In the advisory, Red Hat warned that hackers had somehow taken control of its systems by tampering with code. The attack was discovered last week. The intrusion was not systemic and didn't affect the company's content distribution programs. Consequently, malicious code was not uploaded to users of Red Hat's products.
There were early indications that something might be awry on the week of August 12, when scattered reports indicated that Red Hat's flagship Fedora OS was rebooting continually, causing intermittent outages. The culprits have yet to be identified.
The hackers got hold of a small number of OpenSSH packages relating only to Red Hat Enterprise Linux. OpenSSH, or Open Source Secure shell, is a set of programs that provide encrypted code transference over a network using secure shell protocol. OpenSSH is a free software alternative to a commercial solution produced by Finish IT company SSH Communication Security, which patented the SSH protocol technology.
Security experts say that this hack has lasting implications for the Linux movement and open source security.
"It's true that hackers can and will take advantage of a development and distribution program that's not like Windows," said Reuben Davis, a consultant for Affiliated Computer Services, a large IT services outsourcer. "Intruders capitalize on the geek factor of Linux and there are no licensing restrictions or elaborate security programs backed by big R&D teams; it's an anonymous community."
Microsoft Security Engineer Robert Hensing weighed in on the Red Hat security problem in his blog on Friday.
Hensing said he couldn't "imagine what the fallout would be" if programs such as Windows Update and Automatic Update servers "got pwnd [owned] like [RedHat]."
"It's like the package signing server and stuff….[Red Hat] seems to be doing the right thing and are going to issue new signing keys etc. and will hopefully revoke the old ones," he added.
DSA 1576-2: New openssh packages fix predictable randomness
Word 2002 SP3 Subject to Remote Attacks
Tuesday Patch Cycles To Include Risk Assessments