Tag Archives: open source

Open Source is NOT Bug Free

Linux

There are those in the open source fan world who suggest that open source (and typically free) software is best because, since the source code is available, anyone can look for bugs and fix them, resulting in bug-free software.

The reality is not quite so simple.

While it is technically true that anyone can look at the code, it does not follow that anyone actually does, or that they find everything.  Time and time again we run into very popular open source software with bugs – software like OpenSSL, which is installed on millions of computers.

That does not mean that open source software is bad or overly buggy. It just means that it is software, and all software needs to be validated.

And it also means that even when software is tested, it is not bug free.

OK, with that preamble, what are we dealing with today?

Google has an internal hacking team called Project Zero that tries to break all kinds of software – including but not limited to Google’s own.  This week team member Andrey Konovalov was probing the USB drivers in the Linux kernel.

When someone mentions the words BUG and KERNEL in the same sentence, it should get your attention.  The kernel is the most privileged and most sensitive part of any operating system: a bug there is reachable from a plugged-in USB device and, if exploitable, hands over the whole machine.

Andrey identified 14 bugs in the USB drivers that have been assigned CVE identifiers so far.  He has also requested another 7 identifiers for additional vulnerabilities he has found.  On top of this, he says there are probably another 20 that have not been fully researched yet.  That puts the number of likely bugs in a very sensitive part of the Linux OS at around 40.
</gml_replace>
<gr_replace lines="29-31" cat="clarify" orig="Also, it is important">
Also, it is important to remember that Linux is an INCREDIBLY popular piece of open source software, used by hundreds of millions of people (it is the core of every Android phone).  If it is not bug free, is it reasonable to think that some other piece of open source software used by tens of people IS bug free?  I don’t think so.

So, as with everything else, caveat emptor is the appropriate response.

And remember, this is just in one part of the operating system.

So the next time someone tells you that open source means bug free, you can pull out a copy of this post.

Also, it is important to remember that Linux is an INCREDIBLY popular piece of open source software, used by hundreds of millions of people (It is the core of all Android phones).  If it is not bug free, is it reasonable to think that some other piece of open source software used by 10s of people IS bug free?  I don’t think so.

So, like with everything else, Caveat Emptor is appropriate response.

Information for this post came from Bleeping Computer and The Register.


OpenSSL: Here We Go Again

UPDATE:  The details are out.  Under certain circumstances, an attacker can get OpenSSL to accept a fraudulent HTTPS certificate as valid.  This does not affect the major browsers, which do not rely on OpenSSL to validate certificates, but rather the second- and third-tier software that uses OpenSSL behind the scenes.  Likely, you don’t even know all the places that OpenSSL is used in your company.  For more information on OpenSSL’s somewhat checkered past (Heartbleed, POODLE, FREAK, etc.), read this Symantec post.

OpenSSL, the open source toolkit that lets developers support TLS/HTTPS and that is used in millions of pieces of software, has announced that it is releasing a patch on Thursday.

The announcement is terse, as OpenSSL pre-release notices always are: it says only that the release corrects a single flaw and that the flaw is classified as “high severity”.

OpenSSL has had a string of bug fixes over the last year.  The most well known of these, Heartbleed, is still being patched in deployed systems.  After Heartbleed, more people started looking at the code and found more bugs – some of which had been lurking there for 15 years.

While we won’t know the impact of this bug until Thursday, it raises the point that we should not assume that any given piece of open source software (or closed source software either) has been critically examined by millions of eyeballs.

In fact, until Heartbleed exploded, OpenSSL had exactly one full time employee shepherding it.  Of course, there were many other contributors to the project, but their level of participation is unknown.

After Heartbleed, the Linux Foundation (Linux distributions ship and depend on OpenSSL) decided it was in its own self interest to fund staff for OpenSSL.  That funding allowed OpenSSL to add two more full time developers.  In addition, the Linux Foundation funded the Open Crypto Audit Project to do an audit of OpenSSL.

How long the Linux Foundation will fund these positions and whether the patch coming out Thursday was a result of the audit is unknown.

What we do know is that businesses need to understand their software supply chain: that they use products that rely on OpenSSL, which products those are, whether the vulnerability is serious enough that they need to mitigate the threat immediately (which may include shutting systems down, as OPM did last week with its e-QIP system; whether there is any relation between the two events is not clear), and how they plan to get the fix deployed.
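The inventory step above (and the update’s point that you probably don’t know where OpenSSL is used) can be started with a script like the following. It is an added example, not code from the original post or from the OpenSSL project: it walks directory trees, asks `ldd` which executables and shared objects link libssl or libcrypto, and reports the OpenSSL version actually installed so it can be compared against the fixed version in the advisory. It assumes a glibc-style Linux host with `ldd`, `find`, `awk` and `openssl` on PATH; the function names and the sample `ldd` output used for the self-check are constructed here. Statically linked copies and libraries loaded with dlopen() are invisible to `ldd`, which is exactly the “behind the scenes” use the update warns about, so treat the result as a lower bound, not a complete inventory.

```shell
#!/bin/sh
# Added example (not from the original post): find which binaries on this
# host dynamically link OpenSSL, so you know where a fix has to land.
# Assumes glibc-style ldd output; helper names and SAMPLE_LDD are constructed.

# Read ldd output on stdin and print the resolved path of every libssl or
# libcrypto line. Static links and dlopen() users never show up in ldd.
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Walk one or more directory trees and report every executable (owner exec
# bit set) or shared object that links libssl or libcrypto.
# Usage: find_openssl_users /usr/bin /usr/sbin /usr/lib /opt
find_openssl_users() {
    for dir in "$@"; do
        find "$dir" -type f \( -perm -100 -o -name '*.so*' \) 2>/dev/null |
        while read -r f; do
            libs=$(ldd "$f" 2>/dev/null | ssl_libs_from_ldd)
            [ -n "$libs" ] && printf '%s -> %s\n' "$f" "$(printf '%s' "$libs" | tr '\n' ' ')"
        done
    done
}

# The library version that is actually loaded is what the patch changes;
# compare this against the fixed version named in the advisory.
openssl_runtime_version() {
    openssl version 2>/dev/null || echo "openssl CLI not found"
}

# Constructed ldd output (not captured from a real host) so the parser can be
# exercised offline; the two OpenSSL lines are what we expect to extract.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a3f2000)
    libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f1b3a6e3000)
    libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1b3a3f0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b3a1fe000)'

# Self-check: run the parser over the constructed sample.
sample_check() {
    printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd
}
```

On a real host, run `find_openssl_users /usr/bin /usr/sbin /usr/lib /opt` and keep the list with the rest of your asset inventory; any entry that points at a vendor-bundled copy of libssl (under /opt or an application directory, rather than the distribution’s library path) is one the distribution’s package update will not fix, and that is the list to take to the vendor.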

Since most open source software does not have a dedicated development team pushing out patches, businesses need to “fend for themselves”.  This is the downside of open source.  Most of the time all that means is that you may or may not get a new feature at a particular time.  In this case, it may be more serious.

This does not mean that you should not use open source.  It is, however, a reminder to organizations that you need to manage your software supply chain.  How well do you manage yours?

Source material for this article came from Infoworld and Networkworld.
