Don’t get spooked by the Ghost bug or other vulnerabilities

  • Hackers take advantage of older systems by embedding malware in overflow data and executing malicious code.

  • More devices in IoT are running open-source software and connecting to the network, increasing the potential for breaches.

  • AT&T Security Services can help you protect your enterprise from harmful attacks.

In our New Year, New Security Challenges webinar, we discussed how vulnerabilities in open-source software are now impacting a wide variety of products. The Ghost vulnerability is another example that affects many vendor products, and it also shows how difficult it can be to determine how serious (or exploitable) a vulnerability may be.

The buffer overflow vulnerability at the root of Ghost is a problem that has been plaguing software systems for many years, despite a good understanding of the problem and of the methods to overcome the hazard. The vulnerability is a result of improper bounds checking. Some programming languages, most notably C, depend on the programmer to implement appropriate checks and controls for function calls. Without proper bounds checking, a program or process may attempt to put more data in a buffer than the buffer was allocated to hold. The excess data spills into nearby memory and can lead to unexpected behavior. Consequently, in a buffer overflow exploit, an attacker may be able to execute arbitrary code, which can lead to escalated privileges.
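To make the bounds-checking point concrete, here is an added C example (not from the original article and not glibc's code; the record layout and the names `store_record`, `needed_full` and `needed_undercounted` are hypothetical). It shows how a size check that omits one region of the write lets an undersized buffer through, next to a check that counts every region and fails safely with `ERANGE`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout: an address slot, one alias-pointer slot
 * (the list terminator), then the NUL-terminated name. */
struct addr_slot { unsigned char bytes[16]; };

/* Under-counted sum: omits the alias-pointer slot, so a buffer that
 * passes this check is still too small for what the writer stores. */
size_t needed_undercounted(const char *name)
{
    return sizeof(struct addr_slot) + strlen(name) + 1;
}

/* Full sum: every region the writer touches is counted. */
size_t needed_full(const char *name)
{
    return sizeof(struct addr_slot) + sizeof(char *) + strlen(name) + 1;
}

/* Writes the record only if all of it fits; returns 0 or ERANGE. */
int store_record(char *buf, size_t buflen, const char *name)
{
    size_t name_len = strlen(name) + 1;        /* include the NUL */

    if (buf == NULL || buflen < needed_full(name))
        return ERANGE;                         /* caller retries with more */

    memset(buf, 0, sizeof(struct addr_slot) + sizeof(char *));
    memcpy(buf + sizeof(struct addr_slot) + sizeof(char *), name, name_len);
    return 0;
}

int main(void)
{
    const char *name = "host.example";         /* constructed input */
    char small[sizeof(struct addr_slot) + 13]; /* passes only the weak sum */
    char big[64];

    printf("undercounted=%zu full=%zu small=%d big=%d\n",
           needed_undercounted(name), needed_full(name),
           store_record(small, sizeof small, name),
           store_record(big, sizeof big, name));
    return 0;
}
```

The `small` buffer is exactly the size the under-counted sum asks for, which is why a writer relying on that sum would run past its end by one pointer's width.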

Hidden vulnerabilities

Like the Shellshock bug that lay low for years, the Ghost vulnerability has existed since November 2000. While it was fixed in May 2013, at the time, I believe no one realized Ghost might be remotely exploitable. Consequently, there was no significant effort to back-port patches for all the versions of Linux. As it turns out, the Ghost vulnerability has not manifested into a significant threat – so far. While remotely executable exploits have been theorized, they have not manifested into practical exploits. The exploitability of a vulnerability like Ghost is very difficult to predict given the wide variety of applications that may use the code.

There are likely many other vulnerabilities like Ghost lurking in the corners. As many systems, appliances, and Internet of Things devices adopt common open-source software, many more products use the same code in a wide variety of ways, which increases the likelihood of exploitable vulnerabilities. And since some IoT devices are not well designed or supported, patching processes may not be available for these devices. Consequently, it may be nearly impossible to eradicate vulnerabilities in some products.

Fortunately, some efforts are emerging to help improve the situation. In the wake of the Heartbleed vulnerability, funding has been generated to help ensure that open-source software is reviewed for vulnerabilities. The effort started with OpenSSL and is expanding. Likely, efforts will continue to find vulnerabilities that will need to be patched in many products. The need for patching will not just continue; it will need to expand and improve.

Patch now and continuously

Lessons learned from recent issues like Ghost are:

  • Ensure that any network-connected device is included in patching processes
  • Ensure that older software is included in security patching processes

To learn more about Ghost and how to address the impact, listen to the weekly AT&T ThreatTraq online broadcast, where AT&T security experts take a deeper dive into Ghost and many other security topics.

To learn more about how AT&T can help protect your enterprise, visit AT&T Network Security Services today.

Hear a replay of the webinar for more about security trends for 2015.


Brian Rexroad, Executive Director of Threat Analytics, AT&T