As IT workers continue their arduous job of protecting network users from the bad guys, some new tools could help stem the tide of vulnerabilities that keep piling up in open-source and proprietary software.
Canonical and Microsoft reached a new agreement to keep their two cloud platforms running well together. Meanwhile, Microsoft apologized to open-source software developers. But BitLocker made no apology for shutting down Linux users.
Let’s take a look at the latest open-source software industry news.
New open-source tool helps devs spot exploits
Vulnerability management platform firm Rezilion announced on August 12 the availability of its new open-source tool MI-X from its GitHub repository. The CLI tool helps researchers and developers quickly learn whether their containers and hosts are affected by a specific vulnerability, shortening the attack window and supporting an effective remediation plan.
Yotam Perkal, director of vulnerability research at Rezilion, said, “Cyber security vendors, software providers, and CISA are issuing daily vulnerability disclosures alerting the industry to the fact that all software is built with mistakes, which are often immediately detected and should be addressed.”
“With this flow of information, the launch of MI-X provides users with a repository of information to validate the exploitability of specific vulnerabilities, creating greater focus and efficiency around patching efforts,” he added.
“As an active participant in the vulnerability research community, this is an impressive milestone for developers and researchers to collaborate and build together,” Perkal said.
Current tools fail to factor in exploitability as organizations grapple with critical and zero-day vulnerabilities and scramble to understand whether they are affected. It is an ongoing race to find the answer before the threat actor does.
To answer it, organizations need to identify the vulnerability in their environment, determine whether it is actually exploitable there, and only then work out a mitigation and remediation plan.
Current vulnerability scanners take too long to scan, do not factor in exploit potential, and often miss vulnerabilities entirely. This is what happened with the Log4j vulnerability. According to Rezilion, this lack of tooling gives threat actors plenty of time to exploit a flaw and do major damage.
The launch of MI-X is the first in a series of initiatives to foster a community that detects, prioritizes, and addresses software vulnerabilities.
Linux thrives along with growing security crisis
Recent data monitoring of more than 63 million computing devices across 65,000 organizations shows that the Linux OS is alive and well within businesses.
New research from IT asset management software firm Lansweeper shows that even though Linux lacks the widespread popularity of Windows and macOS, a lot of corporate devices still run the Linux operating system.
Scanning data from more than 300,000 Linux devices in approximately 26,000 organizations, Lansweeper also revealed the popularity of each Linux distribution based on the total number of IT assets managed by each organization.
The company released its findings on August 4, noting that around 32.8 million people worldwide use Linux, and that about 90% of all cloud infrastructure and nearly all of the world’s supercomputers run it.
Research by Lansweeper showed that CentOS is the most widely used (25.6%), followed by Ubuntu (20.8%) and Red Hat (15%). The company did not break down the percentages for many of the other Linux distributions in use today.
Lansweeper suggested that businesses exhibit a disconnect between choosing Linux for its enhanced security and proactively putting security processes in place.
Two Linux vulnerabilities this year (Dirty Pipe in March and Nimbuspwn in April), plus the new data from Lansweeper, show that businesses are flying blind when it comes to the security under their own roof.
“It is our belief that the majority of devices running Linux are business-critical servers, which are desired targets for cybercriminals, and the logic suggests that the larger the company, the more Linux devices that need to be protected,” said Roel Decneut, chief strategy officer at Lansweeper.
“With so many versions and ways of installing Linux, IT teams are faced with the complexity of tracking and managing devices as well as trying to keep them safe from cyberattacks,” he explained.
Since its launch in 2004, Lansweeper has been developing a software platform that scans and inventories all types of IT equipment, installed software, and active users on a network. It allows organizations to centrally manage their IT.
BitLocker, Linux Dual Booting Together Isn’t Perfect
Microsoft Windows users who want to install Linux distributions to dual boot on the same computer are now between a technical rock and a Microsoft hard place. They can thank the increased use of Windows BitLocker software for the worsening of the Linux dual-booting dilemma.
Developers of Linux distros are facing more challenges in supporting Microsoft’s full-disk encryption on Windows 10 and Windows 11 installations. The Fedora/Red Hat engineers noted that the problem is made worse by Microsoft sealing the full-disk encryption key to Trusted Platform Module (TPM) hardware.
Fedora’s Anaconda installer, like the installers of other Linux distributions, cannot resize BitLocker volumes. The workaround is to first shrink the BitLocker volume from within Windows to create enough free space for the Linux volume on the disk. This useful detail is not covered in most of the dual-boot installation instructions found online.
A related problem complicates the process further: the BitLocker encryption key imposes another hard restriction.
The key is sealed to the boot-chain measurements recorded in the TPM’s Platform Configuration Registers (PCRs), so it can only be unsealed when the measured boot chain matches the one it was sealed against. Running GRUB with its default settings in the boot chain of a dual-boot setup produces measurement values that no longer match.
According to the discussion of the problem on the Fedora mailing list, dual-boot users who then try to boot Windows 10/11 are left at the BitLocker recovery screen.
Microsoft, Canonical: A Case of Opposites Attract
Canonical and Microsoft have tightened the business knot connecting them with the common goal of better securing the software supply chain.
Both software companies announced on August 16 that native .NET is now available for Ubuntu 22.04 hosts and containers. This collaboration between .NET and Ubuntu provides enterprise-grade support.
The support lets .NET developers install the .NET SDK and the ASP.NET runtime on Ubuntu 22.04 LTS with a single apt install command.
Microsoft reverses open-source app sales ban
In what could be the latest case of Microsoft putting its foot in its mouth, the company recently rattled software developers by banning the sale of open-source software in its App Store. Microsoft has since reversed that decision.
Microsoft had announced new terms for its App Store, effective July 16. The new terms stated that pricing may not attempt to profit from open-source or other software that is otherwise generally available at no cost. Many software developers and re-distributors of free and open-source software (FOSS) sell installable versions of their products in the Microsoft Store.
Redmond said the new restrictions would address the problem of “misleading listings”. Microsoft claimed that FOSS licenses allow anyone to post a version of a FOSS program written by others.
However, developers pushed back, noting that the problem is easily solved the same way regular stores solve it: through trademarked names. Under existing trademark rules, consumers can tell the actual source of a software product apart from third-party re-packagers.
Microsoft has since relented and removed the references to open-source pricing restrictions from its store policies. The company clarified that the previous policy was intended to “help protect customers from misleading product listings”.
More information is available in the Microsoft Store Policies document.