Glibc Bug Could Affect Thousands of Connected Devices and Apps
- Wednesday, February 17th, 2016
Engineers at Google have uncovered a security flaw which experts say could affect hundreds of thousands of devices, apps and online services.
The vulnerability was found in glibc, an open source code library that’s widely used in connected devices. One of the principal ways in which hackers could exploit the flaw is in the domain look-up process, when a website URL, say Google.com, is converted into a numeric IP address. The glibc domain look-up code houses a bug that could allow hackers to plant malicious code in the device’s memory during the domain look-up process and so take control of the device.
Google’s engineers stumbled across the flaw during a routine debugging exercise, as they explain in a blog post. They initially thought the problem lay in their SSH client – a software program which uses the secure shell protocol to connect to a remote computer. On further investigation, however, they discovered the problem lay within the glibc code.
Google and security firm Red Hat have issued a patch to fix the problem. Android phones, OSX and Windows devices are not affected, but the issue could affect smaller connected devices running on the Linux OS, including routers and Internet of Things-type devices. The issue also affects a multitude of common programming languages, including PHP and Python, and experts say that some apps that were compiled with a vulnerable version of glibc will need to be recompiled with an updated version of the library.
While Google has said it would be very hard for hackers to exploit the vulnerability, the fact that its own engineers have worked out how to do so should be enough to convince device manufacturers and developers to issue the patch to affected devices and services.