Technology Review
A new analysis suggests that attackers exploit open-source software flaws faster and more effectively.
The ability to access the code of open-source applications may give attackers an edge in developing exploits for the software, according to a paper analyzing two years' worth of attack data.
The paper, to be presented this week at the Workshop on the Economics of Information Security, correlated 400 million alerts from intrusion detection systems with known attributes of the targeted software and vulnerabilities. The data supports the assertion that flaws in open-source software tend to be attacked more quickly and more often than vulnerabilities in closed-source software, says Sam Ransbotham, assistant professor at Boston College's Carroll School of Management and the author of the paper.
Using nonlinear regression and other models, Ransbotham found that attacks on vulnerabilities in open-source software occurred three days sooner and with nearly 50 percent greater frequency. Ransbotham argues that knowledge of how to exploit a particular vulnerability spreads in much the same way as the diffusion of a technological innovation.
"If you think about this whole thing as a game between the good guys and the bad guys, by reducing the effort for the bad guys, there is much greater incentive for them to exploit targets earlier and hit more firms," says Ransbotham.
The paper will likely rekindle a debate between advocates of open-source and closed-source development models, who argue whether the open-source operating system Linux is more secure than Windows or whether Mozilla's open-source Firefox browser is more secure than Microsoft's Internet Explorer. Supporters of open-source argue that the accessibility of the code allows the good guys to find bugs faster, while critics argue that more attackers than defenders are poking through the code, so the net effect is worse security.
The research used alert data culled from intrusion-detection systems managed on behalf of 960 companies by security service provider SecureWorks. Ransbotham correlated the alerts with specific vulnerabilities in the National Vulnerability Database (NVD), a large collection of information on software flaws managed by the National Institute of Standards and Technology. While the NVD lists vulnerabilities in more than 13,000 software products for 2006 and 2007, the two years from which alert data was used, only half of the products could be classified as either open- or closed-source, Ransbotham says.
By linking that data to the intrusion detection systems' ability to recognize an attack on a vulnerable system, Ransbotham compiled a list of 883 vulnerabilities in confirmed open- or closed-source software on which attacks could be recognized. He also classified the vulnerabilities by other attributes, such as how complex it would be for attackers to exploit the flaw and whether there was a signature available for the intrusion detection systems at the time the vulnerability was reported.
In the end, only 97 of the 883 vulnerabilities were targeted by attackers during the two-year period. However, this accounts for 111 million, or about a quarter, of the alerts. The remaining alerts could be attributed to attacks on software that could not be classified as open- or closed-source, attacks on vulnerabilities that did not have an identifying attribute, or false positives.
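The correlation the article describes (joining IDS alerts to NVD entries, discarding alerts that cannot be attributed to a classified product, then comparing time-to-first-attack and alert frequency by licensing model) can be reproduced on a small scale. The following is an added illustration, not code from the paper or from SecureWorks; the CVE identifiers, dates and alert rows are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed NVD-style records (placeholder ids, not real CVEs):
# disclosure date and whether the product is open- or closed-source (None = unclassifiable).
NVD = {
    "CVE-0000-0001": {"disclosed": date(2006, 3, 1), "model": "open"},
    "CVE-0000-0002": {"disclosed": date(2006, 3, 10), "model": "closed"},
    "CVE-0000-0003": {"disclosed": date(2006, 5, 2), "model": "open"},
    "CVE-0000-0004": {"disclosed": date(2006, 6, 20), "model": None},
    "CVE-0000-0005": {"disclosed": date(2007, 1, 15), "model": "closed"},
}

# Constructed IDS alerts: (alert date, CVE referenced by the matching signature, or None).
ALERTS = [
    (date(2006, 3, 3), "CVE-0000-0001"), (date(2006, 3, 4), "CVE-0000-0001"),
    (date(2006, 3, 20), "CVE-0000-0002"),
    (date(2006, 5, 3), "CVE-0000-0003"), (date(2006, 5, 3), "CVE-0000-0003"),
    (date(2006, 5, 9), "CVE-0000-0003"),
    (date(2006, 6, 25), "CVE-0000-0004"),  # product not classifiable
    (date(2006, 7, 1), None),              # alert with no identifying attribute
    (date(2007, 1, 30), "CVE-0000-0005"),
]

def correlate(alerts, nvd):
    """Join alerts to classified NVD entries. Returns (first attack date per CVE,
    alert count per CVE, number of alerts that could not be attributed)."""
    first_seen, counts, unattributed = {}, defaultdict(int), 0
    for when, cve in alerts:
        entry = nvd.get(cve)
        if entry is None or entry["model"] is None:
            unattributed += 1
            continue
        counts[cve] += 1
        if cve not in first_seen or when < first_seen[cve]:
            first_seen[cve] = when
    return first_seen, dict(counts), unattributed

def summarize(first_seen, counts, nvd):
    """Per licensing model: attacked vulnerabilities, mean days from disclosure to
    first observed attack (time to exploitation), and mean alerts per attacked CVE."""
    acc = defaultdict(lambda: {"attacked": 0, "lag": 0, "alerts": 0})
    for cve, when in first_seen.items():
        entry = nvd[cve]
        s = acc[entry["model"]]
        s["attacked"] += 1
        s["lag"] += (when - entry["disclosed"]).days
        s["alerts"] += counts[cve]
    return {m: {"attacked": s["attacked"], "mean_lag_days": s["lag"] / s["attacked"],
                "mean_alerts": s["alerts"] / s["attacked"]} for m, s in acc.items()}
```

On the constructed rows, two of nine alerts are dropped as unattributable, mirroring the article's note that alerts on unclassifiable products or without an identifying attribute are excluded from the comparison.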
How Paid Studies Reflect Desires of Those Who Pay
Paid studies are all notorious for proving that the sponsor of a study can usually get findings that support their desired outcome. Since this study is funded primarily by Microsoft, the results should not be surprising. The article is not based on any outright deception or lies, simply on two levels of ignorance. First, the naivete and lack of programming expertise of the general audience who might accept these findings -- a response that no credible or responsible programmer would support, unless he or she also were a partisan MS loyalist. One must only read the weekly threat announcements of critical vulnerabilities in Microsoft and Adobe products, for example, to realize that nothing could be more vulnerable than these highly vaunted proprietary products. The second level of ignorance relates to intrinsic security permissions in most UNIX/LINUX operating systems versus that of Microsoft Windows, including Windows Seven. Most of the world's secure servers are all running on some UNIX based OS, not Windows, for matters of security and reliability -- they are running Solaris, UNIX, or some flavor of LINUX. And this has everything to do with inherent security permissions for the Root user account, versus the "administrative permissions" in Windows that always leave a number of little windows, shutters, back doors and ports wide open to attack, and the ability to modify critical registry entries in the Windows OS. There is no "registry" to attack in UNIX, Solaris or LINUX, and nothing can modify a Root file unless it is a live password protected Root User. Autorun scripts and VBS scripts cannot exploit these systems at all.
That being said, no system is invulnerable even if it is very, very secure. But the vulnerabilities being reported here are on Windows OS systems, not on Open Source OS, and so if these are "Open Source" Applications trying to live in a vulnerable environment like MS Windows, then they are as vulnerable (but not more so, please see prior reader comments on reporting of issues) as any other application.
The big difference is that under the GNU Open Source license, these applications are free! Yes, I know, that old cliche of "follow the money" comes into stark relief again. Issue a frightening report on the vulnerabilities and lack of safety of "free" versus overpriced software in order to keep the paying patrons happy and fat. Wise up, people, there are motivations at work here that have nothing in the world to do with making your computing experiences safer...just a lot more expensive!
The advertisement for this article is for Microsoft Server.
Coincidence?
I think not.
:-)
It says "A new analysis suggests that attackers exploit open-source software flaws faster and more effectively."
True the software flaws are revealed faster in open source software and kept secret in closed door software! Hence they can be exploited...or indeed fixed faster.
Whether an exploit is effected effectively or not is not really answering anything. Clearly the exploit is effecting something or you wouldn't be exploiting it, so by definition it is effective. What does more effectively mean? Is it done faster? Again answered by point 1. Perhaps it means more concise code is generated to exploit the vulnerability...does it matter how concise the code is if the vulnerability is indeed exploited?
Another example of academia whoring itself out to the highest bidder
Peek under the covers and realize that the study was funded by monied interests. Enjoy your riches. The corporate fearmongers won't pay your bills anymore once they've accomplished their goals.
jjs
NVD & flaws
One issue is the reporting - Open Source software flaws are reported as soon as they are discovered, while those in closed-source software may not be reported until the company has a fix. That doesn't mean the vulnerability isn't there, just that the vulnerability isn't reported.
Another issue is fix time - with Open Source, anyone can read the code and submit a patch. In particular, those with the most interest in fixing the flaw (those who may be broken into because of it) can either build the patch or pay someone to do the analysis patch. With closed source, only the source code owner (company) has that ability. Even if they're a good company, if they don't have the resources, they can't build the patch.
Finally, Apache. Back a number of years ago when I tracked it, Apache had twice the market of IIS. Yet, it was IIS that was attacked and broken.