Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Shellshock proves open source's 'many eyes' can't see straight

Roger A. Grimes | Oct. 2, 2014
With so many people looking at open source code, its security flaws should be stopped dead -- but it doesn't work that way.

Eye looking at data and analytics
Credit: Thinkstock

Can we do it? Can we once and for all declare the "many eyes" theory dead?

I'm a huge fan of open source. I have been since the days we called it freeware. I run OpenBSD and many other specialized open source distros, and I couldn't do my job as a computer security consultant without a small arsenal of open source tools.

That said, I've always called BS on the idea that the ability for anyone to review open source code means it will always be more secure than closed source software. Even before the latest contrarian example of the Bash Shellshock vulnerability, the idea of "many eyes" was fatally flawed.

In a nutshell: Just because something can be done doesn't mean it will be done.

Hiding in plain sight

Let's start with the security hole du jour. Bash was released in 1989, and the recently discovered vulnerability has been around since the beginning. We're talking an easy-to-see, easy-to-exploit bug in software that has been used by millions of people -- one that's kicked around for two-plus decades without detection.

The Bash shell is present on nearly every Linux, Unix, and BSD distribution. Even if you've applied the most recent Bash patches (released on Sept. 25) meant to close the Shellshock vulnerability, you're still vulnerable.

Some people, including InfoWorld's Paul Venezia, are declaring Shellshock to be far worse than the last "big one," the April 2014 OpenSSL Heartbleed vulnerability. Heartbleed was around for about 2.5 years before anyone noticed.

Heartbleed was bad, but Shellshock is vastly worse. Bash is installed and active on more systems than Heartbleed's OpenSSL, and Shellshock can do far more to vulnerable systems (remote execution versus information disclosure).

The real risk is in the number of systems that are remotely exploitable by unauthenticated users. Already tens of millions of Internet-facing servers have been probed for the vulnerability, and by many estimates, Shellshock is on 30 to 50 percent of all Web servers worldwide. A Web developer at one large company told me that Shellshock was easily remotely exploitable on nearly 100 percent of his servers. Ouch!

Who has time to review code?
The "many eyes" theory should have died a long time ago. Literally hundreds of open source bugs have been found years to decades after they were coded into popular open source software. The theory doesn't work because security code review is hard, mostly boring work. Those who do it well are probably being paid to do it for a living, and they don't have time to peruse every bit of open source code on the Internet.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.