Bad for OSS/FS? Certainly no evidence that proprietary will save us!
Posted Sep 17, 2003 18:31 UTC (Wed) by dwheeler
Parent article: Remotely exploitable sendmail vulnerability
Any vulnerability in an OSS/FS product - or a proprietary product -
is too many.
I hope that some day such reports will be rare.
However, that day is not now, and I think you're failing to
keep things in perspective when comparing the security
problems of OSS/FS programs with proprietary programs.
Yes, these remote vulnerabilities in Sendmail and OpenSSH are bad.
However, neither are mandatory system services, they're easy to
stop/patch/restart without rebooting, and in many distributions
(such as Red Hat's) neither are enabled by default.
Compare this with the proprietary world:
nearly EVERY recent Windows system is vulnerable to the RPC vulnerabilities, and after all the effort to patch it, another
set was found in essentially the same subsystem.
And how about the mega-viruses?
Microsoft still enables unnecessary services, fails
to firewall each system by default, still sends around
salt-less passwords, and so on, so that they're "insecure by default".
And we all pay for it.
Take a look at
the Qualys Vulnerability RV10 (Real-Time Top Ten Vulnerabilities)
On September 17, 2003 it reports these as the
Microsoft IIS CGI Filename Decode Error Vulnerability CVE-2001-0333
Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability CVE-2001-0500
Microsoft IIS Malformed HTR Request Buffer Overflow Vulnerability CVE-2002-0071
Apache Chunked-Encoding Memory Corruption Vulnerability CVE-2002-0392
Microsoft Windows DCOM RPCSS Service Vulnerabilities CAN-2003-0528
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability CAN-2003-0109
Sendmail Address Prescan Possible Memory Corruption Vulnerability CAN-2003-0161
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability CAN-2003-0352
SSL Server Has SSLv2 Enabled Vulnerability No CVE assigned
Writeable SNMP Information No CVE assigned
The last 2 don't seem to be specific to OSS/FS or proprietary programs.
6 of the remaining 8 are unique to Microsoft (proprietary).
Heck, 4 are specific to IIS, and Apache has twice the market penetration in the same market according to Netcraft statistics.
And that's not including the many viruses that are endemic
to Microsoft Outlook users.
Only 2 of the 8 are OSS/FS (Apache and Sendmail).
Yes, this is just a snapshot, and really slightly delayed because
it takes time to write detectors for new problems.
But I think there's good evidence that this week is not
a worse week for OSS/FS compared to proprietary.
Indeed, it looks like proprietary's doing worse this week.
Yes, the OSS/FS vulnerabilities announced are bad... but it's not
like you can run to the #1 proprietary vendor (Microsoft) for cover.
And I hate to say it, but Sendmail has an abysmal security record.
I recommend that people switch to something else for a while
for security reasons, until we can be more confident in it.
Postfix is a popular (and good) OSS/FS alternative, with a better record.
Indeed, there are lots of MTA alternatives, which is good -
as long as you're not relying on proprietary extensions, you can
quickly switch to a more secure product.
Being able to switch away from a product is a good thing.
The notion that a particular development approach makes developers
immune from flaws is absurd.
But it's certainly worthwhile looking at a particular product's
track record and saying, "is this worth depending on? what are
There's an old joke: 2 men in the woods are surprised by an
attacking bear. One ties his shoes, and the other says,
"Why bother? The bear can outrun us!". The first man says,
"I don't have to outrun the bear - I just have to outrun you."
I would like all software developers (OSS/FS and proprietary)
to think about trying to "outrun the other guy" in terms of their
Our world would quickly become a more secure place.