
Huge Hole in Open Source Software Found, Leaves Millions Vulnerable

Source: Dailytech

Click on the source for the entire article.

Another reason not to use and trust this failure of an OS.
If you are interested, here’s information and tools to exploit this bug: http://metasploit.com/users/hdm/tools/debian-openssl/

A simple programming error reduced the entropy in the generated program keys created by the OpenSSL library.

Just two lines of code created crippling security holes in four different open source operating systems, 25 application programs, and millions of internet-attached computer systems. The vulnerability was publicly discovered for the first time May 13, after having left the door open nearly two years.

The error reduced the number of keys that Linux can generate from 2^128 to approximately 2^15. Fixing the key problem is not as simple as fixing a buffer overflow vulnerability, another typical security flaw. As the keys generated are actual files, merely patching the system will not change these files. Every single key will need to be replaced in a difficult and time-consuming process. Further, keys need to be certified and distributed, which takes more time and is error prone.

The Valgrind code caused errors, so the programmers simply commented out all the code, including, by accident, the other methods of generating randomness. Only the code which utilized the process ID, an integer ranging from 0 to 32,767, remained to provide randomness.

One developer more alarmingly points out that the vulnerability has shown a perhaps fatal flaw in the state of the open source industry and in computer security in general. One programmer can make a major change which can be blindly accepted by other developers with little understanding of the implications.
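The excerpt above says that only the process ID, a value between 0 and 32,767, was left feeding the generator, and that every affected key has to be found and replaced rather than patched. The following is an added illustration, not code from the article or from OpenSSL: it models a key generator whose only input is a 15-bit PID (a constructed stand-in, a hash of the seed, rather than real RSA key generation), measures how small the reachable key space is, and then does what the distribution blacklist tools did to clean up, which is enumerate that whole space once and keep the fingerprints so deployed keys can be checked against it. The function names, the sample key material and the hash-based "key generation" are all assumptions for the example.

```python
import hashlib
import math

# Constructed model of the defect: the process ID is the only entropy
# left, so the seed space is 0..32767 (15 bits). This number comes from
# the article; everything below it is an assumption for illustration.
PID_MAX = 32767


def toy_key_from_seed(seed: int, key_bytes: int = 16) -> bytes:
    """Stand-in for key generation that is fully determined by the seed.

    Real OpenSSL key generation is not a SHA-256 of the PID; this is a
    constructed stand-in so the example runs offline in milliseconds.
    The point it preserves: with the seed as the only input, the output
    is a deterministic function of a 15-bit value.
    """
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:key_bytes]


def fingerprint(key: bytes) -> str:
    """Fingerprint a key the way a blacklist would, by hashing it."""
    return hashlib.sha256(key).hexdigest()


def reachable_key_bits(seed_values: int) -> float:
    """Effective key strength when the generator has only `seed_values`
    distinct seeds: log2 of the number of keys it can ever emit."""
    return math.log2(seed_values)


def build_weak_fingerprint_set() -> set[str]:
    """Enumerate every key the broken generator can produce, once, and
    keep only the fingerprints. This is the defender's artifact: a list
    to check existing keys against, analogous to openssl-blacklist."""
    return {fingerprint(toy_key_from_seed(pid)) for pid in range(PID_MAX + 1)}


def is_weak_key(key: bytes, weak_fingerprints: set[str]) -> bool:
    """True if this key is one the broken generator could have produced."""
    return fingerprint(key) in weak_fingerprints


def audit_keys(keys: dict[str, bytes], weak_fingerprints: set[str]) -> list[str]:
    """Return the names of deployed keys that must be regenerated."""
    return sorted(
        name for name, key in keys.items() if is_weak_key(key, weak_fingerprints)
    )


# Constructed sample inventory: two keys from the broken generator
# (PIDs 1234 and 4321) and one from a generator with real entropy,
# represented here by a fixed 16-byte constant.
SAMPLE_KEYS = {
    "web01-host-key": toy_key_from_seed(1234),
    "db02-host-key": toy_key_from_seed(4321),
    "bastion-host-key": bytes.fromhex("8f3a9c1d7e5b2046a1c3e5f7091b3d5f"),
}


if __name__ == "__main__":
    print(f"reachable keys: 2^{reachable_key_bits(PID_MAX + 1):.0f}")
    weak = build_weak_fingerprint_set()
    print(f"blacklist size: {len(weak)} fingerprints")
    for name in audit_keys(SAMPLE_KEYS, weak):
        print(f"REPLACE {name}: key is in the weak set")
```

The blacklist is built once and then reused for every host, which is why the cleanup tools shipped a precomputed fingerprint list instead of regenerating candidates on each check; the audit itself is a set lookup per key. The same structure applies whatever the real generator is, as long as the defender can reproduce the full reachable output set.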


  1. June 23rd, 2009 at 15:00 | #1

    The NDSi is the best handheld ever imo, I don’t care what those PSP fanboys say….

  2. brian
    June 9th, 2008 at 17:05 | #2

    Not really, more like a huge team of professional and paid developers in a supported product lead by a real company.

  3. wccrawford
    June 9th, 2008 at 17:02 | #3

    As opposed to Windows, where “One programmer can make a major change which can be blindly accepted by other developers with little understanding of the implications” and only Microsoft employees can look at the source code.
