Overlooked Linux Bug Puts ‘Tens Of Millions’ Of Computers And Phones At Risk


A bug that’s been present in Linux for almost three years can be used by hackers to gain almost total control over a device, say security researchers. It could affect tens of millions of PCs and servers, as well as 66 per cent of all Android phones and tablets.

Perception Point reports that the newly discovered bug, which is snappily known as CVE-2016-0728, sits in the operating system’s keyring, which is used to store things like security data, authentication keys and encryption keys so that they can’t be used by any old app. The team at Perception Point, however, has identified a bug — and built a proof-of-concept attack — that makes it possible to replace an item from the keyring that’s temporarily stored in memory with some code.

That code is then executed by the kernel — the crucial bit of an OS that translates input and output requests from software into actions that the CPU has to carry out. The code could be used to do all kinds of things — gaining root access to a server, gaining control of the entire OS on an Android phone, or even attacking hardware that runs an embedded version of Linux, like a router.

The bug affects the Linux kernel from version 3.8, which was released in early 2013, onwards, so it also affects any Android device running KitKat or later. Perception Point notes that it has not observed “any exploit targeting this vulnerability in the wild,” but it does “recommend that security teams examine potentially affected devices and implement patches as soon as possible.”

Ars Technica notes that major Linux distributions are expected to receive a fix this week, but it may take far longer for your Android handset to get an update. As ever, be vigilant.

Canonical has already rolled out an update for Ubuntu OSes.

[Perception Point via Ars Technica]

Image by Mike Holloway

