Critical Linux Flaw Threatens More Systems Than You Think
A serious bug in the open-source GnuTLS library, used by many Linux variants, undermines the encryption that keeps Web traffic safe from snoops and attackers and is similar to the "goto fail" Apple bug discovered last month.
But wait. It's Linux — why should Windows and Mac users care? Because Linux exists in more places than the average computer user might realize, and the Linux distributions, or variants, affected by this security flaw are among the most widely used.
First of all, Red Hat Enterprise Linux is widely used by Internet servers, which host Web pages that you access from any computer.
Another affected distribution, Ubuntu Linux, is the most common version of Linux used on personal computers. Ubuntu is also the basis of other Linux distributions, including Linux Mint and SteamOS.
Android is Linux-based as well, but uses OpenSSL, a different SSL/TLS library (see below for an explanation) by default. Android owners should generally be safe from the GnuTLS bug, although it's possible that some individual apps may use GnuTLS.
The GnuTLS library can be used in Windows or in any Unix-like OS, which includes Linux and Mac OS X. Any piece of software that uses the GnuTLS library is affected by the bug.
Here's how the bug itself works: The gnuTLS library provides the code that lets the computer connect securely to the Internet via the SSL, TLS and DTLS protocols. These protocols encrypt your Web traffic data while it's in transit so that snoops on the network can't see your personal information, or modify the data packets in a man-in-the-middle attack.
The GnuTLS library has several errors that lets attackers force acceptance of a false SSL/TLS certificate (called an X.509 certificate), thus allowing attackers to decrypt Internet traffic on targeted computers. Even worse, this bug may have existed in the code since 2005.
The nature of this bug is similar to the equally critical "goto fail" bug discovered and patched in Apple's Mac OS X, iOS and Apple TV operating systems late in February.
In both cases, the errors undermined SSL/TLS encryption, leaving victims unprotected. Both bugs also appear to result from simple human error on the part of software coders.
In the GnuTLS case, however, the fact that the bug existed for so long is surprising, since anyone can review open-source code. (No outside eyes noticed the bug in Apple's open-source Secure Transport SSL/TLS library either.)
Fortunately, a solution already exists: updating to GnuTLS 3.2.12. Ubuntu and Linux Mint users will get this rolled into their daily update notifications; Red Hat Enterprise will have to be manually patched by IT departments.