These "format string" vulnerabilities started surfacing about two months ago, said Elias Levy, a moderator of the Bugtraq computer security mailing list. Some of them have lurked for years in basic Unix programs, but security experts only now have begun to find and fix them.
To take advantage of a format string vulnerability, an attacker gets a computer to display a string of text characters that contains formatting commands. By carefully manipulating those formatting commands, the attacker can trick the computer into running code of the attacker's choosing.
"Format string bugs are the new trend in computer security vulnerabilities," said Ivan Arce, president of Argentinian security company Core SDI and discoverer of the "locale" format string vulnerability that became public last Friday.
Fans of Unix and its close relative, Linux, pride themselves on the general security of their operating systems compared with Microsoft Windows, which has been plagued with security problems. But the format string issue highlights the fact that weaknesses can lurk for years within software, and that it's hard to track them down among hundreds of thousands of lines of programming code.
The format string vulnerabilities could in theory also affect Windows machines, but thus far such problems have been found only on Linux and Unix systems, Levy said.
Letting an attacker gain the privileges of the system administrator can be disastrous. An attacker could do damage such as erasing databases or password files. Even if the computer doesn't house precious information, a compromised computer can be used as a drone in a distributed-denial-of-service (DDoS) attack like the ones that brought down major Web sites, including Yahoo, in February.
Levy estimates that computer security experts have announced six or seven format string vulnerabilities in recent weeks, and Arce predicts many more are on the way. And already, security specialists have published on Bugtraq sample programs that can exploit the weakness.
The locale vulnerability uses internationalization software that allows Unix and Linux systems to be used in multiple languages. It's significant because countless basic Unix programs rely on the locale system to print messages such as "password incorrect" in the proper language.
Preston Brown, manager of Red Hat's Linux operating systems development, said today that Red Hat fixed the locale problem by changing the basic library of programs written in the C programming language. A key step is to make sure that basic programs on a computer system use the system's own message catalogs instead of allowing an attacker to get the programs to use a message catalog that contains format string attack commands, he said.
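As an added illustration of the check Brown describes (not code from Red Hat, glibc or the article): a C routine that accepts a translated catalog entry only when its conversion directives match those of the original message, so a catalog string carrying extra or altered directives is rejected before it is ever handed to printf with the program's argument list. Function names and the sample entries are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Copy the conversion letter of every directive in fmt into out, in order.
 * Flags, width, precision, positional "$" and length modifiers are skipped,
 * "%%" is a literal percent, and a dangling '%' returns -1.  Hypothetical helper. */
static int directives(const char *fmt, char *out, size_t cap)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* literal "%%" */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;                            /* flags, width, precision, length */
        if (!*p)
            return -1;                      /* '%' at end of string */
        if ((size_t)n + 1 < cap)
            out[n] = *p;
        n++;
    }
    out[(size_t)n + 1 < cap ? n : cap - 1] = '\0';
    return n;
}

/* A translated catalog entry is accepted only if it carries exactly the
 * conversions of the original message, in the same order: the program
 * will pass this string to printf with the original's argument list. */
bool catalog_entry_safe(const char *original, const char *translated)
{
    char a[32], b[32];
    int na = directives(original, a, sizeof a);
    int nb = directives(translated, b, sizeof b);
    if (na < 0 || nb < 0)
        return false;
    return na == nb && strcmp(a, b) == 0;
}

int main(void)
{
    /* constructed sample entries, not taken from any real message catalog */
    const char *orig = "Password incorrect for user %s";
    const char *good = "Mot de passe incorrect pour %s";
    const char *bad  = "Mot de passe incorrect pour %s %p %p";
    printf("accepted: %d\n", catalog_entry_safe(orig, good));   /* 1 */
    printf("accepted: %d\n", catalog_entry_safe(orig, bad));    /* 0 */
    return 0;
}
```

The same comparison is what a catalog-build tool can run once over every entry, which is why trusting only the system's own verified catalogs, rather than one supplied through the environment, closes the hole.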
Arce initially found the locale vulnerability on a Sun Microsystems server, but it affects all Linux and Unix operating systems except OpenBSD and FreeBSD, he said. Unfortunately, the widespread nature of the vulnerability derailed Arce's plan for a coordinated announcement of the vulnerability and Unix and Linux companies' fixes.
Arce notified 18 Unix and Linux companies that he planned to announce the vulnerability Sept. 11. However, he said, representatives of the Red Hat, Debian and Conectiva versions of Linux posted advisories of the vulnerability before that--a problem because attackers could easily, and correctly, guess the vulnerability applied to other versions of Unix and Linux as well.
"I realized that the whole coordinated release of information with the vendors had been blown to pieces," Arce said in a Bugtraq posting. "Given that it's a matter of minutes to realize that the problem is present in other Unix (operating systems), that the format string bugs are the new trend and that writing an exploit is really not very hard, I decided that it was best to just publish our advisory and warn all Unix users that they might be, and some are, vulnerable."
The slipup was the result of miscommunication, Red Hat's Brown said. "It was pretty much a misunderstanding that our posts went out earlier than he intended," he said. However, it's common that coordinated attempts to release vulnerability information falter, he added.
Levy said the issue is serious, though.
"It does go to show that there needs to be better work by Linux vendors in general on informing people about vulnerabilities," he said. With slipups such as this one, those who discover bugs won't have faith in the cooperation of the operating system companies and instead will simply post vulnerability announcements without giving companies a chance to write a repair first, Levy said.
The Computer Emergency Response Team at Carnegie Mellon University has described other format string attacks. In July, the organization posted alerts about a problem with a commonly used file transfer program from Washington University called wu-ftpd. And in August, CERT posted an alert about another basic program, rpc.statd, which is part of the Network File System.
Format string vulnerabilities are similar to another broad class of problems called "buffer overflow," which have been around for decades and hinge on an attacker inserting too many characters into an input field such as a password prompt. In a buffer overflow, an attacker also can get a computer to run arbitrary instructions that let the attacker take over the computer.