Slashdot Mirror


Remote Exploit Discovered for OpenBSD

An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible."

1 of 338 comments

  1. Sure it is by Sycraft-fu · Score: 0, Flamebait

    In fact, Microsoft has an OS that has zero remote exploits in a default install: DOS. No remote access (net support wasn't a part of a default install), therefore no remote exploits. OpenBSD likes to wave their cocks around about it a whole lot, but what it comes down to is the OS isn't really comparable to most default Linux or Windows installs. It does the "everything is off by default" tactic. Ok, fair enough, but that doesn't really mean anything. After all, one could say virtually any OS that has a firewall that blocks all inbound traffic has no remote exploits by default, since there is no remote access by default.

    The real question isn't how many exploits there are in a default install, it is how many there are in a well-maintained install in a particular environment. When you have a bunch of services opened up and running, how well does something do?

    I'm not knocking OpenBSD on the security front, I am just saying that their security claim isn't a real meaningful one in terms of overall secure design. It is just proof of the statement "If there is no service, there can be no denial."