[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Retiring ksensors, possibly id3lib as well?



Lyos Gemini Norezel wrote:
> Don't security risks grow exponentially as software 'bit rots'?

If someone finds and publishes a security hole, and no one tries to fix it, then 
the risk increases dramatically. If no holes are published and the software 
doesn't change, then I'd say the risk is fairly constant.

There is always the possibility that some bad guy finds a hole that the good 
guys haven't found and fixed yet. The bad guy can then use the hole in a few 
directed attacks against selected targets. (In the case of id3lib he could for 
example send a malformed MP3 file to the victim by email.) In that case you're 
at risk only if you are the bad guy's target. He can also use the hole in a 
large-scale attack against the entire userbase (for example publish a 
malformed MP3 file on some popular file sharing networks), but only once, 
because then the hole will become publicly known and presumably fixed, and 
after that the risk is the same as for any other published hole. All of this 
is true both for stable software and for software in active development, and 
although the developers in an active project may occasionally find a hole and 
fix it, they may also introduce a new hole at any time.

I'm much more nervous over programs like Squirrelmail, Firefox and 
Thunderbird, for which there is a steady stream of security fixes, because it 
indicates that the code is of low quality or that the design is fundamentally 
flawed.

Björn Persson

Attachment: signature.asc
Description: This is a digitally signed message part.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]