While I am not a Linux user personally, I am a big fan of it. However, I am not delusional enough to think that just because a piece of software is open source, it is secure and bug free.
Anyone who thought that should have had those delusions ripped away when the Heartbleed bug was publicized. For those readers not familiar with Heartbleed, Heartbleed is the name given to the bug that affected the wildly popular open source software that implements SSL or HTTPS, the protocol used to protect secure many web sites.
It was thought that the bug affected around a half million to one million ecommerce web sites, many of which still have not been fixed 18 months later.
As popular as this software is, many, many people looked at it and even made contributions to it. Still, this bug lived in the software from December 31, 2011 until a fix was released (but of course released does not mean that people have integrated into software that used the flawed version) on April 7, 2014.
To me, this proves that open source software, no matter the goals and desires of developers, may have security holes in it.
Fast forward to this week.
All versions of Linux released since Kernel version 3.8 (released in early 2013 -about 3 years ago) have a bug in the OS keyring, where encryption keys, security tokens and other sensitive security data is stored.
Whether hackers and foreign intelligence agents knew about this over the last few years or not is unknown, but we expect many Linux variants will release a patch this week.
More importantly, at least some versions of Android, which is based on Linux, also have this bug. The researchers who found the bug said it affected tens of millions of Linux PCs and servers and 66% of all Android phones and tablets.
Google says that it does not think that Android devices are vulnerable to this bug being exploited by third parties and the total number of devices impacted is significantly smaller than the researchers though. In this case, I trust Google researchers. Google will have a patch available within 60 days, but getting that patch through the phone carrier release process could take a while. I call this patch process TOTALLY BROKEN. The only phones that we know will be patched quickly will be Google Nexus phones because Google releases those patches directly.
So, one more time, a major and highly visible piece of open source software is found to have a significant security hole for years. This post talks about two examples, but there are many, many others.
If open source software as popular as Linux and OpenSSL has security holes, imagine the holes that MIGHT live in other, less popular open source software. Some open source software might only be used by tens of people and only be looked at by one person.
The moral of this story is NOT that you should not use open source software; it is no less or more risky than closed source software. The moral is that you should ALWAYS consider the potential risks in using software and to the maximum degree possible, test for and mitigate potential security bugs. And be ready to deal with the new ones when they are found.
Information on the OS Keyring bug can be found here.
Information on Heartbleed can be found here.