Heartbled and Shellshocked … What Can We Do?

Well, it happened again. A serious security bug was found in a piece of open-source code called Bash, which is integrated into such ubiquitous software packages as Linux, Mac OS and Apache, and potentially Android. This time the bug, which is called Shellshock, has supposedly been lurking undetected (or known by some?) inside these programs for more than two decades, as compared to some two years for Heartbleed in OpenSSL. Unfortunately, the wish I expressed in my BlogInfoSec column “My Heart-bleed[s] for Open Source and Monocultures,” posted on May 5, 2014, that Apache did not have a major vulnerability, has not been granted. Here is my earlier statement in that column about the dangers of the ubiquitous use of open-source and other software products:

“Another major open-source software product is Apache, which is installed on about half of all active websites according to a report at http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html. Although Apache’s “market” share has been falling, it still operates on a sizable number of web servers so that, if it was shown to be vulnerable (as is OpenSSL), the impact could be enormous. So far, we have not seen a major Apache vulnerability. But that doesn’t mean one doesn’t exist.”

We are told, in a September 26, 2014 article, “Flaw in Code Puts Millions Of Machines At Big Risk,” by Nicole Perlroth of The New York Times, that the flaw was found by Stephane Chazelas. Chazelas reported his discovery to Chet Ramey, a senior technology architect at Case Western Reserve University, who has been maintaining Bash part-time and unpaid over the last 22 years. It is incredible, but increasingly familiar, to find that software components integrated into mission-critical software are built on shaky provenance and are weakly supported. While the public has only just been informed about this bug, it has existed for some 22 years or so. It is highly likely that governments, militaries, spy agencies, terrorists and others have known about this flaw for years, if not a decade or more, and have been stealthily using it to their advantage. Now that it is public, everybody has a shot at it.

Whereas this is another example of the failure of open-source communities to assure the security quality of their products, it would be a mistake to believe that commercial software is necessarily more secure. I first wrote about software bugs in the February/March 1995 issue of the now-defunct Securities Industry Management Magazine. My column, “Running ‘Afoul of the Flaw,’” discussed the bug in an Intel Pentium microprocessor chip that calculated erroneous results.

My 1995 article concluded that “[t]he only answer is to spend the extra time and money to build in safeguards [read “security”] that will anticipate that the systems won’t work perfectly every time. It will be worth the effort.”

It certainly would have been … and still is.
