GnuTLS library has several errors in its certificate-verification code that let an attacker get a forged SSL/TLS certificate (an X.509 certificate) accepted as genuine. Once a forged certificate is accepted, an attacker sitting between a targeted computer and the site it is talking to can pose as that site, read the traffic that was supposed to be encrypted and alter it on the way through. Even worse, the flawed code may have been in GnuTLS since 2005.
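The GnuTLS errors belong to a simple class of mistake: a verification routine that is supposed to answer 0 (no) or 1 (yes) also hands back negative error codes on some of its exit paths, and the caller tests only whether the answer is zero. In C, -1 is just as "true" as 1, so a certificate that makes the routine fail with an error is waved through as verified. The program below is an added illustration of that pattern written for this page; it is not GnuTLS source, and the toy certificate structure, field names, error code and the "Evil CA" / "Good CA" chains are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy "certificate" with only the fields the check needs.
   These are illustration structures, not GnuTLS types. */
struct toy_cert {
    const char *subject;
    const char *issuer;
    int has_basic_constraints;  /* 0 = extension absent */
    int is_ca;                  /* CA flag, meaningful only if the extension is present */
    int signature_ok;           /* 1 if the issuer's signature over this cert verifies */
};

/* Library-style error code: negative, so it never collides with 0/1. */
#define E_NO_BASIC_CONSTRAINTS (-1)

/* Helper: 1 = CA flag set, 0 = clear, negative = extension missing. */
static int get_ca_flag(const struct toy_cert *c)
{
    if (!c->has_basic_constraints)
        return E_NO_BASIC_CONSTRAINTS;
    return c->is_ca ? 1 : 0;
}

/* VULNERABLE PATTERN: documented to return 1 (issuer trusted) or 0 (not),
   but the error exit hands the helper's negative code back unchanged. */
static int check_issuer_vuln(const struct toy_cert *leaf, const struct toy_cert *issuer)
{
    int result;

    result = get_ca_flag(issuer);
    if (result < 0)
        goto cleanup;        /* BUG: returns -1, which a caller testing "!= 0" reads as success */
    if (result == 0)
        goto cleanup;        /* issuer is not a CA: correct, returns 0 */
    if (strcmp(leaf->issuer, issuer->subject) != 0) {
        result = 0;
        goto cleanup;
    }
    result = leaf->signature_ok ? 1 : 0;

cleanup:
    return result;
}

/* FIXED PATTERN: a yes/no function starts at "no" and every exit yields exactly 0 or 1. */
static int check_issuer_fixed(const struct toy_cert *leaf, const struct toy_cert *issuer)
{
    int result = 0;          /* default: not trusted */
    int ca = get_ca_flag(issuer);

    if (ca < 0)
        goto cleanup;        /* malformed issuer is rejected, not leaked as an error code */
    if (ca == 0)
        goto cleanup;
    if (strcmp(leaf->issuer, issuer->subject) != 0)
        goto cleanup;
    result = leaf->signature_ok ? 1 : 0;

cleanup:
    return result;
}

/* The caller's idiom that the bug turns against it: anything non-zero is "verified". */
static int accept_chain(int (*check)(const struct toy_cert *, const struct toy_cert *),
                        const struct toy_cert *leaf, const struct toy_cert *issuer)
{
    return check(leaf, issuer) == 0 ? 0 : 1;
}

/* Constructed scenario: an attacker-made "issuer" with no basic-constraints
   extension, and a leaf for a real hostname whose signature does not verify. */
static const struct toy_cert bogus_issuer = { "Evil CA", "Evil CA", 0, 0, 1 };
static const struct toy_cert forged_leaf  = { "www.example.com", "Evil CA", 1, 0, 0 };

/* Constructed legitimate chain, to show the fix does not break valid certificates. */
static const struct toy_cert good_issuer  = { "Good CA", "Good CA", 1, 1, 1 };
static const struct toy_cert good_leaf    = { "www.example.com", "Good CA", 1, 0, 1 };

int vulnerable_accepts_forgery(void) { return accept_chain(check_issuer_vuln, &forged_leaf, &bogus_issuer); }
int fixed_accepts_forgery(void)      { return accept_chain(check_issuer_fixed, &forged_leaf, &bogus_issuer); }
int fixed_accepts_valid(void)        { return accept_chain(check_issuer_fixed, &good_leaf, &good_issuer); }

int main(void)
{
    printf("vulnerable code, forged chain: %s\n", vulnerable_accepts_forgery() ? "ACCEPTED" : "rejected");
    printf("fixed code, forged chain:      %s\n", fixed_accepts_forgery() ? "ACCEPTED" : "rejected");
    printf("fixed code, valid chain:       %s\n", fixed_accepts_valid() ? "accepted" : "REJECTED");
    return 0;
}
```

The forged chain never reaches the signature check in the vulnerable version: the missing extension makes the helper return -1, the early `goto cleanup` returns that -1 to a caller that only asks "is it zero?", and the chain is accepted. The fixed version makes the same mistake impossible by initialising the result to 0 and never storing an error code in a variable that is returned as a boolean, which is the review rule worth applying to any function whose callers write `if (!verify(...))`.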
The nature of this bug is similar to the equally critical "goto fail" bug discovered and patched in Apple's Mac OS X, iOS and Apple TV operating systems late in February.
In both cases, the errors undermined SSL/TLS encryption, leaving victims unprotected. Both bugs also appear to result from simple human error on the part of software coders.
In the GnuTLS case, however, the fact that the bug existed for so long is surprising, since anyone can review open-source code. (No outside eyes noticed the bug in Apple's open-source Secure Transport SSL/TLS library either.)
Fortunately, a fix already exists: GnuTLS 3.2.12, with distributions shipping patched builds of the older branches they carry. Ubuntu and Linux Mint users will get it through their regular update notifications; Red Hat has published updated packages through its normal update channels, so Red Hat Enterprise Linux administrators need only apply the pending updates. Whatever the system, the check worth making is whether the installed gnutls packages are at or above the fixed version, and any long-running program linked against the old library stays exposed until it is restarted against the new one.
Email jscharr@techmedianetwork.com or follow her @JillScharr.
Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.
Rhinofart: Really? No comments saying "Linux sucks"? If this was any other OS, the fanbois would be all over it. Just goes to show NO OS is infallible.

b23h: Yea, the ever-present Linux fanboys are deathly silent. I guess that excellent open-source code wasn't quite so excellent.

TFrog: You'll note that this critical flaw was fixed the very same day. You Microsloth fanboys WON'T get that kind of speed from Microsloth to fix a critical error. Linux remains one of, if not the, BEST OS bar none. And it's free, unlike Microsloth Winbloze.

irish_adam (quoting Rhinofart):
> Really? No comments saying "Linux sucks"? If this was any other OS, the fanbois would be all over it. Just goes to show NO OS is infallible.
No internet-enabled device is 100% secure and it never will be. All you can hope for is that once these flaws are found they are fixed ASAP. I will note, though, for the money you pay for Apple products and Windows you would assume that they would fix their problems faster than Linux, which is free.

b23h (quoting TFrog):
> You'll note that this critical flaw was fixed the very same day. You Microsloth fanboys WON'T get that kind of speed from Microsloth to fix a critical error. Linux remains one of, if not the, BEST OS bar none. And it's free, unlike Microsloth Winbloze.
Ah, you mean nine years later. I thought one of the supposed strong points of open source software was that bugs would be noticed and fixed earlier.

antilycus: There is still a REALLY evil MS bug that wipes out all users' redirected folders in Active Directory that has existed since Windows Server 2003 and is still there in Windows Server 2012. Microsoft's answer is "change a setting before it happens", and the setting is not set by default (and is very difficult to find). We know of companies that have lost millions because of this bug.

Harry Callahan: This article leaves out several important details. Full disclosure, I'm a Linux fanboy, I guess; I started using Linux eighteen years ago and all my computers run Linux.

The main point to understand is that only a small minority of Linux software uses GnuTLS. No web browsers on Linux use GnuTLS for certificate validation. (Google Chrome does use GnuTLS, but not for certificate validation; it uses NSS for certificate validation.) No web servers or other servers on Linux use GnuTLS. On my system (a fairly complete and functional Linux install), the only user programs using GnuTLS are lftp (a command-line ftp client), TigerVNC (VNC client/server), Wireshark (ethernet sniffer), CUPS (printer drivers), and libvirt (virtualization support). If I were still using mutt (terminal-based email client), that would have been affected. The vast majority of programs use openssl or NSS for TLS support.

The bug was published on Feb. 25 by the GnuTLS author, patched on Feb. 26, and included in official GnuTLS releases on March 3. https://bugzilla.redhat.com/show_bug.cgi?id=1069865

I am confused why Jill would state that Red Hat Enterprise needs to be manually patched. This is completely untrue. Red Hat Enterprise installations receive automatic software updates just like Ubuntu and Mint. In fact, updates for Red Hat are already published on the update servers; Ubuntu and Mint (as of this writing) have not published their updates yet.

mamasan2000 (quoting the article):
> "Both bugs also appear to result from simple human error on the part of software coders."
As opposed to monkeys? Who else codes programs?

rokit: That was a critical flaw? It was fixed in 1 day! Jeez, you MS/Apple fanboys are slow. Try harder.

itsnotmeitsyou (quoting mamasan2000):
> "Both bugs also appear to result from simple human error on the part of software coders." As opposed to monkeys? Who else codes programs?
NSA monkeys. I know they said it was error, but I wouldn't be surprised if the NSA has been cashing in on this one for some time.