Quality, Vulnerability, Viruses, Malware

“Daddy, why is the computer on fire?”

Open Source Software and Viruses/Malware

As said in previous posts, free software on the Internet has earned a bad reputation, especially with the early generation of internet users (people born before 1990). Shareware or freeware, as it used to be known, quickly developed a reputation for being badly built, and sometimes came bundled with programs you didn’t want to install (the kind that make pornographic ads pop up when your kid is researching a school project).

Maturity is a primary indicator of the vulnerability that might be associated with any given Open Source solution. The source’s adherence to recognised quality assurance processes and standards is also a useful signal. A key metric is how many bugs have been discovered, what their impact was, and how quickly the source responds to those vulnerabilities. The Open Source development model has some advantages in this regard.

Here is a longer discussion of Security Concerns for Enterprise Deployment of Open Source Solutions from 2003 - and as you will note, the question is taken seriously. “Enterprise” in this context really means a large business; however, it is still worth reading.

Open Office, a widely distributed and installed OSS offering, can certainly be vulnerable to threats. Some of these arise in foundation libraries, code that has been salvaged from older products in the public domain. For example ….
Others are vulnerabilities targeting macros in OO Draw.

The question is: how is a flaw discovered, how does the issuer respond, and what level does the attack target?
Here is an Open Office example.

A buffer overflow vulnerability was discovered on March 31st of 2005, and a fix was distributed on April 12, 2005.

There is a need for constant upgrading as vulnerabilities are discovered and patched. Microsoft provides a never-ending stream of patches to fix security holes. The Open Source movement patches its software as well. Who responds faster, and is more open to admitting and fixing the problem? When your shares trade on capital markets and product flaws are exposed, there is a risk of financial consequences for investors. This puts pressure on the software issuer to manage the bad news - sometimes leading to what critics call denial, obfuscation, and shrugging off of responsibility. This is not in users’ best interests.

So is Microsoft a safer bet? Well, that would be a no.
Look at the number of times that Microsoft appears on the IT Locksmith’s blog about security flaws and deficits - in fact, Microsoft is a preferred target precisely because of its enormous install base. There have been 69 security bulletins from Microsoft in 2007 at the time of writing.

Here are the security problems encountered by Microsoft Office 2000, from 2004 through to the present. Note that 11% are not fixed, that 27% were critical, and that 10% were vulnerable to Denial of Service attacks. This is not to say that Microsoft Office 2000 is a bad product - it isn’t. And the 11% that are unfixed are probably not critical bugs. The point is that software is enormously complex, the potential entry points for bugs are astronomical, and the probability of bug-free software is close to zero. What matters is how the flaws are addressed.

People track this stuff, and are trying to provide a rapid response and advisory service. There are also organisations in academia that work on these issues.

Here is a report on Open Office, showing that of the seven advisories issued, none is left unpatched by the vendor.

Europe in some ways is taking the lead on issues of security and quality assurance. This is driven by their deployment rate of Open Source software, in part to avoid contributing to Microsoft’s (American) success.

“In most open source projects we can also access their version control system, mailing lists and issue databases. We can use these data sources to extract quality indicators through techniques, such as data mining.”

Note: Open Office’s version control system, mailing list, and issue database, in this case for the Calc subproject.

The Software Quality Observatory for Open Source Software or SQO-OSS project is designed to address these issues.
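The response-time and impact indicators described above (count of advisories, share critical, share unpatched, speed of the fix) can be computed directly from advisory records. The following is an added example, not code from the post or from SQO-OSS; the `Advisory` fields and the severity scale are my own, and the sample records are constructed, with the first mirroring the Open Office buffer overflow timeline quoted earlier.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    """One security advisory as a tracker would record it (field names are assumed)."""
    ident: str
    disclosed: date            # date the flaw became public
    fixed: Optional[date]      # date the vendor shipped a fix, or None if still unpatched
    severity: str              # constructed scale: "critical", "moderate" or "low"
    dos: bool                  # True if the flaw enables a denial of service

def days_to_fix(adv: Advisory) -> Optional[int]:
    """Vendor response time in days; None while the advisory is unpatched."""
    if adv.fixed is None:
        return None
    return (adv.fixed - adv.disclosed).days

def response_metrics(advisories: list) -> dict:
    """The indicators the post argues matter: how many flaws, their impact, and response speed."""
    if not advisories:
        raise ValueError("no advisories to summarise")
    n = len(advisories)

    def pct(k: int) -> float:
        return round(100.0 * k / n, 1)

    fix_times = [d for d in map(days_to_fix, advisories) if d is not None]
    return {
        "count": n,
        "unpatched_pct": pct(sum(a.fixed is None for a in advisories)),
        "critical_pct": pct(sum(a.severity == "critical" for a in advisories)),
        "dos_pct": pct(sum(a.dos for a in advisories)),
        "median_days_to_fix": median(fix_times) if fix_times else None,
        "max_days_to_fix": max(fix_times) if fix_times else None,
    }

# Constructed sample set. The first record mirrors the Open Office buffer overflow
# timeline quoted in the post; the remaining four are invented for illustration.
SAMPLE = [
    Advisory("OOo-bof-2005", date(2005, 3, 31), date(2005, 4, 12), "critical", False),
    Advisory("X-2006-01", date(2006, 1, 10), date(2006, 1, 30), "moderate", True),
    Advisory("X-2006-02", date(2006, 6, 1), None, "low", False),
    Advisory("X-2007-01", date(2007, 2, 14), date(2007, 2, 20), "critical", False),
    Advisory("X-2007-02", date(2007, 5, 1), date(2007, 6, 10), "moderate", True),
]

if __name__ == "__main__":
    for key, value in response_metrics(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against two vendors’ advisory histories, the same function gives the like-for-like comparison the post asks for: not the raw bug count, but how much of it is critical and how long it stays open.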

Open Source - Not Freeware, Not Shareware

Freeware and shareware were generally small programs written by tiny development teams – often just one person – and the poorer efforts warned the user community away from the idea of free quality. Notice that freeware and shareware were NOT Open Source – the code base was never published for public examination. Nor were they sponsored by IBM or Sun Microsystems, who would never allow their names to be connected with such products.

Open Source is not the same animal. It is not freeware or shareware; the community has seen the code and reviewed it. It does not embed and distribute malware or spyware. It does not corrupt your system. In many ways, the Open Source movement maintains higher quality standards than many commercial software houses. Perfect? No. Invulnerable to attack? No. If we wait for software like that, we will never touch a keyboard again.

Trust us on this…
