It is time, once again, to look at quick distributor response to security
holes - or the lack thereof. We could start by poking fun at the
distributors which have taken over a week to fix the latest kernel
vulnerability - but we won't. The updates probably
should have come out more
quickly, but, in the end, it was a local denial-of-service vulnerability; it
was not the top priority for a lot of administrators.
Let's look, instead, at a fix that took a little longer. Red Hat, Fedora,
and Whitebox recently sent out advisories for a buffer overrun in the
libpng library; this problem could be exploited by way of a hostile image
to run arbitrary code on a victim's system. These distributors are thus
running just a little behind Debian, which sent out its advisory on December 19, 2002.
In fact, Red Hat had issued an advisory as well. It just turns out that
the problem had not actually been fixed. As a result, Red Hat users were
vulnerable to attackers wielding evil PNG images for over two years. This
is not the quick response time that is a source of such pride for the free
software community.
Of course, one should note that, as far as anybody can tell, not a single
Red Hat user suffered any sort of compromise as a result of this unfixed
bug. It almost certainly could have remained unfixed for another two years
without ill effect. Perhaps the world isn't quite as dangerous as we
sometimes think.
The truth of the matter is that our community finds (and fixes) dozens of
vulnerabilities every year which are unlikely to ever be exploited. These
fixes add to the load of already overworked system administrators and give
ammunition to "alert counters" who like to claim that Linux is less secure
than other operating systems. Perhaps it is time to come out and admit
that many of the patches issued every year are not actually all that
important.
System administrators already prioritize updates as they come in. Remotely
exploitable holes (should) get fixed in a hurry. Vulnerabilities like this week's aspell hole - a buffer overflow
caused by words more than 256 bytes long - can be allowed to sit for a
while. It would be nice if distributors could help out by explicitly
noting the importance of every update. If the truly serious fixes came
with a bright red flag, they might stand out from the noise and be applied
more quickly.
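The aspell hole mentioned above is a classic fixed-buffer overflow: a word longer than the buffer reserved for it is copied in with no length check. The following is an added example written for this page, not aspell's code, showing that pattern in miniature beside its bounded form. The 256-byte WORD_MAX buffer is chosen to match the size named in the text; the function names, the input builder and the sample inputs are constructed for the demonstration. The unchecked copy is measured into an oversized scratch buffer so that the demonstration itself never writes out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WORD_MAX 256       /* fixed word buffer, as in the aspell-style bug */
#define SCRATCH_MAX 1024   /* oversized scratch so the demo itself stays in bounds */

/* Vulnerable pattern: copy a space-delimited word into a fixed buffer with no
 * length check. It writes n+1 bytes for an n-byte word, so any word of
 * WORD_MAX bytes or more overruns a WORD_MAX-byte destination. */
static size_t extract_word_unchecked(const char *text, char *word)
{
    size_t n = 0;
    while (text[n] != '\0' && text[n] != ' ') {
        word[n] = text[n];          /* no bound on n */
        n++;
    }
    word[n] = '\0';
    return n;
}

/* Hardened form: the caller passes the destination capacity, and a word that
 * would not fit together with its terminating NUL is rejected (return -1)
 * rather than overrunning the buffer or being silently truncated. */
static int extract_word_bounded(const char *text, char *word, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    while (text[n] != '\0' && text[n] != ' ') {
        if (n + 1 >= cap) {         /* no room left for this byte plus the NUL */
            word[0] = '\0';
            return -1;
        }
        word[n] = text[n];
        n++;
    }
    word[n] = '\0';
    return (int)n;
}

/* Constructed input: `len` copies of 'a' followed by " next" and a NUL. */
static void make_input(char *buf, size_t buflen, size_t len)
{
    if (len + 6 > buflen)
        len = buflen - 6;           /* keep the constructed text in bounds */
    memset(buf, 'a', len);
    memcpy(buf + len, " next", 6);  /* the 6 bytes include the NUL */
}

/* Bytes the unchecked copy writes (word plus NUL) for a word of `len` bytes,
 * measured into a large scratch buffer so the measurement is safe. */
size_t unchecked_bytes_written(size_t len)
{
    char text[SCRATCH_MAX];
    char scratch[SCRATCH_MAX];
    make_input(text, sizeof text, len);
    return extract_word_unchecked(text, scratch) + 1;
}

/* Result of the bounded copy into a real WORD_MAX buffer: word length or -1. */
int bounded_result(size_t len)
{
    char text[SCRATCH_MAX];
    char word[WORD_MAX];
    make_input(text, sizeof text, len);
    return extract_word_bounded(text, word, sizeof word);
}

int main(void)
{
    printf("200-byte word: unchecked writes %zu bytes, bounded returns %d\n",
           unchecked_bytes_written(200), bounded_result(200));
    printf("300-byte word: unchecked writes %zu bytes into a %d-byte buffer, "
           "bounded returns %d\n",
           unchecked_bytes_written(300), WORD_MAX, bounded_result(300));
    return 0;
}
```

The point to notice is the off-by-one at the boundary: a 255-byte word is the longest that fits in a 256-byte buffer once the terminator is counted, and a 256-byte word already writes one byte past the end in the unchecked version. Whether such an overrun is reachable from a remote input (a document fed to a spell checker, an image fed to a library) is exactly the question that decides how urgently the fix needs to be applied.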
There are some obvious problems with this idea. Some truly serious
vulnerabilities are not seen as such when they are originally fixed. In certain
litigious countries, nobody wants to be exposed to lawsuits from users who
were broken into by way of a "non-urgent" vulnerability. These issues
would need to be addressed, but the fact remains: we are not necessarily
helping ourselves by treating all updates as if they were equally important.
The 9th European Symposium on Research in Computer Security (ESORICS 2004) is happening
September 13 to 15 in Sophia Antipolis, France. The preliminary
program has been posted.
The Seventh International Symposium on
Recent Advances in Intrusion Detection (RAID 2004) is scheduled for September 15
to 17 in Sophia Antipolis, France, immediately after ESORICS
2004. Speakers include Bruce Schneier; the program has been posted.
Registration is now open for the Usenix Security Symposium, happening in
San Diego on August 9 to 13.