Not to mention the fact that a lot of the exploits that are discovered in open source software may well have a directly comparable exploit in closed source software if the mechanism of failure is a non-obvious one in an otherwise typical code construct.
Since most of the bug reports for open source software are easily accessible on the web, that probably makes it easier to design exploit attempts for closed source software.

Spike

Jon Austin wrote:
> Well, the Linux kernel for one is pretty heavily peer-reviewed. And
> that's even before it gets committed to the source tree, which largely
> is a final process overseen by Linus. So the kernel code is VERY
> heavily reviewed.
>
> Look at the bugtraq mailing list. There are tonnes of people who are
>
> a) discovering a flaw in an open source package, either by installing
> and mucking around, or testing it specifically for vulnerabilities
> (passing some sort of internal QA procedures).
>
> b) reporting the flaws to the package authors, sometimes including a patch!
>
> c) the author releases a fix before the vulnerability has been
> exploited in the wild and the discoverer gets to claim some "street
> cred" for finding it.
>
> In the last 24-48 hours..
>
> http://securitytracker.com/alerts/2005/Feb/1013078.html
> ht://dig has a cross site scripting hole from unfiltered input.
>
> http://archives.postgresql.org/pgsql-committers/2005-02/msg00049.php
> pgSQL has multiple buffer overruns. This was discovered by a fellow
> developer, unfortunately after the code had been released.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=280664
> Malicious code can meddle with your Firefox settings. See the work-flow
> here how a patch was submitted, it was reviewed, "super-reviewed" then
> approved. Then someone checked it into the various branches of the
> project, make it a retrospective fix?
>
> It is virtually impossible to write 100% flawless software on a
> project of considerable size. I would however, have the code out there
> for the world to see and have independent objective reviews of it.
>
> Regards,
>
> Jon
>
>
> On Tue, 15 Feb 2005 00:40:40 +0100, Jochem van Dieten
> <[EMAIL PROTECTED]> wrote:
>
>> Do you know anyone that analyzes the quality of other people's
>> open source code? Anyone?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:194625
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4

