One thing we truly do better

This eEye alert describes what looks like a fairly run-of-the-mill Microsoft vulnerability. It is a buffer overflow in the ASN.1 library; the list of software affected includes a few small things like NT 4.0, Windows 2000, Windows XP, Internet Explorer, Outlook, IIS, etc. It is said to be difficult to exploit, but that is not a statement that will bring comfort to many.

The interesting thing is that eEye claims to have reported this vulnerability to Microsoft in July 2003. Microsoft has only now responded with a fix. In other words, the company left its customers open to a known security bug for a good six months.

Free software suffers from far too many security vulnerabilities as well. Some of them are truly serious. Many of them are embarrassing. But it is rare indeed for a hole to remain unclosed for such a long time. Free software developers will, almost without exception, respond to problems much more quickly than that. They know that, should they fail to respond, the community will simply fix the problem for them. We have a lot of ground to cover before our security is even remotely good enough, but that should not stop us from taking some pride in the things we do right.


One thing we truly do better

Posted Feb 12, 2004 7:46 UTC (Thu) by error27 (subscriber, #8346)

>> It is said to be difficult to exploit

Everyone says that about any buffer overflows in their code. :P

One thing we truly do better

Posted Feb 12, 2004 10:09 UTC (Thu) by olf (guest, #2126)

When was the last time MSFT claimed to fix security holes faster than the OSS community?

One thing we truly do better

Posted Feb 12, 2004 16:43 UTC (Thu) by bjn (guest, #2179)

> Free software developers will, almost without exception, respond to problems much more quickly than that.

What's very interesting in this case is that the ASN.1 vulnerability is the same one that Unix and Linux OSes already worked through... about four months ago. Everyone is sharing the same buggy ASN.1 reference implementation, including Microsoft. See:

RHSA-2003-292

This is about the best apples-to-apples comparison of open source to Microsoft we're going to get on a security issue, and yes, open source had it fixed many months before Microsoft did.

ASN.1 problems

Posted Feb 13, 2004 15:34 UTC (Fri) by pflugstad (subscriber, #224)

And that's actually only the latest in a long string of ASN.1 problems. SNMP uses ASN.1 and a whole series of problems with ASN.1/SNMP parsing came up back in early 2002:

http://www.kb.cert.org/vuls/id/107186
http://www.kb.cert.org/vuls/id/854306

One thing we truly do better

Posted Feb 18, 2004 20:46 UTC (Wed) by crouchet (guest, #1084)

I don't know if anyone has done any comparison where the bugs/holes were broken down by severity, but I maintain both sorts of systems and I feel that I see a high percentage of "a legitimate user can use this to escalate his privileges" type of holes in Linux and a lot more "a stranger can use this to take total control of your system" type holes in Windows.

I realize both are serious, and on multiuser systems the internal attacker can be a big threat, but it seems to me that leaving a system open to the script kiddies, worm writers and other attackers on the internet is the bigger problem.

JC

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.