Bonum Certa Men Certa

Qualys Starts Self-Promotional FUD Campaign, Naming a Bug That Was Already Fixed 2 Years Ago and Distros Have Covered With Patches

Ghostwriting a Qualys horror story for maximal FUD (fear, uncertainty, and doubt)

Spooky



Summary: Responding to the media blitz which paints GNU/Linux as insecure despite the fact that bugs were evidently found and fixed

THERE IS something to be said about the "top" news regarding GNU/Linux. It's not really news. The so-called "GHOST" publicity stunt needn't be repeated by FOSS sites. It is about a bug which was patched two years ago, but some sites overlook this important fact and stick lots of spooky logos, playing right into the hands of Qualys, an insecurity firm (making money from lack of security or perception of insecurity).



We have watches the 'news' unfolding over the past day and a half and now is a good time to explain what we deal with. The so-called "GHOST" (all capital letters!) bug is old. Qualys is going two years ago into bugfixes, giving a name to the bugfixes, then making plenty of noise (all over the news right now). Qualys does not look like a proxy of Microsoft or other GNU/Linux foes, but it is self-serving. Insecurity firms like Qualys probably learned that giving a name to a bug in GNU (SJVN mistakenly calls it "Linux", but so do many others) would give more publicity and people will pay attention to brands and logos rather than to substance. Just before Christmas an insecurity firm tried to do that with "Grinch" and it turned out to be a farce. SJVN says that this old "vulnerability enables hackers to remotely take control of systems without even knowing any system IDs or passwords."

Well, it was patched back in 2013. Use of names for marketing is what makes it "news"; the opportunists even prepared a PRESS RELEASE and pushed it into 'big' sites like CNN. It has marketing written all over it, just like "Heartbleed" that had strong Microsoft connections behind the disclosure. It is sad that Linux sites fall for this. Phoronix copies the press release as though it's reliable rather than self-promotional. Michael Larabel writes: "The latest high-profile security vulnerability affecting Linux systems us within Glibc, the GNU C Library."

It is not "latest", it is 2 years old. Larabel says that "Qualys found that the bug had actually been patched with a minor bug fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18."

OK, so it's not news. FOSS Force cites SJVN to amplify the scare and other FOSS sites are playing along as though this is top news. It oughtn't be. It is already widely patched (maybe requiring a reboot), so let's patch and move on (unless it was already patched upstream/downstream years ago). IDG has already published at least three articles about it [1, 2], including one from Swapnil Bhartiya, who is not too alarmist to his credit. He noted that "there was a patch released back on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18. However it was not considered to be a security risk and thus major Linux distributions that offer long term support and get security updates remained vulnerable, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04."

It affects very specific versions, mostly long-term support releases that already have reliable patches available. It should be clear that some headlines such as this or that clarify the limited scope of impact (not bad reporting) unlike the alarmist trolls.

What Techrights generally found was that early coverage came from so-called 'security' sites or blogs of insecurity firms that try to sell their services (e.g. [1, 2, 3]). These set the tone for many.

The response to this bug is proportional to the perceived danger (e.g. due to media hype), not the severity of the bug. Some security news sites [1, 2] focus on names and logos while facts remain only a side issue. This so-called "ghost" nonsense (some lines of code basically) was fixed 2 years ago and as the blog post "long term support considered harmful" explains it: "In theory, somebody at glibc should have noticed that fixing a buffer flow in a function that parses network data has security implications. That doesn’t always happen, however, for many reasons. Sometimes the assessment isn’t made; sometimes the assessment fails to consider all possible exploit strategies. Security bugs are “silently” fixed frequently enough (without evil intentions) that we should consider them a fact of life and deal with them accordingly."

Some of the worst kind of coverage we found came from The Register with its flamebait headlines (scary headlines for maximum effect) and the troll Brian Fagioli. They are only some among many who are using the name to come up with puns and FUD. Jim Finkle is back to his GNU/Linux-hostile 'reporting', bringing this to the corporate media (there is some in the UK also) and LWN quickly cited the GNU/Linux-hostile Dan Goodin. He called "Highly critical" a bug that was patched two years ago.

Debunking some of the latest security FUD we had Fedora Magazine which stated "don’t be [worried], on supported Fedora versions."

For unsupported version there is a lot more than this one bug that one needs to worry about.

Apple fans were quick to take advantage of the news, despite the fact that Apple is leaving systems vulnerable for many months, knowingly (like Microsoft does, until Google steps in).

See, with proprietary systems one knows for a fact that there is no security. With GNU/Linux is an open question and it depends on what measures one takes to keep it secure. For Apple and Microsoft security is not at all the goal; back doors and unpatched flaws are not really as "interesting" and important for them to patch as helping spying agencies. Google is not at fault here, Google just saw that Apple and Microsoft had no plans to plug serious holes -- a patch evidently wasn't going to be made ready before the public finds out about it, owing to Google. Apple chooses to blame Google; same as Microsoft. They should only blame themselves both for the bugs and for negligence after the bugs were highlighted to them. There is no room here for properly comparing GNU/Linux (Free/libre) to OS X or Windows (proprietary) because evidence clearly shows that the latter are not interested in security and not pursuing security when it is trivially possible.

