Beneath all the noise generated by the latest security holes in Microsoft’s Windows operating system, experts have warned of two open-source security flaws that could allow intruders to corrupt memory, take control of systems and launch a denial-of-service (DoS) attack.
Software affected by the most serious flaw includes releases of the widely used Sendmail software, a mail transfer agent (MTA) used in many Unix and Linux systems for processing and managing e-mail. The less serious of the two flaws affects computer systems running OpenSSH versions prior to 3.7.1, according to Carnegie Mellon University’s CERT Coordination Center, a security division of the Software Engineering Institute.
While the security issues are considered significant and could be exploited by remote attackers, they do not garner as much attention as Windows vulnerabilities because of a false, underlying belief that open-source software is more secure, Aberdeen vice president Jim Hurley told TechNewsWorld.
“On the face of it, that’s a sophist argument,” Hurley said. “I can’t gauge the veracity of that.”
CERT Internet security analyst Jason Rafail told TechNewsWorld that the more serious Sendmail vulnerability has been proven to be exploitable and will be harder to mitigate than the OpenSSH vulnerability, which also should be addressed because it could allow execution of arbitrary code.
“This is really just a crafted e-mail message, and there just is not a good way to block an e-mail message,” Rafail said of the Sendmail hole. He added that Sendmail software is widely used, making it a large target, but also pointed out that there have not been any reports of attacks that exploit the flaw.
CERT advised users to upgrade to newer versions of the software or patch older versions to address the issues.
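The CERT version threshold quoted above (OpenSSH prior to 3.7.1) lends itself to an inventory check. As an added example, not from the article or from CERT, this Python snippet parses OpenSSH banners from a constructed host list and flags releases older than 3.7.1; the hostnames and banners are made up.

```python
import re

# Minimum safe OpenSSH release named in the CERT advisory.
MIN_SAFE = (3, 7, 1)

# Constructed sample banners for illustration; hostnames are placeholders,
# not real systems.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_3.6.1p2",
    "host-b": "SSH-1.99-OpenSSH_3.7.1p1",
    "host-c": "SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1",
    "host-d": "SSH-2.0-OpenSSH_4.0",
    "host-e": "SSH-2.0-dropbear_0.44",
}

# Matches "OpenSSH_3.6.1p2", "OpenSSH_3.4p1", "OpenSSH_4.0"; the "pN" suffix is
# the portable-release number and does not change the upstream release.
BANNER_RE = re.compile(r"OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?")


def parse_openssh_version(banner):
    """Return (major, minor, patch) from an SSH banner, or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(banner, min_safe=MIN_SAFE):
    """True if the banner reports an OpenSSH release below min_safe,
    False if at or above it, None if the server is not OpenSSH."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < min_safe


def triage(banners):
    """Map each host to 'vulnerable', 'ok' or 'unknown' for manual follow-up.
    Caveat: distributions sometimes backport fixes without raising the
    version number, so a 'vulnerable' verdict should be confirmed against
    the installed package before acting on it."""
    labels = {True: "vulnerable", False: "ok", None: "unknown"}
    return {host: labels[is_vulnerable(b)] for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {verdict}")
```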
Blind Trust in Unix
Rafail, who said neither open source nor proprietary software is more secure than the other, indicated that both communities are “quite aware of the issues.”
Hurley, who said his findings that half of last year’s security advisories and bulletins concerned open-source flaws while only a quarter were Windows-related had drawn harsh criticism, said the assumption that Unix or other open-source software is more secure is invalid.
“People are just naturally falling into this mindset that says we don’t have to worry about it because it’s Unix,” Hurley told TechNewsWorld, alluding to the widely held belief that open-source software is much more secure than proprietary software. “The noise from Windows is interesting to see. I’m sure everybody’s products are under siege as well, [but non-Windows software flaws] just [go] unreported.”
Hurley said Windows is probably the primary target of software attacks, but he added that most of those efforts are attempts by attackers to draw attention to themselves. He said a more sinister category of attacks involves quiet computer crimes, in which the software or technology platform that is targeted is irrelevant.
“There’s a lot that occurs underneath the radar screen,” Hurley said. “These are things like industrial espionage. It’s rarely discovered, rarely reported and is probably very lucrative to criminal mobs and others.”
Security analysts often have referred to the biggest Windows security breaches — including the computer worms that wreaked havoc last month — as wake-up calls for home and corporate users, but there has been less attention given to open-source attacks.
Still, CERT’s Rafail said there have been some severe vulnerabilities in open-source software that have increased awareness and tightened security. Hurley, who referred to his own November 2002 report as somewhat of a wake-up call for open-source security, disagreed. “I think we’re still waiting for the big problem to hit,” he said.
The open source community is and has always been aware of bugs in their software and has never denied there are any. This is software, software has bugs. Security is not only about NOT having bugs but about the way and the speed the users are informed about them and the speed and the quality of _fixes_. Microsoft has been known for being extremely lazy and careless about fixing (and introducing) bugs in their software – some of them have been left untouched for years before a patch appeared. Add to this the arrogance of this company, which has the guts to inform their users that the software they vend is secure.

As you say, there exists a notion (a legend) in the community that Unix is more secure, but the notion is not forced upon people by any (or at least not many) Unix vendor out there; instead the Unix/OpenSource community is taking every measure to fix and inform its clientele about the security hazards in the software. Sendmail, which you mention as an example, has been known to be buggy for more years than OpenSource security has existed. I would recommend reading a book titled "Cuckoo’s Egg" which, among others, tells a story of the first Internet worm which was spreading all across the Internet in the ’80s using… a flaw in sendmail.

Having said that, please take a look also at another issue – flaws in the Microsoft software are much more exposed to exploitation since they are found in the very core of the MS operating systems, in the software that is ubiquitously used on every MS desktop (Outlook, Internet Explorer), which, paired with the inherent insecurity of the MS OS design (there is no real separation of the userspace from the kernel space – transitions are many and insecure), leads to a much graver impact of the bugs than the bugs exposed in (most) of the Open Source software. OpenSSH is a key element of the OS, but it is _not_ part of the OS core (the kernel, whatever it is – freebsd, openbsd, netbsd, linux, solaris, hp-ux etc. etc.).

I have yet to see a good analysis and comparison of the gravity of MS vs OpenSource bugs followed by the comparison of the speed the bugs are fixed in – not in the span of months but in the span of the last 10 years. I hope you will be the first person to report about such analysis. To recap – software is buggy and it will always be, but the security lies in the way the bugs are handled and in the security awareness of the software users. Training users to blindly download patches from Windows Update is far from educating them about the problems and hazards.