Red Hat plans automated security updates

Linux vendor Red Hat has revealed that it plans to include a service with its distribution of Linux that will automatically update systems with the latest security patches.

The move comes after a warning from security advisory group Cert last weekend of widespread attacks on internet servers that target security vulnerabilities for which fixes are readily available. A large number of hosts, many of them running Red Hat Linux, have been affected, according to Cert.

Colin Tenwick, European general manager at Red Hat, said that, alongside other vendors, it had issued patches to correct the problems but said more was needed to make the updating process easier for end users.

"We do everything we can to make people aware of the availability of updated software," said Tenwick, adding that this process needs to become more effective.

"Over the next few months we'll be making announcements about the automatic distribution of software. Automatic services and new ways to update software will take away the burden on administrators of keeping up to date."

However, Malcolm Skinner, product marketing manager at security firm Axent, said that many companies would balk at having unsolicited software entering their networks, which might itself be a security risk. Email alerts of security notices are far from perfect, said Skinner, but they are the best mechanism for updates we have at present.

"In theory, automatic updates are a good idea but many companies like to exercise change control," he said, adding that systems managers have a responsibility to make sure software is up to date.

The Cert alert warned that hackers are using automated tools to probe for and exploit vulnerable internet hosts on a widespread scale.

These searches are targeting systems that have versions of either the rpc.statd program or versions of the wu-ftpd file transfer protocol package, which have not been patched with security fixes. This is proving a potent attack technique because vendors have issued fixes for input validation error in these packages but these have not been applied in many cases - leaving the door open for hackers.

Once vulnerable hosts are discovered, attackers are installing Trojan horse and denial of service tools on victims' machines - a process which closely resembles that which happened prior to the distributed denial of service attacks that paralysed many internet sites in February.

In a security notice, Cert warned: "The combination of widespread, automated exploitation of two common vulnerabilities and an associated increase in distributed denial of service tool installation poses a significant threat to internet sites and the internet infrastructure."

Cert has recorded more than 560 hosts at 220 internet sites, being part of a Tribe Flood Network 2000 distributed denial of service network.