What we find curious amid the latest FUD campaign is that Apple back/bug doors are not as widely publicised as a GNU bug that was patched 2 years ago and mostly affects LTS systems (which already have patches available). "Nothing I can think of," said a reader of ours about this media hype, "but the LTS model followed by RHEL and Ubuntu have different goals and purposes than the short, fast development cycle like OpenBSD."

Nobody is forced to use an LTS release and those who choose it must be aware of the potential risk.

Regarding the other FUD that flooded the press in recent weeks, targeting for the most part Google and Android, our reader XFaCE wrote the following:

I assume you want to write about that new Android vulnerability. Basically I can see the narrative being pushed through three points

- Microsoft supported Windows XP/7/etc. for years, why doesn't Google support old Android versions

- Google told Microsoft about a very old bug in their software, so they are hypocritical

- Heartbleed bug was fixed way back for 4.1.1

For the last point, it's a bullshit comparison because

a) 4.1.1 was one point release where upgrading to 4.1.2 fixed the issue (it was already fixed back when 4.1.2 was released)

b) The fix was one file, as evident by XDA members patched it themselves on phones manufacturers refused to upgrade to 4.1.2 SOURCE: http://forum.xda-developers.com/showthread.php?t=2712916

c) As shown by the link, a lot of manufacturers DIDN'T update certain 4.1.1 devices to 4.1.2, hence proving Google's point. The fix there was SIMPLE, but the OEMs didn't bother to do it

With Webview, not only is webview involved, but so is the webkit rendering engine, so the fix for all those previously releases is much more complicated

As for the second point, Google did catch it, with KitKat, and furthermore made KitKat supported on more low-end devices so theoretically older 512mb or less devices could be updated

For example, HTC said (when Jelly Bean 4.1 came out) that they would not update any device with 512 mb of RAM (SOURCE: http://www.cnet.com/news/htc-one-v-and-desire-c-will-never-get-jelly-bean/ ), so naturally when KitKat came out, they updated those devices because the OS officially was designed for such low ram devices

oh wait

http://www.androidpit.com/android-4-4-kitkat-update-plans

"Later this year, the entry-level smartphone the HTC Desire 500, should also be seeing the KitKat update. However, the One X, One X+, One S, and One V will be left in the dust and will be receiving no more official updates from HTC."

So the OEMs are at fault for not upgrading the devices, not Google, which leads to point 1 - Google doesn't control the Android OEMs like Microsoft does OEM pay Microsoft for the support whereby Microsoft controls all updates, Google doesn't get paid or have the agreemeent in that way

OEMs like HTC could easily fix this by porting Kitkat to those devices, but they won't cause they want you to buy a new HTC phone or whatever phone brand


Techrights did not cover that (except in daily links) because it should be self-evident that free-of-charge Android upgrades make it inhernetly different from proprietary software and keeping up to data typically ensures security. A lot of the analogies (Android and Windows) were inherently flawed and the FUD rather shallow.

Recent Techrights' Posts

Gemini Links 11/04/2025: Microcosmographia Academica and Ada Language
Links for the day
At the Root of the SLAPPs There Are Matters of GitHub Corruption and Microsoft Competition Crimes
Keep both eyes on the ball; this is about monopoly abuse and attempts to muzzle critics
Open Source Initiative (OSI) Privacy Fiasco in Detail: More on the Complaint, Which Also Points the Finger at Stefano Mafulli and Deb Nicholson
Focus on what they are attempting to distract from
"Linux" Foundation, Besieged by Microsoft, Isn't About Science But Against Science and Against Facts
(and for Microsoft Dogma, Microsoft Domination, Microsoft Money)
IBM Pays IDG's IDC to Market Proprietary Red Hat Enterprise Linux (RHEL) Under the Guise of "Research"
Proprietary RHEL promoted by FUD (Fear, Uncertainty, Doubt or just plain fear-mongering)
 
