Open Source security flaws transcend personal biases

Call it equal-opportunity vulnerability: In recent months, open source software has faced a growing number of security threats, in the form of hacks, cracks, viruses and worms. It seems like no network or server is safe any more, regardless of their use of proprietary or more open-ended applications.

Debates have raged over the extent of these threats, as well as over who is ultimately responsible for them. I’ve seen a lot of conspiracy theorists blame Microsoft Corp. for playing things up, while others pronounce the death of Linux. However, I believe that in some ways this growing insecurity is also a sign of the strength of Open Source.

It’s a bit like what sometimes happens in Hollywood: the more popular you are, the more of a target you become. One technology administrator I spoke with recently described how upgrading to Windows NT left his network more prone to attack in some ways, since no one had ever written a virus for his organization’s previous (and archaic) platform.

Still, open source offerings have taken a firm hold in the enterprise, and it’s important that organizations be adequately prepared for threats big and small.

Forrester Research Inc. claims that while the number of Global 3,500 companies implementing Linux this year has “hardly increased” from 2001, nearly 10 per cent of them use the operating system.

Apache, the open source Web server, has a much stronger presence. In June, nearly 60 per cent of the top servers were running the open source app, compared with about 29 per cent running Microsoft products. That figure was up by more than three per cent from May and came at Microsoft’s expense, according to Netcraft.

In the face of these statistics, enterprise IT managers would be wise to keep tabs on the growing risks:

  • Microlink Systems recently identified a new worm threatening servers running the FreeBSD OS and Apache Web software, but infection rates have been minimal, due to its limited scope, as well as upgrades by network managers;
  • This spring, Internet Security Systems outlined how denial-of-service attacks could be launched against Apache Web servers, garnering widespread complaints that the company hadn’t given the Apache Software Foundation enough time to develop a patch before going public;
  • Earlier this month, researchers announced that two types of Sharp’s Zaurus Linux handhelds were vulnerable to attacks that would let intruders take over the devices’ file systems;
  • The latest variant of the Simile.D virus can apparently infect desktop PCs running either Windows or Linux, although the overall threat is low; and
  • British firm MI2G claims that while attacks on Web servers running Microsoft apps have dropped from last year, attacks on Linux systems over the past six months have already surpassed totals for 2001.

None of this is to say that Open Source apps are worse than proprietary software in terms of security. Most of the threats outlined above pale in comparison to the litany of woes that Microsoft’s Internet Information Server has seen over the years.

But rather than bashing or praising specific products based on a preference for one camp or another, it’s far more worthwhile to balance potential risks with available resources. Since most organizations use a mix of software applications, this means keeping personal biases in check — and making security a non-denominational concern.

johnsaunders@sympatico.ca
