Business Standard


Devangshu Datta: Open season on day-zero


Devangshu Datta, New Delhi

The software industry is divided over the pros and cons of open-source versus proprietary "closed-source" software. Closed-source advocates say that it offers more secure platforms and cleaner applications and products. It also offers higher financial incentives to the charmed circle of developers with access to the code.
 
Open-source advocates say it offers more secure platforms, helps develop more and cleaner apps, and offers financial incentives to a larger base of developers. Bugs also get patched more quickly, again because of the larger population of developers.
 
What works better in terms of market share and profitability? The closed-source Apple platform has few users and far fewer apps than the "semi-open" Windows. Microsoft has consistently generated far higher revenues and profitability than Apple. One reason is that MS simply makes it easier for third-party developers.
 
But totally free, open-source platforms such as Linux (and the free, open-source Firefox browser) have won market share off Windows (and IE). Many apps (both free and paid) have been developed for Linux. A multitude of Firefox plug-ins, combined with better security, has made it the browser of choice for many.
 
Bug discovery and fixes are the most critical aspect of the debate for users. A bug is discovered; it is patched. From day zero, when the bug is discovered, to the day it's patched, it's open season for crackers.
 
Do open-source bugs get patched more quickly? The jury's out. But it does seem that full disclosure accelerates the patching process. If you discover a bug in some software you use, it's better not to complain privately to the vendor. Scream loudly about it in every Web forum you can access.
 
Last year, Microsoft issued about 55 critical patches for Windows XP. According to the Washington Post, it reacts significantly more quickly to public complaints. On average, MS took 134 days to patch privately reported vulnerabilities, whereas it responded inside 46 days for publicly reported bugs.
 
Oracle (which works off open-source platforms) issued over 80 patches in 2005. That suggests that, even if open-source software has more bugs, those bugs are also addressed efficiently. Apple has taken much more time than either Oracle or MS in addressing known issues in the QuickTime player.
 
MS took just 10 days to patch a very serious flaw in the Windows Meta File (WMF) format that was flagged in late December. That's commendably quick by corporate standards. But it's glacially slow in the context of the Web. By the time the official MS patch arrived, independent security consultants had written "hot-fixes", the crackers had written new malware, and antivirus vendors had updated signatures to deal with that malware.
 
The urgency was because unpatched Windows systems are exposed every time an image file is viewed. There is a way to get WMF to run code off a remote location simply by clicking on a picture sent by e-mail or placed on a website. Hundreds of these "poisoned" images are now floating around.
 
The amazing thing is that the WMF flaw has been there for at least five years. It's embedded in every MS operating system since Win2000. Several other flaws and vulnerabilities in WMF had been picked up earlier.
 
There must have been a collective blindness across the computer security industry for this to stay under the radar so long. The flaw is so basic that it has sparked off a debate as to whether it was deliberate.
 
Steve Gibson (writer of the popular SpinRite and ShieldsUP! utilities) suggested that it was a backdoor written into the system by MS. Mark Russinovich of Sysinternals (the man who flagged the Sony rootkit) thinks the WMF code wasn't deliberately written as a backdoor.
 
Windows isn't open-source, but it's close to it, because there are millions of beta-testers and people with access to the software development kit (quite a few of whom have demonstrably malicious intent). So this is a peculiar test case for the debate. Would a completely open-source OS have triggered quicker discovery and patching? Would a totally closed-source OS have left the problem undiscovered and hence unexploited?
Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper


First Published: Jan 21 2006 | 12:00 AM IST
