May 3, 2006 12:52 PM PDT
Open-source hunt digs up more flaws
Several bugs were found in Ethereal, which is used by network administrators and hackers alike. The latest version, released last week, includes fixes for a host of security holes, including several that were identified in the scan. These flaws could allow a full compromise of a system running the vulnerable software, Coverity said. Security monitoring company Secunia deems the Ethereal issues "highly critical."
"Many of these are remotely exploitable," Andy Chou, Coverity's chief scientist, said in an interview on Wednesday. "You can send data packets, exploit it and get whatever access Ethereal is running at."
The flaw identified in X could allow a local, nonprivileged user to gain full, root-level access to a vulnerable computer, Coverity noted. The flaw, for which a patch has been available since March, is rated "less critical" by Secunia.
The bug hunt is part of a three-year "Open Source Hardening Project," dedicated to helping make such software as secure as possible. In January, the U.S. Department of Homeland Security awarded $1.24 million to Stanford University, Coverity and Symantec to find vulnerabilities in open-source projects.
Developers have been quick to fix many bugs found as part of the program. More than 900 flaws were repaired in the two weeks after Coverity announced the results of its first scan of 32 open-source projects.