Jochem van Dieten wrote:
> Spike wrote:
>
>> Not to mention the fact that a lot of the exploits that are discovered
>> in open source software may well have a directly comparable exploit in
>> closed source software if the mechanism of failure is a non-obvious one
>> in an otherwise typical code construct.
>
> You mean like the integer overflows that made non-privilege-separated
> OpenSSH rootable a few years ago. Sure, the patch was out before the
> exploit was out. But did anybody take a step back, say "wow, this is a
> whole new type of overflow" and then audit the entire codebase for that
> type of overflow?
That's exactly my point. Almost certainly nobody audited their codebase,
for either closed or open source projects, but anyone who wanted to craft
an exploit could easily have added it to their box of tricks. If the
exploit had been discovered in a closed source project, that information
may very well never have made it outside the confines of the project.

Spike
--
--------------------------------------------
Stephen Milligan
Code poet for hire
http://www.spike.org.uk
Do you cfeclipse? http://cfeclipse.tigris.org

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:194753
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
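The bug class the two posters are talking about, as an added illustration that is not code from this thread or from OpenSSH: a count read off the wire is multiplied by an element size in 32-bit arithmetic, the product wraps, and the program allocates a table far smaller than the loop that later fills it expects. The vulnerable arithmetic sits next to the checked form an auditor would look for. The packet layout, ELEM_SIZE and MAX_COUNT are assumptions made for the example, and the sample packets are constructed.

```c
/* Constructed example of the allocation-size integer-overflow class.
 * Written for this page; not OpenSSH's code. The 4-byte big-endian count,
 * ELEM_SIZE and MAX_COUNT are assumptions for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ELEM_SIZE 4u     /* assumed per-entry size, stands in for sizeof(T) */
#define MAX_COUNT 100u   /* assumed protocol limit on entries per message  */

/* Vulnerable pattern: count * elem_size in 32-bit arithmetic wraps modulo
 * 2^32, so a huge count yields a tiny (or zero-byte) allocation while the
 * loop that fills the table still trusts count. */
static uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened form: refuse any count whose product would not fit. The test
 * divides instead of multiplying, so the check itself cannot wrap. */
static bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;
    *out = count * elem_size;
    return true;
}

/* Read a big-endian 32-bit count from the front of a constructed packet. */
static bool read_be32(const uint8_t *buf, size_t len, uint32_t *out)
{
    if (len < 4)
        return false;
    *out = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    return true;
}

/* Simulated message handler. Returns the byte size it would allocate for
 * the entry table, or -1 if the request is rejected. The unchecked path
 * never rejects anything; it silently allocates too little. */
static long long handle_request(const uint8_t *pkt, size_t len, bool hardened)
{
    uint32_t count, size;
    if (!read_be32(pkt, len, &count))
        return -1;
    if (hardened) {
        if (count > MAX_COUNT)                         /* semantic limit  */
            return -1;
        if (!checked_alloc_size(count, ELEM_SIZE, &size)) /* arithmetic limit */
            return -1;
    } else {
        size = unchecked_alloc_size(count, ELEM_SIZE);
    }
    return (long long)size;
}

int main(void)
{
    /* Constructed packets: a sane count of 3, and a count of 0x40000000
     * chosen so that count * ELEM_SIZE == 2^32, which wraps to 0. */
    static const uint8_t sane[4] = { 0x00, 0x00, 0x00, 0x03 };
    static const uint8_t huge[4] = { 0x40, 0x00, 0x00, 0x00 };

    printf("sane, unchecked: %lld bytes\n", handle_request(sane, 4, false));
    printf("huge, unchecked: %lld bytes for a count of 2^30\n",
           handle_request(huge, 4, false));
    printf("huge, hardened : %lld (rejected)\n", handle_request(huge, 4, true));
    return 0;
}
```

The audit the quoted post asks about is mechanical once the pattern is named: every `malloc`, `calloc`-equivalent or `realloc` whose size argument is a product of something attacker-controlled is a candidate, and each one needs either a protocol-level bound on the count or an overflow check on the multiplication, ideally both.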

