GHOST Bug Not New, but Can Haunt Older Linux Versions

By Sean Michael Kerner  |  Posted 2015-01-28

The Risk

The real issue with GHOST isn't that a vulnerability was found in an open-source package. The GHOST vulnerability was fixed before anyone ever even knew it existed. The issue is that package stability might represent a risk to security.

Any software bug is a potential exploit waiting to happen. The fact that GHOST wasn't labeled a vulnerability until Jan. 27 potentially left some users at risk. Yet, admittedly, the risk is small since GHOST has never been exploited, and as yet, there isn't even proof-of-concept exploit code available.

It is incumbent on Linux distributions to update from upstream projects as quickly as possible. For community Linux distributions, where enterprise stability is not a primary concern, that is the normal practice.

With one class of Linux distribution, known as a "rolling release," the latest packages are always available for users to include. Linux users themselves can also always choose to manually pull from the upstream projects.

GHOST is not a vulnerability like Heartbleed, Shellshock or POODLE, which were zero-day issues. GHOST is an issue that doesn't affect all Linux distributions, and it's an issue that was fixed 17 months ago.

The challenge is one of balancing the needs of enterprise stability with the constant flow of upstream updates. It's a difficult balance to achieve, but let's hope that the impacted Linux vendors redouble their efforts to make sure that users aren't left at risk from bugs that have already been patched.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

