
Secure open source at least a year away

Written by Dana Blankenhorn
Following Coverity's announcement yesterday that their Prevent system had caught a very dangerous bug in X Windows, I was given the chance to talk with their chief scientist, Andy Chou.

The news he had was bad or good, depending on how you look at it. It will take over a year to make major open source projects secure, and meantime each unpatched bug will present real danger to users.

The company has a running total of bugs found in its Open Source Project. At last count that stood at 3,163. That is in roughly five weeks' work.

The specific bug in this case was pretty simple -- a case of some missing parentheses. But this was in the section of X Windows that checks a user's identity. In C, writing a function's name without the call parentheses does not call it; the expression evaluates to the function's address, which is never zero, so a comparison against zero in a privilege check can never fail. If exploited, the bug would have "allowed local users to execute code with root privileges, giving them the ability to overwrite system files or initiate denial of service attacks."
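To make the bug class concrete, here is an added illustration; it is not code from the article, from Coverity or from X.Org, and it does not reproduce the actual X.Org line, which the article does not show. The gate `allow_privileged_option_*`, its policy ("honour a root-only option when the real user is root, or when the binary is not actually running with root privilege"), and the stand-in uid functions `fake_real_user`, `fake_root_eff` and `fake_nonroot_eff` are all assumptions constructed for the example. The broken form compares the function pointer `eff` with 0 instead of calling it, which is what "missing parentheses" in an identity check amounts to.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Type of a uid query function; getuid() and geteuid() have this signature. */
typedef uid_t (*uid_fn)(void);

/* Hypothetical privilege gate (an assumption, not X.Org's code): a setuid-root
 * program should honour an option that loads caller-chosen files as root only
 * when the real user is root, or when the binary is not really running as root.
 *
 * BROKEN: "eff != 0" compares the function's ADDRESS with 0, not the uid it
 * returns. A function's address is never 0, so the right-hand side is always
 * true and every caller is allowed, regardless of who they are. */
int allow_privileged_option_broken(uid_fn real, uid_fn eff)
{
    return real() == 0 || eff != 0;
}

/* FIXED: call both functions and compare the uids they return. */
int allow_privileged_option_fixed(uid_fn real, uid_fn eff)
{
    return real() == 0 || eff() != 0;
}

/* Constructed stand-ins so the check can be exercised deterministically. */
uid_t fake_real_user(void)  { return 1000; } /* ordinary local user        */
uid_t fake_root_eff(void)   { return 0; }    /* binary is setuid root      */
uid_t fake_nonroot_eff(void){ return 1000; } /* binary NOT running as root */

int main(void)
{
    /* Unprivileged user running the setuid-root binary: must be refused. */
    printf("broken gate, uid 1000 under setuid root: allowed=%d\n",
           allow_privileged_option_broken(fake_real_user, fake_root_eff));
    printf("fixed gate,  uid 1000 under setuid root: allowed=%d\n",
           allow_privileged_option_fixed(fake_real_user, fake_root_eff));

    /* Same user, binary not setuid: loading their own files is harmless. */
    printf("fixed gate,  uid 1000 without root:      allowed=%d\n",
           allow_privileged_option_fixed(fake_real_user, fake_nonroot_eff));

    /* Against the live process, with the real libc functions. */
    printf("fixed gate,  this process:               allowed=%d\n",
           allow_privileged_option_fixed(getuid, geteuid));
    return 0;
}
```

When the comparison is written directly against the real function, as in `geteuid != 0`, GCC's `-Wall` (which enables `-Waddress`) warns that the address of the function will never be NULL; the example routes the call through a pointer parameter so the broken and fixed forms can be run side by side, which is also why no such warning fires here.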

This does not just impact Linux, of course. X Windows also ships as an optional component of Mac OS X.

Coverity's system is a static analyzer: it runs through entire programs, checking every line for defect patterns without executing the code. Chou is proud of the work so far.

"I think we’re already making an impact. The fact we’ve found so many defects in a short amount of time proves this can be a valuable technique."

But getting bug fixes through the patching process means vulnerabilities remain. "In terms of improving the advisory process, that will get worse before it gets better. After you find a bug you have to patch it, and that takes a lot of time. People are vulnerable while the bug is out there."

This one is WAY out there. Patch your system today.
