Glibc: An online superbug that could affect thousands, or not

17 Feb 2016

Confusion and panic reign over the discovery of a new, potentially catastrophic vulnerability in Glibc, but no one is really sure if it is as apocalyptic as some experts believe.

The flaw was discovered by a Google engineer who was in the process of debugging some of the company’s software, only to find a rather scary oversight that could potentially leave thousands of devices globally open to attack.

According to Google’s blog post on the issue, the engineer had filed a ticket on the programming error, only for it to emerge that, if exploited, it could allow someone to achieve remote code execution and access anything from your phone to an internet router.

Implications for future IoT security

What drove much of the worry was that this was not some small piece of code with limited scope for damage, but one that is commonly used in many devices, particularly those running software written in languages such as Python and PHP, but others, too.

In terms of what could be affected, the BBC says that many of the phones we carry with Android are unaffected by the vulnerability, as well as the desktop operating systems of Windows and OS X, but many of the other small internet of things (IoT) devices out there could still be vulnerable.

Patch now available

As is always the case with these issues, however, Google says that following its discovery it partnered with the security engineers over at Red Hat to patch the issue, and the fix is now being released on the developer’s blog for programmers to implement in their software.

Speaking of what this means for users, security researcher Kenneth White says it’s more of a wake-up call than anything else for the industry.

“It’s not a sky-is-falling scenario,” he said. “But it’s true there’s a very real prospect that a sizeable portion of internet-facing services are at risk for hackers to crash, or worse, run remote code to attack others.”

Revealing the process of patching the vulnerability, Google admits that both its team and Red Hat had discovered it independently and worked quickly on a fix, but the original maintainers responsible for the bug were shown to have been made aware of it back in July 2015, and had deemed it ‘low priority’.


Colm Gorey was a senior journalist with Silicon Republic
