Two Google staffers have posted details of a Linux glibc (GNU C Library) stack-based buffer overflow vulnerability that sounds nasty…
Earlier this week, Google Staff Security Engineer Fermin J. Serna and Technical Program Manager Kevin Stadmeyer posted details of a Linux glibc (GNU C Library) stack-based buffer overflow vulnerability (CVE-2015-7547). To make matters worse, the pair explained how they were able to craft a fully working exploit. If you have been reading some of the headlines that have appeared since this disclosure, you might be forgiven for thinking that this is a major security event with devastating consequences. Here at IT Security Thing we have seen it described, for example, as putting “Every Linux Machine in Danger” and as being both “catastrophic” and a “Linux Superbug”. For sure, this is a flaw that has been around for a while: it is present in every version of glibc since 2.9, which was released way back in 2008. There is no denying, therefore, that it has the potential to impact thousands of Linux devices.
It all sounds very nasty, despite the mitigation efforts and the availability of a patch. So why would anyone take issue here? Well, what is open to debate, and there has already been plenty of debate within the IT security community, is whether it is actually that dangerous in the real world at all.