Although Microsoft Windows vulnerabilities get most of the headlines, researchers have identified vulnerabilities in two commonly used open-source software products.

The more serious of the vulnerabilities affects Sendmail, an open-source program for managing email. The vulnerability lies in the way the email server software parses email headers. Dan Ingevaldson, engineering manager for Internet Security Systems, said: "It's an extremely serious vulnerability."

He said it is less clear whether a separate flaw in OpenSSH, which is used by network managers to log in remotely and gain encrypted access to computers and other networked devices, can be exploited. "It may remain theoretical, it might prove to be exploitable," he said.

Jason Rafail, an Internet security analyst with Carnegie Mellon University's CERT Coordination Center, said although it is not clear whether the OpenSSH vulnerability is exploitable, it would be serious if it were. The flaw occurs before authentication, meaning a user would not need privileges to log on to the machine to run the exploit.

CERT has issued advisories for the OpenSSH and Sendmail flaws. The OpenSSH issue affects versions before 3.7.1 and occurs as a problem in the way the software stores chunks of data using storage areas called buffers. Cisco said it has products that are affected, while Red Hat, Sun Microsystems and IBM's AIX Toolbox for Linux all use versions of OpenSSH that could be vulnerable.

The Sendmail flaw affects versions before 8.12.10. HP, IBM and Red Hat are among the software makers that use Sendmail and whose products could be affected.

Both pieces of software are commonly used at large companies, making them an attractive target to hackers, Ingevaldson said. "Hackers like to attack high-value targets," he said. Word of these flaws comes amid concern that virus writers may create new bugs based on Windows vulnerabilities disclosed last week.

The latest flaws add to the debate over which is more secure - commercial software, such as that from Microsoft, or open-source software, such as Linux. Ingevaldson said: "In any given year there have been just as many vulnerabilities in the open-source community as there have been with Microsoft." It is difficult to compare the two, he said, but he noted that developers of both use similar tools to write their software and face similar challenges in dealing with hundreds of thousands or millions of lines of code.

With companies blocking all but a handful of the 65,000 available network ports, Ingevaldson said that hackers tend to target the infrastructure for things like email and web pages, which are allowed to enter a network. Ingevaldson said: "The open-source guys and the big commercial vendors are dealing with the same problem."

Ina Fried writes for CNET News.com
Open source security flaws alert
Not Microsoft for once...