Message-ID: <Pine.LNX.4.63.0509190831330.31032@forced.attrition.org>
Date: Mon Sep 19 14:52:33 2005
From: jericho at attrition.org (security curmudgeon)
Subject: OSS means slower patches


: http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html

The obvious criticism:

"The Mozilla family of browsers had the highest number of vulnerabilities 
during the first six months of 2005, with 25," the Symantec report says. 
"Eighteen of these, or 72 per cent, were rated as high severity. Microsoft 
Internet Explorer had 13 vendor confirmed vulnerabilities, of which eight, 
or 62 per cent, were considered high severity."

Microsoft IE had at least 19 vulnerabilities from 2005-01-01 to 
2005-06-30. Why does Symantec make the distinction of "X vulnerabilities 
in Mozilla" vs "MSIE had X *vendor confirmed vulnerabilities*"? This all 
too conveniently allows the silently patched vulnerabilities to slip 
through the cracks of our statistics. Does Mozilla's honesty in 
acknowledging vulnerabilities come back to bite them in the ass?

Mozilla browsers had more than 25, but are 72 per cent really "high 
severity"? Download information spoofing x2, File extension spoofing, URL 
restriction bypass, DoS x2, redirect spoofing, XSS, link status bar 
spoofing, Dialog overlapping, URL Wrap Obfuscation.. are all of these 
really "high severity"? Is that theoretical, practical, or hype?

Now, the media/symantec driven propaganda (for lack of better word?):
 
  THE growing popularity of open-source browsers and software may be 
  responsible for the increasing gap between the exposure of a 
  vulnerability and the provision of a patch to fix it, security software 
  vendor Symantec has said.

  Mr Sykes said the increasing popularity of open source software, such as 
  the Mozilla Foundation's Firefox browser, could be part of the reason 
  for the increase in the gap between vulnerability and patch, with the 
  open source development model itself part of the problem. "It is 
  relying on the goodwill and best efforts of many people, and that 
  doesn't have the same commercial imperative," he said. "I'm sure that is 
  part of what is causing the blow-out in the patch window."

  The growth in Firefox vulnerability reports coincides with its 
  increasing popularity with users. "It is very clear that Firefox is 
  gaining acceptance and I would therefore expect to see it targeted," Mr 
  Sykes said. "People don't attack browsers and systems per se, they 
  attack the people that use them," he said. "As soon as large banks 
  started using Linux, Linux vulnerabilities started to get exploited."

The premise of this article is open source software is to blame for longer 
vendor response times. In layman's terms, blame vendors like Mozilla for 
having vulnerabilities patched slower? Err, compared to what? This shallow 
article doesn't even qualify that statement! Slower than previous 
vulnerabilities? Slower than non open source? Given the article directly 
compares Mozilla browsers to Microsoft IE, it is trivial to assume the 
claim is made in relation to closed source vendors such as Microsoft. So 
then what .. 30 days "blown out" to 54 days is some huge time gap compared 
to Microsoft IE patches? What clueless *moron* really believes this crap 
they are shovelling? Is it Symantec or Chris Jenkins or Australian IT?

Given that Symantec won't even quote previous statistics: "Symantec had 
not published previously statistics on the average time required to 
produce patches, but Mr Sykes said data showed the lag had previously been 
about 30 days." Given that Jenkins/AusIT/Symantec won't give us any 
statistics (even questionable ones) regarding MSIE patches, we're supposed 
to take this at face value? It is *well documented* that Microsoft takes 
well over 30 days to patch vulnerabilities. It is also becoming crystal 
clear that Microsoft is hiding behind their "30 day patch cycle" to imply 
that is the longest they go before patching a vulnerability, when it 
simply is not the case. Taking a look at a *single vendor* [1] and their 
experience with reporting vulnerabilities to Microsoft, we see that they 
give MS a 60 day window to patch vulnerabilities, and are consistently 
overdue. As of this mail, the worst is *ONLY* 114 days past due (we've 
seen it closer to 250 days before). So again, where are these implications 
coming from? Where does this statement/conclusion/observation that "OSS 
causes slower patches" come from exactly?


[1] http://www.eeye.com/html/research/upcoming/index.html
