Recently discovered security holes in Samba were serious threats to companies using the popular freeware, which enables end users to access and use files, printers and other commonly shared resources on a company's network or via the Internet.
But they also demonstrated how the code-review process among those in the open-source community can ferret out vulnerabilities and how developers have adopted a new mindset, one in which secure coding is often seen as paramount over features and functionality.
Security holes in open-source applications and systems have been making news in the last 12 months, with highly publicized flubs in Sendmail, Snort, Apache and PHP grabbing headlines. Samba joined that group with separate security warnings on March 14 and April 7. The first warned of a flaw in Samba's main SMBD code that could allow an external attacker to remotely and anonymously gain root privileges on a server running Samba. SMBD is the server daemon that provides file-sharing and printing services to Windows clients. The second was a buffer overflow flaw that could also enable an attacker to remotely hijack a Samba server.
Both struck deeply at the heart of developer Jeremy Allison, who wrote the original code in both instances.
"We try to meet the highest standards. This is the third or fourth remote hole, which is not great, but it's not bad when you consider we've been going 11 years," Allison said. "We were not as security conscious as we are now. Originally, interoperability was the main goal. I did a lot of soul-searching on this. How did this happen? This is a personal embarrassment. The only explanation is that when I was writing the code way back when, we were concerned about making it work with Microsoft clients.
"We were not thinking about security. We were not paranoid enough. The good thing about the open-source community is that someone comes along eventually who is."
That's the beauty of the open-source community, Allison said. For example, SuSE Linux AG, a Nuremberg, Germany, Linux distributor, discovered the SMBD flaw in Samba during an audit of the Samba code. It's rare that the Samba team would audit its own code, Allison said, especially in a feature like SMBD, which has worked without fault for years.
The second flub was found by a San Antonio-based security firm known as Digital Defense. Digital Defense was alerted to the vulnerability when it captured an exploit in a honeypot it was hosting. It notified the Samba team, then published a security advisory warning users. Someone, however, inadvertently attached the exploit code to the security advisory and essentially exposed the exploit on a wide scale.
"They turned something dangerous into something potentially catastrophic," Allison said. "They allowed the script kiddies access to a pre-canned exploit code. We were very cross, and they apologized. I don't know why it happened. My personal feeling is that someone there made a horrible mistake."
Security by obscurity is a charge that Microsoft and other vendors of proprietary software hear often. Essentially, when researchers or users stumble upon a vulnerability, protocol dictates that they inform the vendor and give the company adequate time to examine the security hole and prepare and test a patch before releasing it to users. In the meantime, fingers are crossed that an attacker does not stumble across the same information and use it to create and circulate an exploit.
"We are in close contact with Microsoft because we work so closely with their stuff," said Allison, who added that Samba is probably not high on Microsoft's hit parade. "We are not Microsoft's favorite people, I'm sure. Because for every Samba server that is sold, that is one less Windows 2000 server that is going to be sold by them. But there is a matter of professional respect. We treat vendors like we would like them to treat us."
Allison said Samba's recent security woes are prime examples of the benefits of open-source.
"I much prefer the way the open-source community deals with it. Unquestionably, it's better," Allison said, "simply because we have no secrets. Proprietary software reminds me of ancient alchemists who told people there was only one truth and it was secret and you had to get it from them.
"The open-source community says 'Here's the code. Do with it what you will.' I liken it to the scientific method, which is why I believe open-source will dominate ultimately."