Remote Exploit Discovered for OpenBSD

An anonymous reader writes "OpenBSD is known for its security policies, and for its boast of "only one remote exploit in over 10 years". Well, make that two, because Core Security has found a remotely exploitable buffer overflow in the OpenBSD kernel. Upgrade your firewalls as soon as possible."

Well done, the OpenBSD team.

Well done. It's not an easy feat to create an OS with so little exploits. The team and Microsoft should take a leaf out of your book.

Re:Well done, the OpenBSD team.

You think the problem is that Microsoft can't create a secure OS? You don't think the problem is all the legacy crap, and the everything under the sun and everything to everyone demands placed upon it? Not that what OpenBSD has achieved as a track record isn't impressive. But serving one master (of one's own choosing) well, it not the same thing as being the most favored servent to the most masters.

Re:Well done, the OpenBSD team.

[Kandenshi]

I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

Someone decided that people don't care enough about the number of remote exploits found in a given OS. They were probably right.

Re:Well done, the OpenBSD team.

[Richard_at_work]

The default install of OpenBSD includes (from memory, so this is not exhaustive) SSHd, bind, apache and sendmail, all of which are included in the term 'Only two remote holes in the default install' - those codebases are as rigourously audited as anything else.

Re:Well done, the OpenBSD team.

[TheRaven64]

The thing is, it doesn't matter. The OpenBSD folk treat pretty much every bug as a security hole. I heard one of them say this, which I think should be taken to heart by all software developers:

The only difference between a bug and a security hole is the intelligence of the attacker. As such, the hole was patched when they thought it was just a DoS. All escalating it does is encourage admins not to actually apply the patches.

Re:Well done, the OpenBSD team.

[Just+Some+Guy]

I heard a rumour that Microsoft did indeed look to the idea of emulating OpenBSD's security practices as a company.

Then someone pointed out the respective revenues of OpenBSD vs Microsoft, and the whole idea just seemed to evaporate.

My company makes far more than the OpenBSD team brings in, and yet we still respect them and try to emulate their practices. I'm not sure what kind of hubris it takes to dismiss someone's ideas just because you have more money.

Forced release?

[Just+Some+Guy]

FTFA:

2007-02-21: Core sends draft advisory and proof of concept code that demonstrates remote kernel panic.
2007-02-26: OpenBSD team develops a fix and commits it to the HEAD branch of source tree.
[...]
2007-03-05: OpenBSD team notified of PoC availability.
2007-03-07: OpenBSD team commits fix to OpenBSD 4.0 and 3.9 source tree branches and releases a "reliability fix" notice on the project's website.
[...]
2007-03-13: Core releases this advisory.
Release Mode: FORCED RELEASE

Kudos to Core Security for finding an exploit in OpenBSD code. Seriously, that's impressive. However, it sounds like they're a little too pleased with themselves. "Forced release"? I guess that's technically true, in the sense that a feather exerts a gravitational force on the Earth.

In a nutshell, they reported a problem and OpenBSD fixed it. Then they demonstrated that it was a more serious problem, and OpenBSD backported the fix to the current releases and announced it on their website. After reading the whole timeline, I'm not sure what else they were supposed to have done so that Core wouldn't be "forced" to announce the vulnerability that OpenBSD publicized on their own site as a "security fix" three days earlier.