Slashdot Mirror


2014: The Year We Learned How Vulnerable Third-Party Code Libraries Are

jfruh writes Heartbleed, Shellshock, Poodle — all high-profile vulnerabilities in widely used libraries that rocked the software industry in 2014. Sadly, experts are now beginning to believe that these aren't the only bugs lurking out there in widely used open source code, just the ones that grabbed the most attention. It's beginning to look like one of the foundation concepts of open source — that with enough eyes, all bugs are shallow — is a myth. Of course, probably no one believes that all bugs are instantly shallow, no matter how open the source is, or that open source software is immune from bugs -- particularly ESR, coiner of the phrase.

4 of 255 comments

  1. But *are* there enough eyes? by tj2 · Score: 5, Insightful

    The phrase might be true, but we're seeing the effects of insufficient eyes. In reality, how many sets of eyes are actually reviewing these libraries at a source code level? I rather strongly suspect that in most cases they are simply used under the assumption that "well, everyone uses it, it must be okay".

    1. Re:But *are* there enough eyes? by tj2 · Score: 5, Insightful

      This is just FUD. Whatever the number of the eyes, they are certainly far more than open source. I have already contributed many bug reports and often fixes, would you care to elaborate how I would do that in a closed source model? Because I am *very* curious.

      FUD? Sure, there are *more* eyes in open source than closed source: that's not the point. Are there *enough* eyes to prevent potentially catastrophic bugs from being exploited? I'd submit that we're seeing that there isn't. I'm not suggesting that closed source is superior, but let's not confuse some sort of moral superiority being attributed to open source as being equivalent to automatic technical superiority. In most cases, I'd agree that open source has technical superiority, but it's not automatic.

    2. Re:But *are* there enough eyes? by rapiddescent · Score: 5, Interesting

      One of the issues is that there are indeed *more eyes*, but they are incentivised to look for exploits and sell them to the bug-buyers rather than report or fix them. I did a hands-up poll (buyer beware) at our local OWASP chapter and over half had sold a bug to such an organisation. Pretty shocking.

      Certainly, one of the first moderately important bugs I found, I was daft and got in touch with the software vendor and then faced legal action from them, which luckily they saw sense and dropped. So many people nowadays just can't be bothered with that problem and can make a fast and low-risk buck by selling the 0-day.

  2. Magic ball prediction - 2015 by sinij · Score: 5, Informative

    My magic 8 ball tells me that in 2015 we will learn that proprietary and embedded software is even more vulnerable. My Tarot card deck tells me that we will see a lot of hacked car wrecks in 2015, now that Volvo released the demon by putting a web browser into the in-dash system. The rest of the lemmings are sure to follow. Not that you really need a browser to pwn a car, with Bluetooth-to-CAN-BUS exploits shutting down cars demonstrated as early as 2012.