"The bottom line is, are there more such vulnerabilities in current Open Source software, or in the current Microsoft product?"

I'm sorry that you feel this way. I think the only bottom line is "Are customers at risk". If you're going to consider Security as a marketing tool

in some sort of competition with another company, then I want to have

nothing to do with software you write. If I installed a Linux distribution one year ago, and haven't patched it since, is my machine at risk?

Yes.

You say we've learned something from the wu-ftpd exploits. Perhaps so. But these are lessons that have been documented publicly for the last decade. And they weren't found by a proactive audit, they were found by people who were actively cracking systems, and by people whose systems were actively being cracked.

If open source is such a panacea for security, WHY IS THIS STILL HAPPENING? Why didn't this stop three years ago? Four years ago?

Five years ago? Why were there remote buffer overflows in imapd?

Proftpd? and endless succession of other mediocre opensource packages?

You look at Open Source and say "the potential for security is higher." And you're _RIGHT_. But you think that's enough, and I think that is where you fail. Until proactive positive audits of software are conducted, systems are at risk every day. And until you and your fellow developers understand that, I tread fearfully any time I depend on the security of Linux-based machine.

David Terrell

dbt (at) meat (dot) net [email concealed]

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/19/1452#1452