Linux expert warns of open source's growing appeal to hackers

by John McCormick | Oct 30, 2006 10:14:00 PM

Tags: UNIX, Patches, Operating systems, Hacking, John McCormick, Linux, Zeroday Emergency Response Team, SQO-OSS, open source, hacker, security, Linux expert, IT Locksmith Newsletter

Takeaway: Alan Cox, a well-respected Linux developer, warned attendees of London's LinuxWorld that open source software is becoming more attractive to commercial hackers. In this edition of the IT Locksmith, John McCormick fills you in on Cox's statement and tells you about a new organization aiming to stop zero-day exploits.

A Linux guru cautions that open source's growing popularity is attracting the unwanted attention of more hackers. Meanwhile, a new organization aims to stop zero-day exploits by making patches available sooner.

Details

Linux expert Alan Cox warned attendees of London's LinuxWorld conference last week that hackers were putting a lot of money and effort into cracking Linux and other open source projects. Cox, who works for Red Hat, was especially critical of uninformed media statements about how open source software is more secure and reliable. While some well-known open source projects are quite secure, the same doesn't hold true for lesser known projects.

The veteran developer also took a shot at the European Commission's Software Quality Observatory for Open Source Software (SQO-OSS). The newly launched project aims to monitor the quality of open source development. It will release the core code under the BSD license.

Several observers say that SQO-OSS, which boasts a 2.47 million Euro budget, focuses on the wrong metrics of quality and security, particularly by counting all bugs as equal. The overall goal of SQO-OSS is to improve the acceptance and competitiveness of EU software development projects by demonstrating their security. For a list of the project's goals, check out this fact sheet.

Less than zero?

Becoming increasingly more concerned about businesses that are ignoring cyberattacks until they reach the point of wide exploitation, security experts have coined a new term—the "less than zero-day" attack. Zero-day attacks are ones that take place between the time of an exploit's publication and the release of the initial patch or antivirus/malware signature.

But rather than waiting until "official" vendor patches become available, a new online organization—the Zeroday Emergency Response Team (ZERT)—aims to respond to release reliable non-vendor "emergency" patches for exploits as soon as they appear to pose a serious risk of exploitation. Of special interest to many users may be the ZProtector framework for patching zero-day vulnerabilities for Windows—beginning with Windows 95! As you probably know, this range includes a number of platforms no longer supported by Microsoft.

Although ZERT works with a number of security tool vendors, the organization has no direct affiliation with any particular vendor. To see how ZERT approaches emergency patching of zero-day threats as compared to the official Microsoft patches, check out this ZERT analysis PDF document of the recently patched CVE-2006-4868 vulnerability.

Final word

It should be obvious that the growing adoption of Linux by many businesses and government organizations means a lot of serious commercial hackers will be turning their attention to exploiting any flaws they can locate. However, it will likely take a number of public statements from respected Linux developers to really draw attention to this fact.

And speaking of obvious, it should go without saying that cyberthreats are most dangerous before an official patch is available. Unfortunately, many network managers aren't paying enough attention to this reality—even though their networks are the ones most at risk. I like the idea behind ZERT, but the project is in its infancy. Only time will tell if ZERT really has the solution.

---

Also watch for…

• Microsoft has announced plans to delay the much-needed Windows XP update (Service Pack 3) until the first half of 2008. In other Microsoft news, two new vulnerabilities have surfaced in the newly released Internet Explorer 7: a spoofing flaw and a pop-up window flaw.
• Secunia has announced that it's now translating security advisories into German for German and Danish customers. (What about the Swiss and Austrians?) While computer security has traditionally been an all-English profession regardless of users' native languages, this security company has recognized that advisories are more accessible to more people when available in more languages. Secunia will continue to publish advisories in English first.

---

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Print/View all Posts Comments on this article

what does your company do about zero day? Tech Locksmith | 10/31/06

Educate SCSIcat | 10/31/06

ZERT MUST PROVE ITSELF Tech Locksmith | 10/31/06

Amen to Educate. asotelo@... | 11/07/06

We Wait and Educate rickk@... | 11/02/06

Definition of Redundant; see redundent Neon Samurai | 03/08/07