News headlines screaming that yet another Microsoft Windows vulnerability has been discovered, is being exploited in the wild or has just been patched are two a penny. Such has it ever been. News headlines declaring that a 'major security problem' has been found with Linux are a different kettle of fish. So when reports appeared of an attack that could circumvent verification of X.509 security certificates, and by so doing bypass both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) website protection, people sat up and took notice. Warnings have appeared recounting how the vulnerability affects Debian, Red Hat and Ubuntu distributions. Red Hat itself issued an advisory warning that "GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification... An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid." In all, at least 200 operating systems reportedly use GnuTLS to implement SSL and TLS, and the knock-on effect could mean that web applications and email alike are vulnerable to attack. And it's all Linux's fault. Or is it?

The problem with all of this would appear to have started with the best intentions: a programmer working for Red Hat discovered the flaw, and Red Hat then issued that advisory, which told users to apply a product update to fix it. All good stuff, with a quick discovery and a short time to patch. The problem itself, or at least the problem I have here, is more accurately with the reporting of the flaw. The Internet social media grapevine, Linux and general IT discussion forums, security vendors and, before long, publications which should know better all started claiming that this was a Linux bug. A bug, a flaw, in Linux that has been in place for longer than ten years, no less. Linux is flawed, Linux is dangerous, Linux is not as secure as fanboys would have you believe. What a load of rot!

This flaw is very similar indeed to the recent one involving Apple's iOS encryption bug in that it involves the C goto statement. In the iOS case it was, as I understand it, just a single goto fail statement that screwed things up, whereas as far as Linux is concerned it is a whole series of goto cleanup jumps that have errors. Here's the thing though: these errors are in the GnuTLS library, not in Linux. On the affected error paths the code jumps to cleanup with a negative GnuTLS error code still sitting in the variable that is returned, and callers that only test that return value for zero or non-zero read the error as a successful check. This library has been an accepted part of Linux distributions for years now, and of Red Hat in particular, which is so often used as a web server OS, and so surprise has been expressed by many (quite rightly) at how it could go undetected so long in open source code. The big security positive argued when it comes to any open source product is that anyone can access the source code and test any part of it at will, which should mean that security flaws are that much harder to escape attention. I'm with those who say it's a glaring error that the GnuTLS library wasn't checked until now, allowing this error to go unnoticed and available to anyone who might have spotted it and wanted to exploit it for criminal gain. That's a given. What isn't a given, in my opinion, is saying that Linux itself is flawed. That the Linux OS has a major security problem.
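To make the failure mode concrete, here is an added, simplified reconstruction of the error-handling pattern described above. It is not GnuTLS's own code and is not taken from the original article: the `struct cert`, `get_basic_constraints`, `ERR_INVALID_DATA` and the two `check_if_ca_*` functions are constructed stand-ins, and the malformed-certificate scenario is constructed input. The vulnerable version jumps to `cleanup` with a negative error code still in `result`, which a caller testing for non-zero reads as "this issuer is a CA"; the fixed version sets `result` to 0 before the jump so a malformed certificate fails closed.

```c
#include <stdio.h>

/* Constructed negative error code, in the style of GnuTLS error returns. */
#define ERR_INVALID_DATA (-10)

/* Constructed stand-in for an X.509 certificate: only the fields the
   check below needs. parse_error simulates a malformed basicConstraints
   extension, which is attacker-controlled input. */
struct cert {
    int parse_error;   /* nonzero: reading the extension fails */
    int is_ca;         /* the CA flag, valid only when parsing succeeds */
};

/* Reads the CA flag; returns 0 on success or a negative error code. */
static int get_basic_constraints(const struct cert *c, int *is_ca)
{
    if (c->parse_error)
        return ERR_INVALID_DATA;
    *is_ca = c->is_ca;
    return 0;
}

/* Vulnerable shape: 'result' doubles as an error code (negative) and as a
   boolean (1 = is a CA, 0 = not). The error path jumps to cleanup with the
   negative code still in 'result', so the function returns nonzero. */
int check_if_ca_vulnerable(const struct cert *c)
{
    int result, is_ca = 0;

    result = get_basic_constraints(c, &is_ca);
    if (result < 0)
        goto cleanup;           /* bug: result is still ERR_INVALID_DATA */

    result = is_ca ? 1 : 0;

cleanup:
    return result;
}

/* Fixed shape: every error path sets 'result' to 0 before the jump, so a
   malformed certificate fails closed (treated as not a CA). */
int check_if_ca_fixed(const struct cert *c)
{
    int result, is_ca = 0;

    result = get_basic_constraints(c, &is_ca);
    if (result < 0) {
        result = 0;             /* fail closed */
        goto cleanup;
    }

    result = is_ca ? 1 : 0;

cleanup:
    return result;
}

/* Caller pattern: anything other than 0 is taken to mean "issuer is a CA".
   Returns 1 if the issuer is accepted, 0 if rejected. */
int issuer_accepted(int (*check)(const struct cert *), const struct cert *issuer)
{
    return check(issuer) != 0;
}

/* Runs one constructed scenario through either implementation.
   vulnerable selects the buggy check; parse_error/is_ca build the issuer. */
int run_scenario(int vulnerable, int parse_error, int is_ca)
{
    struct cert issuer = { parse_error, is_ca };
    return issuer_accepted(vulnerable ? check_if_ca_vulnerable : check_if_ca_fixed,
                           &issuer);
}

int main(void)
{
    printf("malformed issuer, vulnerable check: %s\n",
           run_scenario(1, 1, 0) ? "ACCEPTED as CA" : "rejected");
    printf("malformed issuer, fixed check:      %s\n",
           run_scenario(0, 1, 0) ? "ACCEPTED as CA" : "rejected");
    return 0;
}
```

The lesson a reviewer would take from this is that a return variable must not carry two meanings (error code and boolean) across a shared exit label; either give errors their own exit path that forces the failing value, or keep the boolean in a separate variable that is initialised to the safe answer.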

Actually, the library (which is maintained by a separate group from the Linux kernel and distribution teams) has a major security problem. The library isn't used only by Linux distributions (which have already patched against the vulnerability), so the claim that it is a Linux problem is not really valid. Maybe I am splitting hairs here, and let me just state that as a Windows, Android and iOS user but not a Linux one I certainly have no fanboy axe to grind, but this sounds a lot like those who would blame Internet Explorer or Microsoft for an Adobe Reader vulnerability...

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

"This library has been an accepted part of the Linux OS for years now, and Red Hat in particular which is so often used as a web server OS, and so surprise has been expressed by many (quite rightly) at how it could go undetected so long in an open source OS."

Just a note to prevent anyone drawing the wrong conclusion from this: RH OSes don't usually use gnutls for web server security. We provide the Apache modules for all three major SSL/TLS libraries - mod_security (OpenSSL), mod_gnutls (gnutls) and mod_nss (NSS). mod_security is the one you're most likely to wind up with if you don't make an explicit choice. Your webserver is obviously only vulnerable to this exploit if you're using mod_gnutls (and you haven't installed the update yet).
