While Mark Karpeles has insisted that the Bitcoin protocol has a flaw that could wound the system, and the community has called him incompetent, some hackers and IT specialists have succeeded in determining a real drawback in the code. It is a vulnerability in the Linux GnuTLS package, capable of reducing the level of security and affecting coins stored online. It does not harm the Bitcoin daemon or wallet software, but it can affect third-party applications connected to the cryptocurrency, as they might be built on the package in question.
GnuTLS is an SSL/TLS library commonly used for socket encryption. Almost all Linux distributions that use the package are more or less vulnerable, much as MacOS was recently open to the Pony botnet. That leak allowed the theft of numerous login credentials and more than 200,000 dollars. The Linux weak point might lead to similar losses if no action is taken.
Ubuntu Security Notices revealed the name of the discoverer of the flaw and published a statement:
“Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly handled certificate verification functions. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited with specially crafted certificates to view sensitive information. CVE-2014-0092.”
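The mistake behind CVE-2014-0092 was a control-flow slip in GnuTLS's X.509 verification code: helper functions whose contract was a yes/no answer ("is this certificate a CA", "does this chain verify") returned a negative error code through their shared cleanup path when a certificate could not be parsed, and callers that only rejected a result of zero took that negative value as a yes. The C program below is an illustration added to this article, not code from GnuTLS, from Ubuntu or from the author; it reproduces the pattern on a constructed stand-in certificate structure next to the corrected form. The names cert_t, get_basic_constraints, ERR_EXT_NOT_FOUND, check_if_ca_vulnerable, check_if_ca_fixed and issuer_accepted are hypothetical.

```c
#include <stdio.h>

/* Constructed stand-in for a certificate: only the fields the check looks at. */
typedef struct {
    int basic_constraints_present;  /* 1 if the extension could be parsed */
    int is_ca;                      /* CA bit, meaningful only when present */
} cert_t;

/* Hypothetical error code, following the negative-error convention. */
#define ERR_EXT_NOT_FOUND (-5)

/* Stand-in for reading the extension: negative on error, else 0 with ca_out set. */
static int get_basic_constraints(const cert_t *c, int *ca_out) {
    if (!c->basic_constraints_present)
        return ERR_EXT_NOT_FOUND;
    *ca_out = c->is_ca;
    return 0;
}

/* VULNERABLE pattern: the contract is boolean (1 = CA, 0 = not a CA), but the
 * error path jumps to cleanup and returns the negative error code unchanged.
 * A caller that only rejects 0 treats the negative value as "is a CA". */
int check_if_ca_vulnerable(const cert_t *c) {
    int result, ca = 0;
    result = get_basic_constraints(c, &ca);
    if (result < 0)
        goto cleanup;
    result = ca ? 1 : 0;
cleanup:
    return result;   /* may be negative: non-zero, so "true" to a boolean caller */
}

/* HARDENED pattern: every error collapses to the failing answer, 0. */
int check_if_ca_fixed(const cert_t *c) {
    int result, ca = 0;
    result = get_basic_constraints(c, &ca);
    if (result < 0)
        goto fail;
    return ca ? 1 : 0;
fail:
    return 0;
}

/* A caller written the way such verification code naturally reads:
 * anything other than 0 is taken as acceptance. */
int issuer_accepted(const cert_t *issuer, int (*check)(const cert_t *)) {
    return check(issuer) ? 1 : 0;
}

int main(void) {
    cert_t malformed = {0, 0};  /* constructed: extension cannot be read */
    printf("vulnerable: returns %d, issuer accepted = %d\n",
           check_if_ca_vulnerable(&malformed),
           issuer_accepted(&malformed, check_if_ca_vulnerable));
    printf("fixed:      returns %d, issuer accepted = %d\n",
           check_if_ca_fixed(&malformed),
           issuer_accepted(&malformed, check_if_ca_fixed));
    return 0;
}
```

The defensive lesson is in the second function: a function whose callers read it as a boolean must never let an error code escape through the boolean channel, so the error path should resolve to the rejecting value rather than to whatever the last call returned.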
Prescriptions for the Infected
The discovery is only part of the recovery; some actions have to be completed to restore the machines to a safe working mode. The analysis has shown that this weak link of Linux is the biggest ever found. However, some solutions can already be found on the network.
Let us simplify the task and sum up the advice given by advanced developers:
Upgrade all Linux packages; make sure nothing obsolete has been left behind.
If some of them cannot be upgraded because support is missing, do not perform transactions from the affected machine.
Manually upgrade to GnuTLS 3.2.12.
Take into account that the way Linux is organised means the maintainers need some extra time to implement the fixes in all packages and repositories.
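The third step names the fixed release. The C program below is an example added to this article, not code from GnuTLS or from the author; it compares a version string against that release the way GnuTLS's own gnutls_check_version() does (that real API returns NULL when the linked library is older than the version asked for), but is self-contained so it runs without linking GnuTLS. The names parse_version, version_at_least, gnutls_is_patched and GNUTLS_FIXED_VERSION are hypothetical, and the sample version strings are constructed. In practice the installed string would come from `gnutls-cli --version` or from gnutls_check_version(NULL) in a program linked against the library.

```c
#include <stdio.h>
#include <stdlib.h>

/* Parse up to three dotted numeric components ("3.2.11", "3.1").
 * Missing components count as 0. Returns 1 on success, 0 if the
 * string is malformed or has more than three components. */
static int parse_version(const char *s, int out[3]) {
    int n = 0;
    const char *p = s;
    out[0] = out[1] = out[2] = 0;
    while (n < 3) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0)
            return 0;               /* no digits, or negative */
        out[n++] = (int)v;
        if (*end == '\0')
            return 1;               /* consumed the whole string */
        if (*end != '.')
            return 0;               /* unexpected character */
        p = end + 1;
    }
    return 0;                       /* fourth component: treat as malformed */
}

/* Returns 1 if installed >= required, 0 if below, -1 if either string is malformed. */
int version_at_least(const char *installed, const char *required) {
    int a[3], b[3];
    if (!parse_version(installed, a) || !parse_version(required, b))
        return -1;
    for (int i = 0; i < 3; i++) {
        if (a[i] != b[i])
            return a[i] > b[i];
    }
    return 1;                       /* identical versions */
}

/* Upstream release that carries the fix, as stated in the advice above. */
#define GNUTLS_FIXED_VERSION "3.2.12"

/* 1 only when the version parses and is at or above the fixed release;
 * a malformed string is deliberately reported as not patched. */
int gnutls_is_patched(const char *installed) {
    return version_at_least(installed, GNUTLS_FIXED_VERSION) == 1;
}

int main(void) {
    /* Constructed sample inputs, not readings from any real machine. */
    const char *samples[] = {"3.2.11", "3.2.12", "3.3.0", "2.12.23", "garbage"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", samples[i],
               gnutls_is_patched(samples[i]) ? "at or above 3.2.12"
                                             : "BELOW 3.2.12 or unparseable");
    return 0;
}
```

One caveat for the upgrade step: distributions commonly backport a security fix into the package version they already ship rather than moving to the upstream release, so a distribution package reporting a number below 3.2.12 may still be fixed; for such packages the distribution's security notice (such as the Ubuntu notice quoted above) and the package changelog are the authority, not the upstream number alone.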
Users in Safety
Speaking plainly on the matter: operating systems like Microsoft Windows and Google Android are unharmed. Their standard set does not include GnuTLS by default, but make sure that no applications you added yourself are running such packages. If some are found, security might be weakened.