This is just a mistake on Google's part, most likely

Jan 29, 2015 10:24 GMT

Details about a GLIBC vulnerability were published a couple of days ago by a company called Qualys, and the distributions using it have already received patches. Now, it seems that Google knew about this problem, patched it in Chrome OS a year ago, and forgot to say anything to anyone.

Things are pretty clear in the open source world. When someone finds a vulnerability, an exploit, or any other kind of issue, that person or entity usually informs everyone else about it. That's why CVE (Common Vulnerabilities and Exposures) exists: so that everyone can patch their systems accordingly and keep them safe.

All kinds of problems are found almost on a daily basis. Users don't usually hear about them because they are not major issues and they are patched very quickly. This happens in the open source world, with Linux systems and the like. It's a completely different ball game with proprietary software.

From time to time, a big one is found and everyone knows about it. Many of you have heard of Heartbleed or Shellshock. As a general rule, although it's not always true, if you hear about it, then it's probably important. Which brings us to GHOST, a GLIBC vulnerability. Despite what you might think, it's not a really big deal, but that's not the issue here.

Google knew about it since 2014

As usual, Reddit is here to the rescue. A user noticed that a patch for this problem was already present in Chrome OS back in 2014, which begs the question: why are the rest of us just hearing about this now?

Moreover, a German website, heise.de, proved that Chrome OS has had the patch since April 2014, which is actually a problem because it didn't spread any further than that.

"The commit message clearly states they were aware of the vulnerability nature of this fix: 'glibc: backport an nss overflow patch. This backports a patch to fix a nss vulnerability inside glibc.' I'm CC-ing the committer. Maybe we can shed some light on this. Two people having fixed this in different places without crying alarm - it's worrying," wrote journalist Hanno Böck on a security-related mailing list.

Most likely, this is just a mistake and Google didn't do this on purpose, but it does raise another question. How many more of these unreported and solved problems are there?

This is just breaking and Google has yet to say anything. Stay tuned, we might have some more information about this subject soon.