Man in the middle is not difficult in the slightest. This is really, really easy to exploit - If you set up a man in the middle, or if they ever surf to a domain you control. Ever accidentally tried to visit a very common page and been one letter off? Congratulations, you landed on a potentially attacker controlled domain, and your device is now potentially compromised. This is actually very usable, and EXTREMELY dangerous. Basically every single machine that runs a Unix kernel of some description (so basically every mobile device ever) is potentially at risk. Why do you think that Google stumbled across this, along with the people running the library, and the red hat Linux devs?
14 comments
12 u/FriedFood100 17 Feb 2016 18:00
Internet of Highly Vulnerable Things
6 u/Drenki 17 Feb 2016 18:13
da fug,
getaddrinfo()is an extremely straightforward function. how the fuck did they mess it up. i gotta see this.5 u/ratsmack 17 Feb 2016 17:56
While this is a severe bug, it looks like it is extremely difficult to exploit.
1 u/noblefool 17 Feb 2016 22:22
Man in the middle is not difficult in the slightest. This is really, really easy to exploit - If you set up a man in the middle, or if they ever surf to a domain you control. Ever accidentally tried to visit a very common page and been one letter off? Congratulations, you landed on a potentially attacker controlled domain, and your device is now potentially compromised. This is actually very usable, and EXTREMELY dangerous. Basically every single machine that runs a Unix kernel of some description (so basically every mobile device ever) is potentially at risk. Why do you think that Google stumbled across this, along with the people running the library, and the red hat Linux devs?
4 u/jen1980 17 Feb 2016 21:33
FYI, the fix is out for CentOS/Red Hat. To verify you're safe:
rpm -qa glibc
And look for version 2.17-106.
0 u/ThisIsntMe123 18 Feb 2016 16:28
Or higher?
2 u/Amadameus 17 Feb 2016 18:51
The article mentions that, despite this being on some core functions of Linux, when Google built the Android OS they modified those tools.
Yep. Totally didn't know about that one in advance.
1 u/johnP 17 Feb 2016 23:13
It looks like if you're running debian it's already fixed so you just have to update with apt:
https://www.debian.org/security/2016/dsa-3481
0 u/weezkitty 18 Feb 2016 00:59
Bugs in GlibC are pretty gnarly because it is a non-trivial update and it could be a while before it is deployed widely
0 u/kwithh 18 Feb 2016 01:26
Adjectives. Adjectives everywhere.
-1 u/anoneko 17 Feb 2016 22:09
I figured GNU and open software will be the end of us all.
0 u/weezkitty 18 Feb 2016 00:59
You don't even want to know how many exploits are in closed source software. They just aren't published when they are found