Beneath all the noise generated by the latest security holes in Microsoft’s Windows operating system, experts have warned of two open-source security flaws that could allow intruders to corrupt memory, take control of systems and launch a denial-of-service (DoS) attack.
Software affected by the most serious flaw includes releases of the widely used Sendmail software, a mail transfer agent (MTA) used in many Unix and Linux systems for processing and managing e-mail. The less serious of the two flaws affects computer systems running OpenSSH versions prior to 3.7.1, according to Carnegie Mellon University’s CERT Coordination Center, a security division of the Software Engineering Institute.
While the security issues are considered significant and could be exploited by remote attackers, they do not garner as much attention as Windows vulnerabilities because of a false, underlying belief that open-source software is more secure, Aberdeen vice president Jim Hurley told TechNewsWorld.
“On the face of it, that’s a sophist argument,” Hurley said. “I can’t gauge the veracity of that.”
CERT Internet security analyst Jason Rafail told TechNewsWorld that the more serious Sendmail vulnerability has been proven to be exploitable and will be harder to mitigate than the OpenSSH vulnerability, which also should be addressed because it could allow execution of arbitrary code.
“This is really just a crafted e-mail message, and there just is not a good way to block an e-mail message,” Rafail said of the Sendmail hole. He added that Sendmail software is widely used, making it a large target, but also pointed out that there have not been any reports of attacks that exploit the flaw.
CERT advised users to upgrade to newer versions of the software or patch older versions to address the issues.
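The article gives one concrete, checkable fact about the OpenSSH issue: releases prior to 3.7.1 are affected. The following script is an added example, not code from the article, CERT or the OpenSSH project; it parses the version token that OpenSSH prints from `ssh -V` (on stderr) and that an SSH server announces in its identification line, and reports whether the release predates the 3.7.1 threshold. The sample banners are constructed for an offline run; the portable-release suffix (p1, p2) is deliberately ignored because it does not change the upstream release a fix landed in.

```python
import re
import subprocess
from typing import Optional, Tuple

# Threshold named in the article: OpenSSH releases prior to 3.7.1 are affected.
FIXED_VERSION = (3, 7, 1)

# Matches the version token in both `ssh -V` output ("OpenSSH_3.6.1p2, ...")
# and a server identification line ("SSH-2.0-OpenSSH_3.4p1 ...").
_VERSION_RE = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner, or None if it is not OpenSSH.
    A missing patch component ("3.7p1") is treated as patch 0, so 3.7 < 3.7.1."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_pre_fix_release(banner: str) -> Optional[bool]:
    """True if the banner reports a release older than 3.7.1, False if it is
    3.7.1 or later, None if no OpenSSH version could be parsed (for example
    a different SSH implementation, which this check says nothing about)."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def local_client_banner() -> str:
    """Run `ssh -V`; OpenSSH prints its version string on stderr."""
    result = subprocess.run(["ssh", "-V"], capture_output=True, text=True, check=False)
    return (result.stderr or result.stdout).strip()


# Constructed sample banners (not captured from real hosts) for an offline run.
SAMPLE_BANNERS = [
    "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f",
    "SSH-2.0-OpenSSH_3.7p1",
    "SSH-2.0-OpenSSH_3.7.1p1",
    "OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "SSH-2.0-dropbear_0.52",
]


def audit(banners) -> dict:
    """Classify each banner: True = predates 3.7.1, False = fixed line, None = not OpenSSH."""
    return {b: is_pre_fix_release(b) for b in banners}


if __name__ == "__main__":
    labels = {True: "pre-3.7.1 (upgrade)", False: "3.7.1 or later", None: "not OpenSSH"}
    for banner, flagged in audit(SAMPLE_BANNERS).items():
        print(f"{labels[flagged]:22s} {banner}")
    try:
        print("local client:", local_client_banner())
    except FileNotFoundError:
        print("local client: ssh not installed")
```

The version tuple comparison is what makes the check robust: a naive string comparison would rank "3.7p1" above "3.7.1p1" and miss the unpatched release. A banner that does not mention OpenSSH yields None rather than False, so a host running another implementation is reported as unknown instead of being silently marked safe.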
Blind Trust in Unix
Rafail, who said neither open source nor proprietary software is more secure than the other, indicated that both communities are “quite aware of the issues.”
Hurley, who said he received harsh criticism of his findings that half of last year’s security advisories and bulletins concerned open-source flaws while only a quarter were Windows-related, said the assumption that Unix or other open-source software is inherently more secure is invalid.
“People are just naturally falling into this mindset that says we don’t have to worry about it because it’s Unix,” Hurley told TechNewsWorld, alluding to the widely held belief that open-source software is much more secure than proprietary software. “The noise from Windows is interesting to see. I’m sure everybody’s products are under siege as well, [but non-Windows software flaws] just [go] unreported.”
Hurley said Windows is probably the primary target of software attacks, but he added that most of those efforts are attempts by attackers to draw attention to themselves. He said a more sinister category of attacks involves quiet computer crimes, in which the software or technology platform that is targeted is irrelevant.
“There’s a lot that occurs underneath the radar screen,” Hurley said. “These are things like industrial espionage. It’s rarely discovered, rarely reported and is probably very lucrative to criminal mobs and others.”
Security analysts often have referred to the biggest Windows security breaches — including the computer worms that wreaked havoc last month — as wake-up calls for home and corporate users, but there has been less attention given to open-source attacks.
Still, CERT’s Rafail said there have been some severe vulnerabilities in open-source software that have increased awareness and tightened security. Hurley, who referred to his own November 2002 report as somewhat of a wake-up call for open-source security, disagreed. “I think we’re still waiting for the big problem to hit,” he said.