Skip to main content

Security Firm Confirms Serious Ubuntu/Debian Security Flaw

Application vulnerability specialist Fortify Software has confirmed the findings of a research posting to the Debian security list last week, which details a critical security vulnerability in the OpenSSL packages within the Debian and Ubuntu Linux operating systems.

Fredrick Lee, a researcher with Fortify's Security Research Group, said that the posting understates the potential seriousness of the flaw, which affects the Open Secure Sockets Layer elements of the two Linux operating systems.

"We're calling this vulnerability `insecure randomness' since it allows an attacker to predict the SSL cryptographic keys used for supposedly secure online transactions," he said.

According to Lee, the serious flaw could, for example, allow a malicious user to intercept an ostensibly secure online banking session between a customer and their bank.

"What's worse is the fact our researchers calculate this flaw has been available to hackers for more than two years," he said.

The problem, Lee went on to say, stems from a bug fix issued by Debian programmers that effectively emasculates the randomness engine required to ensure true security within the SSL module.

"Had we been contacted as part of the release strategy, as a number of other developers do, then the flaw would have been immediately identified by our research team, before the insecure update was released to the public," he said.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.