September 19, 2003 3:34 PM PDT
Security experts find open-source flaws
The more serious of the vulnerabilities affects Sendmail, an open-source program for managing e-mail. The vulnerability lies in the way the e-mail server software parses e-mail headers, said Dan Ingevaldson, engineering manager for Internet Security Systems in Atlanta.
"It's an extremely serious vulnerability," Ingevaldson said, adding that computer attackers could probably exploit it. It is less clear, he said, whether a separate flaw in OpenSSH, also discovered this week, can be exploited.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
"It may remain theoretical, it might prove to be exploitable," he said of the flaw in OpenSSH, which is used by network managers to log in remotely and gain encrypted access to computers and other networked devices.
Although it is not clear whether the OpenSSH vulnerability is exploitable, it would be serious if it were. The flaw occurs before authentication, meaning a user would not need privileges to log on to the machine to run the exploit, said Jason Rafail, an Internet security analyst with Carnegie Mellon University's CERT Coordination Center.
The OpenSSH issue affects versions before 3.7.1 and occurs as a problem in the way the software stores chunks of data using storage areas called buffers. Cisco said it has products that are affected, while Red Hat, Sun Microsystems and IBM's AIX Toolbox for Linux all use versions of OpenSSH that could be vulnerable.
The Sendmail flaw affects versions before 8.12.10. HP, IBM and Red Hat are among the software makers that use Sendmail and whose products could be affected.
Both pieces of software are commonly used at large companies, making them an attractive target to hackers, Ingevaldson said. "Hackers like to attack high-value targets," he said.
The latest flaws add to the debate over which is more secure--commercial software, such as that from Microsoft, or open-source software, such as Linux.
"In any given year there have been just as many vulnerabilities in the open-source community as there have been with Microsoft," Ingevaldson said.
It is difficult to compare the two, he said, but he noted that developers of both use similar tools to write their software and face similar challenges in dealing with hundreds of thousands or millions of lines of code.
With companies blocking all but a handful of the 65,000 available network ports, Ingevaldson said that hackers tend to target the infrastructure for things like e-mail and Web pages, which are allowed to enter a network.
"The open-source guys and the big commercial vendors are dealing with the same problem," Ingevaldson said.