Linux is just as vulnerable as any other platform, if not more so. Yesterday, it was announced that a popular software package for Linux distributions contains a backdoor that gives full access to execute commands as a user on the host where the package is installed.
To quote the author of the forum post announcing the backdoor:
"It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now."
The author also indicates that this issue doesn't exist in their code repository (CVS), indicating that the backdoor was most likely placed in the distributed archive maliciously by someone wanting to exploit users of the software.
This back door exploit has been out there for more than 7 months. If this isn't an indicator of the need for better malware protection on the Linux platform, I'm not sure what is. When are we going to admit that we aren't as well protected as we assume we are? What other back doors are in open source that we just haven't found yet? The number has to be greater than zero.
The most interesting part of this discovery? Windows isn't affected.
"The Windows (SSL and non-ssl) binaries are NOT affected."
Signing source packages is a step forward; however, unless we find a way to auto-magically verify the signature, as some of our package managers do, it won't help much.
The as yet unanswered question, though, is what exploit was used to replace the original package last November. So how can we fix this problem?
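One way to make that check automatic is sketched below. This is an added example, not code from the original post or from the affected project. It assumes the pinned SHA-256 (and, optionally, a keyring of release keys) was obtained from a channel other than the mirror that served the tarball, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to unpack a source tarball unless it matches a
# digest pinned from a trusted channel. A tarball swapped on a mirror fails
# this check even though the project's repository is untouched.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum < "$1" | awk '{print $1}'
}

# verify_tarball EXPECTED_SHA256 FILE [SIGFILE KEYRING]
# returns 0 = verified, 1 = digest mismatch, 2 = file missing or unreadable,
#         3 = detached signature did not verify against KEYRING
verify_tarball() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    file=$2
    [ -r "$file" ] || return 2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $file: expected $expected got $actual" >&2
        return 1
    fi
    # Optional: check a detached OpenPGP signature with gpgv, which accepts
    # only keys present in the keyring file it is given.
    if [ -n "${3:-}" ]; then
        gpgv --keyring "$4" "$3" "$file" >/dev/null 2>&1 || return 3
    fi
    return 0
}

# safe_extract EXPECTED_SHA256 FILE DESTDIR: unpack only after verification
safe_extract() {
    verify_tarball "$1" "$2" || return $?
    mkdir -p "$3" && tar -xzf "$2" -C "$3"
}
```

A build script would call `safe_extract` with the pinned digest in place of a bare `tar -xzf`, so a mismatch stops the install before any of the archive's code is unpacked or run.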
fewt blog