[Cryptography] It's GnuTLS's turn: "Critical new bug in crypto library leaves Linux, apps open to drive-by attacks"

Jerry Leichter leichter at lrw.com
Tue Jun 3 13:57:17 EDT 2014


"A recently discovered bug in the GnuTLS cryptographic code library puts users of Linux and hundreds of other open source packages at risk of surreptitious malware attacks until they incorporate a fix developers quietly pushed out late last week."

http://arstechnica.com/security/2014/06/critical-new-bug-in-crypto-library-leaves-linux-apps-open-to-drive-by-attacks/

It's a buffer overflow induced by sending an overly long session ID.  Allegedly code execution has already been demonstrated.

So now we've had serious attacks on Apple's private SSL implementation, OpenSSL,  and now GnuTLS.  Is anything left standing?  What does Windows use for its SSL implementation?

If this isn't the death of "it's open source, any bugs will be found quickly", I don't know what will be.  But it really is way past time to get beyond that, and  every other technique we're currently using.  They ain't working.  We have new tools - better languages, better analyzers, better ways of managing sensitive code bases.  Maybe they're better, maybe they aren't - but we'll never find out because we aren't using any of them.

But that's all just whistling into a hurricane.  The economics say "use the free code, ship first and worry about security later" - the long, all-too-familiar list of reasons not to do the right thing.

                                                        -- Jerry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140603/e17e5000/attachment.bin>


More information about the cryptography mailing list