Bugtraq mailing list archives

Re: Netscape Problems.


From: zen-parse <zen-parse () gmx net>
Date: Wed, 27 Nov 2002 12:08:48 +1300 (NZDT)

On Tue, 26 Nov 2002, Dave Aitel wrote:

> In case you didn't notice, you're comparing a completely open process
> with one that is almost entirely closed. I.E. The total number of remote
> roots on Solaris, Windows NT, Irix, and the like is magnitudes higher
> than is actually disclosed. Whereas generally on Open Source platforms,
> you know and understand everything there is to know about each

And of course every potentially exploitable problem is labeled as such in 
open source products.

Squid DNS overflow is only a denial of service. It must be because it says 
so here:

http://www.squid-cache.org/Advisories/SQUID-2002_2.txt
...
 A malicious DNS server could craft a DNS reply that causes Squid
 to exit with a SIGSEGV.
...

Despite there being multiple exploits in existence, this is only 
a denial of service. The exploits must be mistaken.

Maybe squid is an exception....

How about mod_throttle for apache? If you've configured this, you have a 
local root waiting to happen. Author was notified 26 Jan 2002. 

 I'll have to think more about this for mod_watch.  This change in data 
 structure for mod_throttle/3.1.2 won't be fixed.  It will have to be 
 addressed in mod_throttle/4.0 which is a complete rewrite anyways.

Oh yeah, mod_watch too. Well, maybe it's just that author.

Hmm... mebe I just had bad luck...

Let's try apache....

Shared memory thing? Was notified 11 Nov 2001. Patch released when? Hmm... 
nearly 12 months?

Of course that bug is useless... except in combination with others. Who 
could've predicted the apache chunking bug or openssl bug? I mean.. the 
source is open! It'll never have a security problem.

> vulnerability. This is why on Open Source platforms (or platforms for
> which the source code is so readily available as to make it open source
> in all but name) people are now hunting down obscure integer overflows,
> and on closed source platforms fuzzers are happily picking out stack
> overflows in initial handshake messages.

It's a nice theory. 'Make the source open and people will see the bugs'. 

It's a pity it doesn't work. 

All having the source available does is make people think "Well, the
source is there, someone must've looked at it".

> Were you comparing a vendor's internal bug database to various bugzillas
> you might have a better case.

Of course, there are not, nor have there ever been bugs in bugzilla that 
would let you do that comparison.

"In case people haven't noticed yet, Open Source is not more secure."

Maybe it would be better to say "Making a project Open Source does not 
make it more secure if you take forever to fix it and don't tell people 
when you do fix it". 

One hole that is exploitable means the product is insecure, so how about
"Open Source software is as secure as Closed Source."

Many eyes would make code more secure, but only if they are actually 
looking at the code.

But that does not happen. 

-- zen-parse

-- 
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse () gmx net, it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.