Docker’s container tech has been hit by more security woes, with the revelation that an earlier security patch has led to a brand new vulnerability being discovered in the software.
Docker rolled out version 1.3.2 last month in order to patch a bug that allowed rogue programs to break out of their containers and access image files on the host operating system. But this update has now been supplanted by Docker 1.3.3, and users are being urged to update as soon as possible.
Once again the flaw was discovered by the security researcher Tõnis Tiigi. Writing in a blog post, he explained that Docker 1.3.2 added a new “chroot” sandboxing feature that closed off a vulnerability that could be exploited when uncompressing Docker images. However, the new version introduced another vulnerability, which attackers can exploit by including malicious .xz binaries in image files. This means attackers could potentially execute malicious code with root privileges on affected systems.
Security is unfortunately becoming a sore point for Docker, which has risen to prominence as a simpler alternative to virtualization, especially in the cloud.
Docker has also come under attack from its new rival CoreOS, which builds a lightweight Linux distro designed with containers in mind. Alex Polvi, CEO of CoreOS, claimed that Docker’s security model was “broken”, and that its “Docker-as-a-platform” design was “fundamentally flawed”. As a result, CoreOS is now building its own, alternative container technology called Rocket.
Naturally Docker has brushed off these criticisms, insisting that security is of “paramount importance” as it rolled out two new versions of its software last week. As well as version 1.3.3, it simultaneously introduced Docker version 1.4.0, which contained more than 180 bug fixes.
“In the future, we expect new execution engine plugins to offer more choice and greater granularity for our security-focused users,” said Docker’s Marianna Tessel in a blog post.
According to Tessel, Docker 1.3.3 introduces signed images into its repositories to guard against malicious attacks. Meanwhile, she also proposed a new ‘trust system’ to help customers ensure any images they download are legitimate.
photo credit: Ingrid Taylar via photopin cc