SNMP Security Flaw Threatens Network Infrastructure
Steven Bonisteel, Newsbytes 2002-02-12

Network administrators are being urged to fix -- or at least shield from attackers -- a veritable laundry-list of Internet-connected equipment that may be vulnerable because of flaws in software that helps control them.

Comments
So they've proven that most SNMP implementations have bugs...we knew that already 2002-02-13
Anonymous
Is it just me, or is this a case of people becoming hysterical about something that is old news?

All the SPG group at Oulu has done is create a systematic black-box software testing suite that can demonstrate something that we already knew, namely, that all software programs have bugs that could *potentially* lead to security vulnerabilities? We've known that for years. A similar stink was made several months ago when this same group published a test suite for LDAP servers showing that virtually all the major LDAP products behave erratically when you throw malformed LDAP packets at them. Ooh, big surprise! Have we seen any devastating LDAP exploits or worms since then? I might have missed them, but I doubt it. Why haven't we seen such exploits? Because it takes much more than black-box testing to actually find an exploitable condition and develop an exploit for it. Good guys and bad guys alike already knew that the bugs are there to be found...does this black-box testing suite change that? No. Will it increase the likelihood that the next Code Red will be an SNMP worm? I doubt it; just because the bugs are there doesn't mean that they will definitely be exploited.

The SPG group at Oulu University is to be commended for their fine work in developing such a comprehensive testing suite, as it has the potential to become a very powerful tool in the battle against security bugs. I just wish people would stop screaming about the sky falling when the only thing that has been demonstrated is something that should have surprised no one. Take their results for what they are...a confirmation that software has bugs that can potentially cause security vulnerabilities.

Copyright 2009, SecurityFocus