Bad for OSS/FS? Certainly no evidence that proprietary will save us!

Posted Sep 17, 2003 18:31 UTC (Wed) by dwheeler (guest, #1216)
Parent article: Remotely exploitable sendmail vulnerability

Any vulnerability in an OSS/FS product - or a proprietary product - is too many. I hope that some day such reports will be rare.

However, that day is not now, and I think you're failing to keep things in perspective when comparing the security problems of OSS/FS programs with proprietary programs. Yes, these remote vulnerabilities in Sendmail and OpenSSH are bad. However, neither are mandatory system services, they're easy to stop/patch/restart without rebooting, and in many distributions (such as Red Hat's) neither are enabled by default. Compare this with the proprietary world: nearly EVERY recent Windows system is vulnerable to the RPC vulnerabilities, and after all the effort to patch it, another set was found in essentially the same subsystem. And how about the mega-viruses? Microsoft still enables unnecessary services, fails to firewall each system by default, still sends around salt-less passwords, and so on, so that they're "insecure by default". And we all pay for it.

Take a look at the Qualys Vulnerability RV10 (Real-Time Top Ten Vulnerabilities). On September 17, 2003 it reports these as the top vulnerabilities:

Microsoft IIS CGI Filename Decode Error Vulnerability CVE-2001-0333
Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability CVE-2001-0500
Microsoft IIS Malformed HTR Request Buffer Overflow Vulnerability CVE-2002-0071
Apache Chunked-Encoding Memory Corruption Vulnerability CVE-2002-0392
Microsoft Windows DCOM RPCSS Service Vulnerabilities CAN-2003-0528
Microsoft Windows 2000 IIS WebDAV Buffer Overflow Vulnerability CAN-2003-0109
Sendmail Address Prescan Possible Memory Corruption Vulnerability CAN-2003-0161
Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability CAN-2003-0352
SSL Server Has SSLv2 Enabled Vulnerability No CVE assigned
Writeable SNMP Information No CVE assigned

The last 2 don't seem to be specific to OSS/FS or proprietary programs. 6 of the remaining 8 are unique to Microsoft (proprietary). Heck, 4 are specific to IIS, and Apache has twice the market penetration in the same market according to Netcraft statistics. And that's not including the many viruses that are endemic to Microsoft Outlook users. Only 2 of the 8 are OSS/FS (Apache and Sendmail). Yes, this is just a snapshot, and really slightly delayed because it takes time to write detectors for new problems. But I think there's good evidence that this week is not a worse week for OSS/FS compared to proprietary. Indeed, it looks like proprietary's doing worse this week. Yes, the OSS/FS vulnerabilities announced are bad... but it's not like you can run to the #1 proprietary vendor (Microsoft) for cover.

And I hate to say it, but Sendmail has an abysmal security record. I recommend that people switch to something else for a while for security reasons, until we can be more confident in it. Postfix is a popular (and good) OSS/FS alternative, with a better record. Indeed, there are lots of MTA alternatives, which is good - as long as you're not relying on proprietary extensions, you can quickly switch to a more secure product. Being able to switch away from a product is a good thing.

The notion that a particular development approach makes developers immune from flaws is absurd. But it's certainly worthwhile looking at a particular product's track record and saying, "is this worth depending on? what are my alternatives?"

There's an old joke: 2 men in the woods are surprised by an attacking bear. One ties his shoes, and the other says, "Why bother? The bear can outrun us!". The first man says, "I don't have to outrun the bear - I just have to outrun you." I would like all software developers (OSS/FS and proprietary) to think about trying to "outrun the other guy" in terms of their security. Our world would quickly become a more secure place.



Bad for OSS/FS? Certainly no evidence that proprietary will save us!

Posted Sep 17, 2003 19:50 UTC (Wed) by chip (subscriber, #8258)

I think you're being too gentle. Any system of any worth for intruders is likely to run ssh. And sendmail is still the most popular MTA (which mystifies me no end).

Bad for OSS/FS? Certainly no evidence that proprietary will save us!

Posted Sep 17, 2003 21:08 UTC (Wed) by ksmathers (guest, #2353)

I think you're being too gentle. Any system of any worth for intruders is likely to run ssh. And sendmail is still the most popular MTA (which mystifies me no end).

Ahhh, sendmail. Sendmail is most popular because a) that is what the distributions ship, b) it has been around the longest, and c) it is more flexible than anything else you can imagine. As a rule-based programming language in its own right, Sendmail can be distorted into all kinds of bizarre uses, with the result that it is unfortunately very difficult to get rid of.

Now please excuse me while I go patch my mailserver.

Bad for OSS/FS? Certainly no evidence that proprietary will save us!

Posted Sep 17, 2003 20:38 UTC (Wed) by proski (subscriber, #104)

The notion that a particular development approach makes developers immune from flaws is absurd.
It's absurd to make such blanket statements. There are methods for formal software verification of software against the specification. They may be time consuming and impractical for today's real life projects, but progress is being made. When it comes to software like ssh and mail software, there is so much at stake that I expect some of those methods to be used in the near future if they are not being used already.

Software used on life support systems or power plants doesn't just need to be "best in class", it needs to meet the specification. Some attackers are not as stupid as the bear from your story. They aim at the most protected systems to maximize damage, not at the easiest system to break into.

Bad for OSS/FS? Certainly no evidence that proprietary will save us!

Posted Sep 18, 2003 1:41 UTC (Thu) by jtc (subscriber, #6246)

There are methods for formal software verification of software against the specification.

And there are languages that provide advanced features to support formal verification, such as Eiffel, with its unique programming-by-contract mechanism. Unfortunately, most developers, even very skilled and talented ones, tend to be set in their ways and would often rather stick with the tools they're used to rather than look for something that may be more effective for the job at hand.
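
As an added illustration of the programming-by-contract idea mentioned above (my own example, not Eiffel and not code from anyone in this thread), the Python below implements preconditions, postconditions and a class invariant as decorators and applies them to a constructed, hypothetical address-scanning routine that copies into a fixed-capacity buffer. The point is that a violated assumption about buffer capacity fails loudly at the call boundary, which is the kind of property a contract lets a verifier (or a test) pin down, instead of silently corrupting memory as a fixed-size C array would.

```python
"""Design-by-contract in Python: added example, not the thread's own code.
The BoundedBuffer class and prescan_address() are constructed stand-ins,
not sendmail's prescan() logic."""
import functools


class ContractError(AssertionError):
    """Raised when a precondition, postcondition or invariant is violated."""


def require(predicate, message):
    """Precondition decorator: checks the call's arguments before the body runs."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if not predicate(*args, **kwargs):
                raise ContractError(f"precondition failed in {fn.__name__}: {message}")
            return fn(*args, **kwargs)
        return wrapper
    return deco


def ensure(predicate, message):
    """Postcondition decorator: checks the result (and arguments) after the body ran."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            result = fn(*args, **kwargs)
            if not predicate(result, *args, **kwargs):
                raise ContractError(f"postcondition failed in {fn.__name__}: {message}")
            return result
        return wrapper
    return deco


class BoundedBuffer:
    """Fixed-capacity byte buffer (hypothetical stand-in for a fixed-size C array).
    Invariant: the buffer never holds more bytes than its capacity."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.data = bytearray()
        self._check_invariant()

    def _check_invariant(self):
        if len(self.data) > self.capacity:
            raise ContractError("invariant failed: buffer exceeds capacity")

    # Precondition: the chunk must fit. Without it, a C-style append would
    # write past the end; here the contract rejects the call instead.
    @require(lambda self, chunk: len(self.data) + len(chunk) <= self.capacity,
             "chunk must fit in remaining capacity")
    def append(self, chunk):
        self.data.extend(chunk)
        self._check_invariant()
        return len(self.data)


@require(lambda addr, limit: isinstance(addr, str) and limit > 0,
         "address must be a string and limit must be positive")
@ensure(lambda result, addr, limit: len(result) <= limit,
        "scanned token never exceeds the caller's limit")
def prescan_address(addr, limit):
    """Copy the leading token of an address into a buffer of `limit` bytes,
    stopping at the first whitespace or comment delimiter. Constructed example."""
    buf = BoundedBuffer(limit)
    for ch in addr:
        if ch in " \t(":
            break
        buf.append(ch.encode())
    return bytes(buf.data).decode()
```

Calling `prescan_address("user@example.com (Comment)", 64)` returns `"user@example.com"`; calling it with a 100-character token and a limit of 64 raises `ContractError` from the `append` precondition on the 65th byte, and a non-positive limit is rejected before the body runs at all. The contracts are ordinary runtime checks here; a language such as Eiffel makes them part of the routine's declared interface, which is what allows tools to reason about them statically.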

Bad for OSS/FS? Certainly no evidence that proprietary will save us!

Posted Sep 18, 2003 3:03 UTC (Thu) by arcticwolf (guest, #8341)

Unfortunately, though, verifying (and proving) that the source code of a program is correct is not enough; you also need to verify both the source *and* the machine code of the compiler being used if you definitely want to be on the safe side. There was an interesting demonstration of this a couple of years ago; I don't recall who did it anymore right now, but with a bit of Googling, it should be possible to find out.

Bad for OSS/FS? Certainly no evidence that proprietary will save us!

Posted Sep 18, 2003 15:31 UTC (Thu) by proski (subscriber, #104)

True, but that's the easier part. Verification of logic is much harder than checks to prevent deliberate contamination of the toolchain.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds