Well, I would hardly expect him to blog about it had the outcome been in favour of the other side of the software industry.
Still, this is FUD. Why? Because you can’t just compare counts of security leaks waiting to be fixed. It’s like counting dents on one car, comparing it to a seriously shot up Hummer from Iraq, and then saying that the Hummer is badly manufactured, because the other car only has some dents while the Hummer has holes. Just about the same applies to security issues.
One security issue that needs to be fixed within hours of discovery, for example, is an issue that is remotely exploitable. Say you (for some dark reason) have an Oracle box connected to the internet, without any firewalling (this happens more often than people would like to know or admit to). This Oracle instance is listening on a certain TCP port, so applications can make a connection to the Oracle server and fire off some queries. Then someone discovers that there is a buffer overflow in the networking code of Oracle, which can result in the same privileges as the user Oracle is running under, including shell access, which could be used to further escalate privileges.
Fine, I think we can all agree on that. (note: it’s still hypothetical – nobody runs Oracle like that).
Now, say we have an issue with a buffer overflow inside one of the command-line tools Oracle provides. This tool is only accessible from the system the tool is installed on; it does not open any network connections, other than a link to the socket Oracle is listening on. With some specially crafted commands, you can trigger the buffer overflow and gain privileges. But(!) you already have those privileges. Otherwise you wouldn’t be able to execute the binary. There would, however, be a danger if the binary were installed setgid or setuid, or run through sudo. But in that case, once the problem is announced, a sysadmin can take away those rights.
Not so hypothetical that one. Happens quite a lot.
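The mitigation mentioned above, taking the setuid/setgid bits off a locally exploitable tool, is easy to audit and apply with a short script. This is an added example, not from the original post or from Oracle; the directory tree it scans is constructed on the fly to stand in for a vendor tools directory.

```shell
#!/bin/sh
# Added example: find and strip setuid/setgid bits under a tools directory so a
# local-only buffer overflow in one of those tools no longer buys privileges.
# Assumes POSIX find/chmod/mktemp; paths below are constructed placeholders.

# Print every regular file under $1 carrying the setuid (4000) or setgid (2000) bit.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Number of such files, used for the before/after check.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Remove setuid and setgid from every such file under $1, reporting each change.
strip_setid() {
    list_setid "$1" | while IFS= read -r f; do
        echo "removing setuid/setgid from $f"
        chmod u-s,g-s "$f"
    done
}

# Build a constructed sample tree: two set-id helpers and one plain binary.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    : > "$d/bin/local_tool"      # constructed: a setuid helper
    : > "$d/bin/group_tool"      # constructed: a setgid helper
    : > "$d/bin/plain_tool"      # constructed: no special bits
    chmod 4755 "$d/bin/local_tool"
    chmod 2755 "$d/bin/group_tool"
    chmod 0755 "$d/bin/plain_tool"
    echo "$d"
}

demo_dir=$(make_sample_tree)
echo "before: $(count_setid "$demo_dir") set-id file(s)"
strip_setid "$demo_dir"
echo "after:  $(count_setid "$demo_dir") set-id file(s)"
rm -rf "$demo_dir"
```

On a real system the same functions would be pointed at the installation directory, and anything still in the list afterwards is a tool someone has decided genuinely needs the bits.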
Now, from a security officer’s standpoint, the second issue really doesn’t bother me that much. The system is behind a firewall, and almost nobody has actual access to the box.
Jeff Jones, however, sees those two as equals, and states that the second issue is as big a deal as the first, while anyone can tell you the second issue isn’t much of a big deal. Unix land does not feel much urgency to fix that issue; there are more important issues to deal with (like the one in the first example).
So, once again, it’s a matter of personal perception. In the case of Jeff Jones, this perception is dictated by corporate policy. That makes this whole research report flaky at best, and downright biased at worst. And that, my dear readers, makes it FUD.
War on FUD is a series of blog posts I have made concerning all manner of FUD and why intelligent lifeforms should not pay attention to it.