Slashdot Mirror
Serious Network Function Vulnerability Found In Glibc
An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.
I don't get it. Proprietary software has all sorts of serious vulnerabilities. Why is it that when a vulnerability is found in FOSS, you people all come out and mock it while ignoring all the incompetence of proprietary software?
FOSS *is* more secure, and that's true even with the occasional vulnerability. You're extremely illogical to point to some vulnerabilities and conclude that it isn't more secure. How many vulnerabilities are not known about because no one can look at the source code?
So long as we're writing in C, this kind of thing (buffer overflows in particular) will probably continue.
(Lest I start a flame-war: C is awesome in its way, but more than almost any other language, it really does make it easy to miss things like this.)
How many years was Heartbleed around before anyone noticed? Apparently "many eyes" were not reading that bit of code.
Only the State obtains its revenue by coercion. - Murray Rothbard
I am suspicious of any C coder (myself included) who does not acknowledge this basic problem ^_^
In case you're unaware, "bugs are shallow" doesn't mean they don't exist.
ESRs complete sentence is:
"given enough eyeballs, all bugs are shallow; or more formally: Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone."
In other words, someone will quickly quote Adam Savage and say "THERE'S your problem!". :)
The difference between a deep bug and a shallow bug is is what happens after you notice a problem. A shallow bug is right there, at the surface. Function foo() is supposed to return x, but instead it returns x -1, and there is the line of the code that's the problem.
A deep bug is one where you look at function foo(), which creates an instance of class Bar, which is subclassed from IEParser, which calls friend class HTML4Lexer, which has function TagAtrribute() - but TagAtrribute() returns the correct value, so how the heck is it wrong in Bar? Then when you found out WHY it's wrong, you can't come up with any way of fixing it without rewriting the HTML specification.
Heartbleed is actually a great example. Many people looked at it right away and within an hour or so there was a patch available. Those may people discussed the three or four proposed long-term solutions and in about 24 hours we agreed on that Florian's solution was best. Florian was one of the many eyes, and the bug was shallow to him - "he fix will be obvious to someone", and that someone was Florian.
"You people"?
Gee a little insecure are we? News flash software is software and has bugs. It doesn't matter which license it is under. It still is software and no being from Microsoft doesn't make it insecure by default anymore than being GNU makes it more secure.
Yes Apple, Google, and Microsoft are mentioned here when a serious flaw is discovered. Why should Linux or anything GNU get a free pass?
http://saveie6.com/
It's because we've put up with 30 years of FOSS community trumpeting the fact that Linux isn't hacked, only Microsoft needs anti-virus, Open Source means that "something like this will never happen".
If a community spends decades puffing its chest and talking shit it's going to get 10x the scorn when it's revealed to be as vulnerable as the next guy. The fact is that all software can be hacked. And at any given time there is a zero day exploit that can probably penetrate any system. Commercial tools used to be the target of this research and and attack and now that open source is gaining traction it's getting the same scrutiny--and similarly failing.
Managed languages (like Java and C#) give you a "secure-by-default" memory and execution model that's a lot harder to accidentally mess up.
If you think managed languages will prevent you from leaving security vulnerabilities, you are either not writing significant server software, or your software has vulnerabilities.
.Net is especially bad in this regard, not because C# is inherently more insecure, but because the community applauds and encourages ignorance, and even makes people feel bad for knowing things. See this presentation for an example. Notice (for example) his micro-agressions against people who understand garbage collection. The implication is you don't need to think about it, C# will take care of memory.......which if you take seriously, means you'll be leaking crap all over the place and someone like me will have to come clean it up for you.
The hardest security problems to solve aren't the overflows, it's the features given to users. Think of VB macro viruses, that spread wildly in a managed language. Wordpress is another example of software written in a managed language with tons of exploits.
There are so many examples of exploits in managed systems that it's a display of ignorance to claim otherwise.
"First they came for the slanderers and i said nothing."