Tails Linux Still at Risk Despite Security Fixes

Researchers aim to prove a point "that no software is infallible" by finding bugs in a privacy Linux distribution favored by Edward Snowden.

Tails Linux

The open-source Tails Linux distribution issued its 1.1 update on July 22, providing multiple security fixes, though according to at least one security research firm, vulnerabilities still remain.

Tails, which is an acronym that stands for The Amnesic Incognito Live System, is focused on enabling user privacy while online. The Tails 1.0 release debuted on April 29 (check out key features of Tails 1.0 in an eWEEK slide show here) and first gained notoriety as the Linux system used by U.S. National Security Agency whistleblower Edward Snowden.

The Tails 1.1 release includes multiple bug fixes, at least four of which are identified as being security-related items. Among those four fixes is a browser update that is based on the latest Firefox ESR (Extended Support Release). There is also an update to the Linux 3.14.12-1 kernel, which provides a fix for a denial-of-service vulnerability identified as CVE-2014-4699.

Apparently however, the Tails 1.1 release is still at risk from an as-yet publicly undisclosed zero-day vulnerability that has been found by security firm Exodus Intelligence.

"By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible," Exodus wrote in a blog post. "Even when the issues we've found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others."

Exodus Intelligence is a company that first emerged from stealth in 2012. It was co-founded by Aaron Portnoy, who had previously been the manager of the Security Research Team at Hewlett-Packard TippingPoint and the Zero Day Initiative (ZDI).

Although Exodus sells its security services to paying customers, the company emphasized in its blog post that it does not ask for any remuneration for vulnerabilities that are reported to vendors.

The flaw found by the Exodus team is within the Invisible Internet Project (I2P) component used by Tails. The vulnerability could enable an attacker to deanonymize a Tails user. Exodus said it has provided full details to the Tails and I2P projects and has pledged not to make those details public until the proper patches have been integrated into Tails.

The I2P component might not be the only vulnerable component in Tails. This week a talk was pulled from the upcoming Black Hat USA security conference on vulnerabilities in the Tor onion router network. Tor, like I2P, is a technology that aims to help users stay anonymous on the Web and is integrated with Tails.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.