Google finds security flaw across the web
Thousands of devices have been left open to a security flaw that dates back to 2008, according to a BBC report.
Google’s own engineers have found a flaw in glibc, an open-source code library that features in the majority of internet-connected devices. Essentially, a hacker can implant code within the device’s memory, and simply clicking on a link could result in remote code execution that provides full control of a device and can allow hackers to steal information or even carry out a more complex theft.
An affected device can make queries to a malicious DNS server, which then floods the memory with code that takes over the system. Technically a Secure Shell could be infected this way, but the hacker would need to get around security mechanisms, including non-executable stack protection, to successfully carry out such an attack.
Experts have already moved to quell concerns. While it is significant that a flaw of this size has been around for the last eight years, it certainly doesn’t seem to have provided hackers with any kind of master key to the public’s systems. If anything, it looks like Google has discovered and fixed the problem before anybody even realised it could be used for nefarious purposes.
Computer security researcher Kenneth White told Ars Technica: “It’s not a sky-is-falling scenario. But it’s true there’s a very real prospect that a sizeable part of internet-facing services are at risk for hackers to crash, or worse, run remote code to attack others.”
The internet giant has released a patch that fixes the issue, and the biggest risk now is that cyber criminals have been alerted to this flaw in the system. It is important that everyone install the patch that Google has released, as there could be an opportunistic wave of attacks as cyber criminals realise the chance to take over systems with this kind of attack. Alternatively, a man-in-the-middle attacker could tamper with the DNS, giving the attacker the chance to monitor and manipulate data between the device and the internet.