Bug Discovered in FreeBSD, Emergency Patch Released

Critical local root vulnerability has been found in FreeBSD, the open source OS, which could let an attacker execute malicious code on a vulnerable computer. However, people behind making FreeBSD have issued a relevant and hasty security patch to fix the flaw.

With the flaw becoming public, a computer attacker named Kingcope created an associated attack code which, according to security researchers, was unexceptionally easy.

It is also learnt that the vulnerability affects FreeBSD 8.0, and also existed in versions 7.1 and 7.2. Further, the bug lies in the link editor of FreeBSD, which could enable a hacker to hijack a server wholly through security flaws within web applications.

Reports also state that a user without administrative rights can carry out a binary operation using privileges in restricted conditions. Consequently, the user can gain control of the computer's root system, all of which are necessary to execute the attacker's code.

Soon as the flaw became publicly known, Colin Percival, Security Officer at FreeBSD, announced that a patch was available that more-or-less fixed the flaw, as reported by MXLogic on December 2, 2009. The officer, nevertheless, cautioned that since a patch was immediately required, the program was designed more with speed into consideration than precision. He also stressed that users downloading and installing the patch would themselves be liable for any consequences.

Percival further stated that usually the FreeBSD Security Team didn't publicly talk about security problems till an advisory was available, but in the current instance, as an attack code was widely obtainable, he wanted to develop and release a patch ASAP, as reported by ZDNet on December 1, 2009.

Percival added that since the time period for making and releasing the patch was short, the patch might not be the ultimate edition that came with an advisory.

According to the security researchers, the attack code represents a first one, recently posted, in connection with an open source operating system. The attack codes that were recently posted targeted Google or Microsoft applications.

Related article: Bugs Swell In Browsers in 2006

» SPAMfighter News - 12/14/2009