Lyos Gemini Norezel wrote:

> Don't security risks grow exponentially as software 'bit rots'?

If someone finds and publishes a security hole, and no one tries to fix it, then the risk increases dramatically. If no holes are published and the software doesn't change, then I'd say the risk is fairly constant.

There is always the possibility that some bad guy finds a hole that the good guys haven't found and fixed yet. The bad guy can then use the hole in a few directed attacks against selected targets. (In the case of id3lib he could, for example, send a malformed MP3 file to the victim by email.) In that case you're at risk only if you are the bad guy's target. He can also use the hole in a large-scale attack against the entire userbase (for example, publish a malformed MP3 file on some popular file sharing networks), but only once, because then the hole will become publicly known and presumably fixed, and after that the risk is the same as for any other published hole.

All of this is true both for stable software and for software in active development, and although the developers in an active project may occasionally find a hole and fix it, they may also introduce a new hole at any time.

I'm much more nervous about programs like Squirrelmail, Firefox and Thunderbird, for which there is a steady stream of security fixes, because it indicates that the code is of low quality or that the design is fundamentally flawed.

Björn Persson