*nix takes a page from Windows' book


— 4:41 PM on September 7, 2000

And you thought that Microsoft operating systems were bad on security... Well, they are. But all is not rosy in the Unix/Linux world either, as this News.com story shows. An entirely new class of exploit has been showing up over the last couple of months, and it's been termed the 'format string' vulnerability.

Similar to a buffer overflow exploit, the new type of vulnerability uses formatting commands to run malicious code. Apparently, some of the code has been vulnerable to these exploits for years, and the bugs are just now getting found and fixed. One such bug has been found in a core package that is relied upon for basic display services by "countless" programs.
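The bug class described above, reduced to its core as an added example (not code from the article or from any affected package): untrusted text passed as the format argument of a printf-family call, next to the same text passed as data to a constant format. The function names and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Silenced only so the "before" function compiles without noise;
   keep -Wformat-security enabled (ideally as an error) in real builds. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* BEFORE: untrusted text is used as the format string itself, so any
   '%' directive inside it is interpreted by the printf family. */
int render_unsafe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, untrusted);
}

/* AFTER: the format is a constant; untrusted text is only data. */
int render_safe(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

/* Audit helper: count '%' directives other than the literal "%%".
   A non-zero count in a string about to be used as a format means
   the input can steer the formatter. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample input; "%%" consumes no argument, so even the
       unsafe call is well defined here. */
    const char *input = "disk 100%% full";
    char a[64], b[64];
    render_unsafe(a, sizeof a, input);
    render_safe(b, sizeof b, input);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("directives in \"%%s%%n\": %d\n", count_directives("%s%n"));
    return 0;
}
```

The unsafe call rewrites the input (`%%` collapses to `%`), which shows the text is being parsed as a format; the safe call copies it unchanged.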

That particular bug affects "all Linux and Unix operating systems except OpenBSD and FreeBSD" according to the president of a security company who was interviewed for the article. According to the article, Red Hat has already posted a fix for this bug; browsing the Red Hat site, I came upon this page, dated September 1, that appears to deal with the exploit in question. The article doesn't mention the status of bug fixes for any other Unix variant.

While it's good that this bug is quickly being stamped out, it looks to be a long road ahead; analysts seem to think there are quite a few more format string exploits lurking in the source code. Greeeeeat.
