Security experts have warned of a suspected vulnerability in the Debian and
Ubuntu Linux operating systems.
Fortify Software confirmed the findings of a posting to the Debian security
list last week, which detailed a critical vulnerability in the OpenSSL (Secure
Sockets Layer) packages shipped with Debian and Ubuntu.
Fredrick Lee, a researcher at Fortify, claimed that the posting actually
understates the potential seriousness of the flaw.
"We are calling this vulnerability 'insecure randomness' since it allows an
attacker to predict the SSL cryptographic keys used for supposedly secure online
transactions," he said.
Lee explained that a malicious user could intercept an ostensibly secure
online banking session between a customer and their bank.
"What's worse is that our researchers calculate this flaw has been available
to hackers for more than two years," he said.
The problem stems from a bug fix issued by Debian programmers that
effectively "emasculates" the random number generator on which the security of
the SSL module depends: with too little randomness feeding it, the keys it
produces become predictable.
"Had we been contacted as part of the release strategy, as a number of other
developers do, the flaw would have been immediately identified by our research
team before the insecure update was released to the public," said Lee.
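To make the "insecure randomness" concrete, here is an added Python sketch that is not from the article and not Debian's or OpenSSL's code: it models a generator whose only entropy is an assumed 15-bit seed, shows that its entire output space can be enumerated, and turns that enumeration into a defender's blacklist check for keys that must be replaced.

```python
import hashlib
import os
import secrets
from typing import Callable

# Constructed toy model of the failure the article describes: a key generator
# whose only entropy is a small integer, standing in for a PRNG whose seeding
# was stripped out by a bug fix. Not Debian's real patch or OpenSSL's code.
SEED_BITS = 15                      # assumed: 2**15 = 32768 possible seeds
KEY_LABEL = b"toy-weak-generator"   # constructed domain-separation label

def weak_key(seed: int) -> bytes:
    """Key derived solely from a SEED_BITS-bit seed: the key space is tiny."""
    if not 0 <= seed < (1 << SEED_BITS):
        raise ValueError("seed outside the modelled seed space")
    return hashlib.sha256(KEY_LABEL + seed.to_bytes(2, "big")).digest()

def draw_weak_key() -> bytes:
    """One run of the crippled generator: a fresh seed, but only 15 bits of it."""
    return weak_key(secrets.randbelow(1 << SEED_BITS))

def strong_key() -> bytes:
    """One run of a healthy generator seeded from the OS entropy source."""
    return hashlib.sha256(os.urandom(32)).digest()

# A defender can enumerate every key the crippled generator could ever emit and
# treat that set as a blacklist: any deployed key found in it must be replaced.
# The enumeration is feasible only because the generator is broken.
WEAK_KEY_BLACKLIST = {weak_key(s) for s in range(1 << SEED_BITS)}

def is_weak_key(key: bytes) -> bool:
    """True if the key is one the crippled generator can produce."""
    return key in WEAK_KEY_BLACKLIST

def distinct_keys(generator: Callable[[], bytes], draws: int) -> int:
    """Count distinct keys over `draws` runs; repeats are a sign of low entropy."""
    return len({generator() for _ in range(draws)})

if __name__ == "__main__":
    print("weak generator, 100000 draws ->", distinct_keys(draw_weak_key, 100000))
    print("strong generator, 100000 draws ->", distinct_keys(strong_key, 100000))
    print("blacklist size ->", len(WEAK_KEY_BLACKLIST))
```

Running it shows the weak generator never exceeds 32768 distinct keys however many times it is invoked, while the OS-seeded one produces a fresh key every draw.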