Google Employees to the Rescue with Operation Rosehub

It’s nice to see people coming together to work on a project that will clearly help protect millions if not billions of consumers worldwide. And that’s exactly what we observed last year with Google employees and Operation Rosehub. Some workers dedicated up to 20 percent of their work day helping to patch a critical remote code execution vulnerability, dubbed the “Mad Gadget Vulnerability” that was potentially going to affect thousands of Open Source Projects on Github.

This bug is one that consists of a remote code execution that would allow a hacker a way into the Apache Commons Collection (ACC) library and potentially destroy all that was there. Because the ACC Library is used across several Java applications, all a hacker would need to do is to attack just one system that used it to cause havoc to them all. This same Mad Gadget bug was used to attack more than 2,000 computers used to control the Muni Metro System in San Francisco.

Once the Mad Gadget bug had been disclosed publicly, several companies admitted to having been affected by it and had now patched it into their software. Among these businesses were IBM, Adobe, Oracle, HP, Cisco, Intel, Jenkins, VMWare, SolarWinds, and HP. But, even after it had been patched, one eagle-eyed Google employee spotted that several open source libraries were still using the vulnerable versions of the ACC library. “We recognized that the industry best practices had failed. An action was needed to keep the open source community safe. So rather than simply posting a security advisory asking everyone to address the vulnerability, we formed a task force to update their code for them. That initiative was called Operation Rosehub,” states software engineer, Justine Tunney.

One thing to note also is that according to Open Source Blog, one of the reasons why the Muni Metro System was compromised s down to the fact that their system isn’t open source. If it had of been, Google engineers could have got in and patched it for them and no one would have been none the wiser.

More News To Read