Links 11/04/2025: LLMs as Worthless Gimmicks, People in Trouble for Saying Too Much in (or Before) 'Cheeto Era'
Links for the day
Links 11/04/2025: "Getting Screamed At" and LLM Crawlers as Vandals Online
Links for the day
Links 11/04/2025: Microsoft Mass Layoffs Again, Zelensky Doubles Down on Claim That Many Chinese Are Fighting for Russia
Links for the day
Slopwatch: A Sea of LLM Slop About SparkyLinux, Kubernetes, Ubuntu, and Linux Kernel
Welcome to the future? The future of the Web?
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, April 10, 2025
IRC logs for Thursday, April 10, 2025
Gemini Links 10/04/2025: "Secret of Happiness" and Overthinking POSSE
Links for the day
Links 10/04/2025: NNCPNET Email Network, RSS Readers, and IRS as 'Immigration Enforcer'
Links for the day
IBM Layoffs in Markham (Canada) Apparently Still Happening
"Still going on... Got laid off today. TEL Canada, Band 9, 19 years with IBM."
Links 10/04/2025: Fentanylware (TikTok) Perils and Internet Shutdown
Links for the day
Microsoft's "Linux" Foundation Pays Writers to Publish Propaganda and Then LLM Slop Sites (Slopfarms) Repeat the Propaganda, Using Microsoft LLMs
consider the latest LLM slop
Once You Slop You Can't Stop and If You're a Serial Slopper Nobody Will Believe You Really Wrote an Article (Even If You Did)
It's a lot like, "if you're a serial liar people won't believe you even when you say some truth" (or "once a cheater, always a cheater")
Pressing Against SLAPPs (From Americans Who Strangle Women While Microsoft Pays Their Salaries) is a High Priority for Us
We also need to ensure that greedy firms/people that facilitate the SLAPPs get "disbarred" or "struck off"
Mozilla Firefox Already Down to 1% in Brazil
Don't people crave the surveillance and the slop?
Links 10/04/2025: Hardware, Politics, and Internet
Links for the day
Gemini Links 10/04/2025: Creativity and Agitation, Life in the USA, CSS Naked Day 2025
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, April 09, 2025
IRC logs for Wednesday, April 09, 2025
Alleged Layoffs at IBM Consulting in Australia
IBM loses many government contracts these days
The Rumours Were Likely True: Sixth Wave of Microsoft Mass Layoffs in 2025 (Days After "50" Anniversary and About 5,000 Layoffs)
5 hours ago, by Ashley Stewart
Malware in Proprietary Software - Latest Additions
Original by Free Software Foundation, Inc.
Links 09/04/2025: More Trade Wars and Wars, Chinese Army Troops Found Fighting in Ukraine
Links for the day
Linux Clickbait by Slop
Give it up for Brian Fagioli, the Serial Slopper
IBM and MCC: Layoffs Coming Again to Metro Connect Company Limited (MCC) as Tariffs Bite and IBM's Shares Fall
Blacklists applicable to Chinese suppliers also mean that IBM can no longer cooperate with key partners in Asia
Microsoft's Entire Premise for Its Future Existence Goes Up in Flames
32 minutes ago
GNU/Linux on a High in Colombia
Stereotypes much?
Go Static
Please don't Go(lang) or JavaScript or PHP or...
Techrights Be Like...
K.I.S.S.
Gemini Links 09/04/2025: Autism, Cybersecurity, and LLMs Attacking Services Online
Links for the day
GNU/Linux Would be Measured at Over 5% Globally (by statCounter) Had the Data in India Not Been Changed
GNU/Linux grew a lot in many countries and has expanded since then
Keeping Track of Microsoft Layoffs in 2025
So here's a quick roundup of 2025
The Sixth Anniversary of the Lightweight Alternative to the Web (Gemini Protocol)
Now 11 short of 3,000 active capsules. 65 short of 4,500 total.
Links 09/04/2025: Quartz Fires All Writers (Shutdown, LLM Slop or Slopfarm Instead), "Bitcoin Is Crashing Hard"
Links for the day
People Are Sick of LLM Slop. Offer Them Alternatives.
We never used LLM slop for anything and we never will
Web Surveyor statCounter Sees Apple's macOS Falling From 5.6% to 3.6% in Two Months, It Might Soon be Smaller Than GNU/Linux
Apple's "value" (faked, exaggerated) is back to "pandemic times"
UK House of Lords Recognises the SLAPP Issue in the UK and EFF Pursues "Bill (That) Could Put A Stop To Censorship By Lawsuit" in the US
"A House of Lords inquiry into how the news industry can survive into the future has accused the government of “failing to prioritise” action on strategic lawsuits against public participation (SLAPPs)."
Open Source Initiative (OSI) Privacy Fiasco in Detail: Seeking Class Action Against the OSI
"LETTER SEEKING CLASS ACTION REPRESENTATION"
The Value of Slop, by Alexandre Oliva
Original by Alexandre Oliva
Gemini Links 09/04/2025: Neocities, Tinylogs, and Inter-community Protocols
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, April 08, 2025
IRC logs for Tuesday, April 08, 2025
You Can Be an A--hole to Women (Even Strangle Women) as Long as You Work for Microsoft
Recalling the Mark Shuttleworth origin story
Canonical is a Proprietary Software Reseller With a 'Debian Base'
"Canonical Ubuntu" is just Debian with some proprietary things sold on top of it