Pervasive 'rot' in shared code, or proof we're finally taking open source security seriously?
The last six months haven't been kind to users of popular open source packages, and the recently disclosed flaws in GNU's Wget and Binutils are only the latest examples. First, researchers disclosed "Heartbleed," an exploitable vulnerability in the ubiquitous OpenSSL library. That was followed by a string of other disclosures, most prominently "Shellshock," a 22-year-old exploitable hole in GNU Bash (the Bourne Again Shell) that forced untold numbers of software vendors and online service providers to push updates to their customers.
Last month brought more bad news. Google researcher Michal Zalewski issued a warning on October 24 about exploitable vulnerabilities in libbfd, the Binary File Descriptor library that is part of GNU Binutils and does the work of parsing executable formats for tools such as objdump. Binutils is a favorite of security vulnerability researchers because it includes tools that help them understand the structure of executable files. The vulnerabilities Zalewski found mean that a favorite tool of bug hunters could, under certain circumstances, be turned against them: a deliberately malformed binary fed to a libbfd-based tool can exploit the tool itself instead of being analyzed by it.
Then, last week, there were revelations about more exploitable security holes in common utilities. HD Moore of Metasploit and the firm Rapid7 disclosed one such vulnerability in Wget, a command-line utility that downloads files over protocols such as HTTP, HTTPS and FTP. The flaw Moore found lets a malicious operator of an FTP server create arbitrary files and directories, and overwrite existing files, on a system that mirrors that server with wget in recursive mode: the server's directory listing can claim that an entry is a symbolic link, and vulnerable versions of wget recreate that link locally, pointing wherever the attacker chooses, so later downloads are written through it. The ability to write outside the download directory is all a remote attacker needs to gain a foothold on the entire file system. Upgrading to wget 1.16 or later, or setting retr-symlinks=on in the wget configuration so that symlinks are retrieved as ordinary files rather than recreated locally, closes the hole.
Also last week, a patch was issued for a previously undisclosed vulnerability in Tnftp, the FTP (File Transfer Protocol) client that ships by default on a range of Unix-like systems, including Apple's Mac OS X. Left unpatched, the flaw lets a malicious or compromised server cause arbitrary commands to be executed on the Tnftp user's system, according to reports.
On one hand, these vulnerabilities aren't so surprising. There's been a growing awareness since the Heartbleed revelation that some of the open source and third party software we rely on harbors serious software flaws. In fact, Heartbleed spawned the Core Infrastructure Initiative, a collaborative effort to vet open source components that was funded by donations from leading tech firms. The latest disclosures may just be evidence that this effort is bearing fruit.
On the other hand, components like Bash, Binutils, Wget and Tnftp further highlight the distressing degree to which our software supply chain is populated by suspect products. There are many reasons for this. As Veracode researcher Melissa Elliott noted in a blog post in September, tools like Bash express the needs and assumptions of a now-distant era in computing "where infrastructure was built up very quickly without much idea of what the long-term consequences would be." These days, we're all stuck with what Elliott called the "technical debt" of those decisions.
The fact that tools like Bash and Wget are adopted by succeeding generations of technologists shouldn't surprise us. We use them because they're there and they work. For modern tech workers like Elliott, the tools may even be older than the worker using them. Worrying about their security is akin to wondering if the bridge you drive over to get to work every day might collapse beneath you. It's a reasonable, but troubling question to ask. And asking it tends to invite other, troubling questions.
Still, those are the questions that need to be asked if we're going to continue to build edifices on the foundation of open source code and shared components. In the short term, the course we're on will bring lots of pain, namely more disclosures of vulnerabilities in popular tools and shared components that past generations considered "tried and true." Eventually, however, our willingness to scrutinize the software we all rely on, make repairs and, when necessary, jettison outdated or insecure code, will pay dividends.