13-Year-Old Password Security Bug Fixed
arglebargle_xiv writes "In a sign that many eyes don't really make (security) bugs shallow, a thirteen-year-old password-hashing bug that affects (at least) PHP, some Linux distros (Owl, ALT Linux, SUSE), and a variety of other apps has just been patched. This problem had been present in widely-used code since 1998 without anyone noticing it." Better late than never; reader Trailrunner7 points to this article outlining the dangers of old exploits, given old code for them to toy with.
At least it was fixed (Score:3, Interesting)
How many bugs are there in commercial software that we don't know about?
What we do know is that there are many exploits for commercial software. The vendors claim that such exploits only exist because that software is more popular, but this does not explain why Apache doesn't have four times more exploits than IIS [netcraft.com].
Not unprecedented (Score:3, Interesting)
http://www.osnews.com/story/19731/The-25-Year-Old-UNIX-Bug [osnews.com]
These kinds of stories make me nervous, because I always assume that crackers know about these and are using them secretly.
Though this is obviously not an OSS issue. Were this Windows, it might not have been found at all.
Umm, It's not an official fix (Score:5, Interesting)
"I am going to provide an official fix for crypt_blowfish (likely the one-liner plus added tests). I thought I'd bring the issue up on oss-security sooner rather than later."
So, the bug appears to have been found today and the developer has a one-liner solution but hasn't released a patch. I think the summary did a piss poor job talking about what is affected by the problem too... specifically crypt_blowfish, which I know my company uses for a few things. It is interesting to know that this hash is now far weaker than originally thought until it gets patched (which will prolly take a long time to make it into major distros).
Anyway, I'm done bitching, definitely a story worthy of
Re:At least it was fixed (Score:1, Interesting)
Does it matter? Being open source is NOT what makes something secure. Following proper coding practices and being properly configured make a program secure. Open source *may* help a project follow better coding practices... or it may hinder a project by having too many chefs in the kitchen... hard to know.
But I do know that I'm not going to run some software merely because it is open source. I am going to run it because it has demonstrated security in the past.
In other words, I go with what has been proven more secure, based upon vulnerability disclosures and compromises, not based upon misplaced trust in strangers auditing open source code for me.
Re:At least it was fixed (Score:4, Interesting)
In all fairness, software is only as secure as the culture behind it. Everybody using PHP knew of this bug for ages; it's just that nobody gave a damn. Except those who didn't know, and they also didn't give a damn.
PHP has never been crazy about security, what else do you expect from a runtime that once let you insert arbitrary variables into the script namespace?
The few people using PHP who care about security that much are using DIY password management anyway.