2 Decade Old Bug Found in Android Phones, Curiosity Rover

This past weekend, the original creator and coder of the Lempel-Ziv-Oberhumer data compression algorithm Markus Oberhumer revealed that his 20-year old coding project would be receiving a long-awaited update to version 2.07.


Photo: ChromaWise / Shutterstock

The reason for Oberhumer’s sudden announcement is unclear, although he was quick to note a recent discovery of corrupted code within the algorithm could potentially put millions of machines at risk if sysadmins aren’t quick enough to update their files on-site.

The bug first found its way into systems when the LZO was created back in 1994, and apparently laid dormant inside the code for years before anyone discovered a viable way to monetize the exploit and distribute it to underground networks for use on a widespread scale.

“We are talking about code that has existed in the wild for two decades,” Bailey wrote. “The scope of this algorithm touches everything from embedded micro controllers on the Mars Rover, mainframe operating systems, modern day desktops, and mobile phones.”

Programs at the highest risk for infection through the cracked code include media viewing platforms such as VLC player and Handbrake, as well as lesser-known alternatives which utilize similar display codecs such as FFmpeg and Libav.

Other concerning leaks include several exploit paths present in the OpenVPN architecture, as well as Linux microcontrollers which are used on everything from SCADA infrastructure systems to the electronic components inside your car.

The dysfunctional code affects possibly the widest range of devices and digital applications that we’ve seen to date, leaving everything from the phone in your pocket to the Mars Curiosity Rover vulnerable to being compromised through a custom-built backdoor.

The possible attack vectors tied to the hole include denial of service attacks, buffer overflows, and remote code execution exploits which could cripple a system if the default security systems aren’t designed or instructed to keep an eye out for trouble from this particular net-born nasty.

“RCE is possible on multiple architectures and platforms, but absolutely not all. Denial of service is possible on most implementations, but not all. Adjacent object over-write is possible on many architectures.”

Oberhumer was quick to satiate concerns that this could be as big of a problem as it sounds on paper, reassuring reporters that it would take a hefty amount of processing power to first decompress code far enough that it could be take advantage of, and even more on top of that to actually execute an attack and see it through successfully.

Don Bailey from Security Mouse backed this sentiment up, claiming that because the bug has existed for as long as it has and hasn’t been used by anyone of noteworthy value, users shouldn’t be concerned that trouble could show up on their doorstep tomorrow as a result of the new update.

And however unlikely it may be that we’ll see anyone hijacking the controls on interplanetary robots anytime soon, the exploit exemplifies the fact that even the most secure environments and developments processes on Earth can still be vulnerable to basic attacks as long as human error is still an integral part of the overall equation.