As IT workers continue their daunting job of protecting network users from bad guys, a few new tools might help stem the tide of vulnerabilities that continue to link open source and proprietary software.
Canonical and Microsoft reached a new agreement to make their two cloud platforms play nicer together. Meanwhile, Microsoft apologized to open-source software devs. But no apology was rendered for BitLocker locking out Linux users.
Let’s get caught up on the latest open-source software industry news.
New Open-Source Tool Helps Devs Spot Exploits
Vulnerability software platform firm Rezilion on August 12 announced the availability of its new open-source tool MI-X from the GitHub repository. The CLI tool helps researchers and developers quickly know if their containers and hosts are impacted by a specific vulnerability to shorten the attack window and create an effective remediation plan.
“Cybersecurity vendors, software providers, and CISA are issuing daily vulnerability disclosures alerting the industry to the fact that all software is built with mistakes that must be addressed, often immediately,” said Yotam Perkal, director of vulnerability research at Rezilion.
“With this influx of information, the launch of MI-X offers users a repository of information to validate exploitability of specific vulnerabilities, creating more focus and efficiency around patching efforts,” he added.
“As an active participant in the vulnerability research community, this is an impactful milestone for developers and researchers to collaborate and build together,” Perkal noted.
Current tools fail to factor in exploitability as organizations grapple with a litany of critical and zero-day vulnerabilities, and scramble to understand if they are affected by that vulnerability. It is an ongoing race to figure out the answer before a threat actor does.
To make this determination, organizations need to identify the vulnerability in their environment and ascertain if that vulnerability is truly exploitable to have a mitigation and remediation plan in place.
Current vulnerability scanners take too long to scan, do not factor in exploitability, and often miss it altogether. That is what happened with the Log4j vulnerability. The lack of tools gives threat actors a lot of time to exploit a flaw and do major damage, according to Rezilion.
The introduction of MI-X is the first of a series of initiatives Rezilion plans to foster a community around detecting, prioritizing, and remediating software vulnerabilities.
Linux Thrives, Along With Growing Security Woes
Recent data monitoring of more than 63 million computing devices across 65,000 organizations shows the Linux OS is alive and well within businesses.
New research from IT asset management software firm Lansweeper shows that even though Linux lacks the more widespread popularity of Windows and macOS, plenty of corporate devices run Linux operating systems.
Scanning data from more than 300,000 Linux devices across some 26,000 organizations, Lansweeper also uncovered the popularity of each Linux operating system depending on the total amount of IT assets managed by each organization.
The company released its finding August 4, noting that around 32.8 million people use Linux globally, with about 90% of all cloud infrastructure and almost all the world’s supercomputers being dedicated users.
Lansweeper’s research revealed CentOS is the most widely used (25.6%) followed by Ubuntu (20.8%) and Red Hat (15%). The company did not break out the percentages for users of the numerous other Linux OS distributions in use today.
Lansweeper suggested that businesses demonstrate a disconnect between using Linux for its enhanced security and proactively putting security processes in place.
Two recent Linux vulnerabilities this year — Dirty Pipe in March and Nimbuspwn in April — plus Lansweeper’s new data, show that when it comes to protecting what is under their own roof, businesses are going in blind.
“It’s our belief that most of the devices running Linux are business-critical servers, which are the desired target for cybercriminals, and logic shows that the larger the company grows, the more Linux devices there are that must be protected,” said Roel Decneut, chief strategy officer at Lansweeper.
“With so many versions and ways to install Linux, IT teams are having to grapple with the complexity of tracking and managing the devices as well as trying to keep them protected from cyberattacks,” he explained.
Since its launch in 2004, Lansweeper has been developing a software platform that scans and inventories all types of IT devices, installed software, and active users on a network. This allows organizations to centrally manage their IT.
BitLocker, Linux Dual Booting Not Perfect Together
Microsoft Windows users who want to install a Linux distribution to dual boot on the same computer are now between a technological rock and a Microsoft hard place. They can thank an increased use of Windows BitLocker software for the worsening Linux dual-booting dilemma.
Developers of Linux distros are fighting more challenges in supporting Microsoft’s full-disk encryption on Windows 10 and Windows 11 installations. Fedora/Red Hat engineers noted that the problem is worsened by Microsoft sealing the full-disk encryption key is sealed using the Trusted Platform Module (TPM) hardware.
Fedora’s Anaconda installer along with other Linux distribution installers cannot resize BitLocker volumes. The workaround is first resizing BitLocker volumes within Windows to create enough free space for the Linux volume on the hard drive. That useful detail is not included in what are often flimsy installation instructions for dual-booting Linux.
A related problem complicates the process. The BitLocker encryption key imposes another fatal restriction.
In order to unseal, the key must match the boot chain measurement in the TPM’s Platform Configuration Register (PCR). Using the default settings for GRUB in the boot chain for dual boot setups produces the wrong measurement values.
Users trying to dual boot then get dropped to a BitLocker recovery screen when trying to boot Windows 10/11, according to discussions of the problem on the Fedora mailing list.
Microsoft, Canonical: A Case of Opposites Attract
Canonical and Microsoft have tightened the business knot connecting them with the common goal of better securing the software supply chain.
The two software companies on August 16 announced that native .NET is now available for Ubuntu 22.04 hosts and containers. This collaboration between .NET and Ubuntu provides enterprise-grade support.
The support lets .NET developers install the ASP.NET and .NET SDK runtimes from Ubuntu 22.04 LTS with a single “apt install” command.
See full details here and watch this brief video for the update:
Microsoft Reverses Open-Source App Sales Ban
In what might well be the latest case of Microsoft opening its marketing mouth to insert its stumbling foot, the company recently upset software developers by implementing a ban on the sale of open-source software in its app store. Microsoft has since reversed that decision.
Microsoft had announced new terms for its app store to take effect July 16. The new terms stated that all pricing cannot attempt to profit from open source or other software that is otherwise generally available at no cost. Many software developers and re-distributors of free- and open-source software (FOSS) sell installable versions of their products on the Microsoft Store.
Redmond maintained its new restrictions would solve the problem of “misleading listings.” Microsoft claimed FOSS licenses permit anyone to post a version of a FOSS program written by others.
However, developers pushed back noting the problem is easily solved the same way regular stores solve it — through trademark names. Consumers can tell genuine sources of software products from third-party re-packagers with trademark rules that already exist.
Microsoft has since acquiesced by removing references to open-source pricing restrictions in its store policies. The company clarified that the previous policy was intended to “help protect customers from misleading product listings.”
More information is available in the Microsoft Store Policies document.