Security experts find open-source flaws
Although Microsoft Windows vulnerabilities get most of the headlines, researchers this week identified vulnerabilities in two commonly used open-source software products.
The more serious of the vulnerabilities affects Sendmail, an open-source program for managing e-mail. The vulnerability lies in the way the e-mail server software parses e-mail headers, said Dan Ingevaldson, engineering manager for Internet Security Systems in Atlanta.
"It's an extremely serious vulnerability," Ingevaldson said, adding that computer attackers could probably exploit it. It is less clear, he said, whether a separate flaw in OpenSSH, also discovered this week, can be exploited.
 | ||||
| | | ||
| Get Up to Speed on... Enterprise security  Get the latest headlines and company-specific news in our expanded GUTS section. | | ||
| ||||
| ||||
"It may remain theoretical, it might prove to be exploitable," he said of the flaw in OpenSSH, which is used by network managers to log in remotely and gain encrypted access to computers and other networked devices.
Although it is not clear whether the OpenSSH vulnerability is exploitable, it would be serious if it were. The flaw occurs before authentication, meaning a user would not need privileges to log on to the machine to run the exploit, said Jason Rafail, an Internet security analyst with Carnegie Mellon University's CERT Coordination Center.
CERT issued an advisory on Tuesday for the OpenSSH vulnerability and another on Thursday for the Sendmail flaw.
The OpenSSH issue affects versions before 3.7.1 and occurs as a problem in the way the software stores chunks of data using storage areas called buffers. Cisco said it has products that are affected, while Red Hat, Sun Microsystems and IBM's AIX Toolbox for Linux all use versions of OpenSSH that could be vulnerable.
The Sendmail flaw affects versions before 8.12.10. HP, IBM and Red Hat are among the software makers that use Sendmail and whose products could be affected.
Both pieces of software are commonly used at large companies, making them an attractive target to hackers, Ingevaldson said. "Hackers like to attack high-value targets," he said.
Word of these flaws come amid concern that virus writers may create new bugs based on Windows vulnerabilities disclosed last week.
The latest flaws add to the debate over which is more secure--commercial software, such as that from Microsoft, or open-source software, such as Linux.
"In any given year there have been just as many vulnerabilities in the open-source community as there have been with Microsoft," Ingevaldson said.
It is difficult to compare the two, he said, but he noted that developers of both use similar tools to write their software and face similar challenges in dealing with hundreds of thousands or millions of lines of code.
With companies blocking all but a handful of the 65,000 available network ports, Ingevaldson said that hackers tend to target the infrastructure for things like e-mail and Web pages, which are allowed to enter a network.
"The open-source guys and the big commercial vendors are dealing with the same problem," Ingevaldson said.