OpenBSD patches authentication bypass, privilege escalation vulnerabilities - Comment

It has been reported that OpenBSD has patched four vulnerabilities including privilege escalation flaws and a remotely exploitable authentication bypass.

Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said: “Eric Raymond famously said ‘given enough eyeballs, all bugs are shallow.’ What he meant was that if you have enough developers examining your software for enough time, eventually nearly all bugs will be found and fixed. While this is probably true, it’s the ‘enough eyeballs’ part that is difficult. OpenBSD is estimated to contain nearly three million lines of code. How many eyeballs do you need for that? How much time?

Using automated tools can reduce the amount of manual work that is needed to keep risk acceptably low. Techniques such as source analysis and fuzz testing assist the development team in finding and fixing bugs before release. Given the complexity of OpenBSD and many other projects, it is hardly surprising that new vulnerabilities, sometimes serious, continue to be found. The lesson to be learned is that updating your systems is critically important. When vulnerabilities like this become widely known, you must update your systems promptly, because attackers will be in just as much of a hurry to exploit the vulnerability.”
