It's been an apocalyptic year for Linux security, with a sophisticated Trojan and security holes over 20 years old. The Shellshock bug left Linux desktops and servers wide open for anyone to own. Security updates fixed these problems--but you may not even be getting those patches.
Security revelations in 2014 shattered the myth of Linux impenetrability. No, the sky isn't falling, and yes, Linux is still inherently more secure than Windows--but this year proved that Linux lovers still need to pay at least some attention to their system's protection.
Turla's been infecting Linux systems for years
Security researchers have known about a piece of malware called "Turla," "Snake," or "Ouroboros" for years. Turla is an extremely sophisticated piece of government-sponsored malware--one that appears Russian in origin. As usual, it was Windows malware.
But, this week, Kaspersky unveiled it had found a Linux version of Turla. This Trojan has been silently infecting Linux systems for years. It's based on an open-source backdoor program called cd00r. Turla listens to network traffic and allows an attacker to run commands on the infected Linux system. Crucially, the Torjan doesn't require root access--it just runs as your standard user account, so all the sudo and privilege restrictions used on the Linux desktop won't hinder it. While it's a network service, it's clever enough to hide itself from the netstat tool so you won't see it listening if you start looking at your network connections. Read Kaspersky's blog post for the gory details.
This is terrifying for a few reasons. It demonstrates that, yes, Trojans can infect Linux systems. And, no, not having access to root won't necessarily stop a piece of malware. All the interesting stuff like online banking happens under your user account, anyway.
Realistically, Turla probably isn't infecting your PC. You're probably not a target. As a government-sponsored piece of malware, Turla is designed to infect targets for purposes of surveillance or corporate espionage, not to steal your credit card number. But there's been a Linux Trojan infecting computers around the world for years now. Yes, Linux Trojans are possible and do exist.
X.org has security issues going back 20+ years
Late last year, we learned there are a huge list of security vulnerabilities in the X.org graphical server and its libraries. Some of these security holes have been around for more than 20 years. The researcher who discovered these holes said X.org security was a disaster, and "it's worse than it looks."
This week, many of these security vulnerabilities were made public knowledge. Your Linux distribution should be rolling out security updates for your X.org server and proprietary NVIDIA driver shortly, if it hasn't already. But, even after these patches, X.org security still doesn't inspire much confidence.
Sign up for Computerworld eNewsletters.