pixel_dreams - Fotolia

Commercial code riddled with open source vulnerabilities

Roundup: Customers, vendors both unaware of unpatched open source vulnerabilities in commercial software. Plus OpenSSL patches, warrantless wiretaps and more.

Commercial software vendors are increasingly adding open source code to their products -- yet they are also often failing to push security patches for open source vulnerabilities to their customers, according to new research.

While it may not be surprising that customers were unaware of the presence of unpatched open source vulnerabilities, a new report from Black Duck Software of Burlington, Mass., showed that vendors were also unaware of the open source vulnerabilities present in their own products. In a study of more than 200 commercial applications over a six-month period, Black Duck found open source code in 95% of the applications, and reported that 67% of those applications reviewed "contained security vulnerabilities in open source components."

"Our study found over 10% of the applications tested included the Heartbleed vulnerability (disclosed a minimum of 18 months prior to our analysis), and almost 10% included POODLE," Black Duck wrote. "LogJam and FREAK each affected almost 5% of the applications."

Almost 40% of the vulnerabilities discovered rated a CVSS score of 7.0 or greater -- meaning "high severity," while another 52% were of medium severity (CVSS score between 4.0 and 6.9).

Among the findings Black Duck reported in "The State of Open Source Security in Commercial Applications": The average commercial application consists of more than 35% open source software, and average applications contain over 100 unique open source components. Also, companies that listed the components they expected in their applications were "often only aware of 45% of the actual components used."

"Technology providers win or lose based on time to market, feature level and price. Security is sometimes thought about afterward, and field upgrades and patches are usually not thought about at all," Paul Vixie, CEO at Farsight Security Inc., told SearchSecurity."I think it's reasonable to assume that most bugs will live forever, somewhere."

OpenSSL patches rolled out

I think it's reasonable to assume that most bugs will live forever, somewhere.
Paul VixieCEO, Farsight Security Inc.

Meanwhile, OpenSSL rolled out patches for six vulnerabilities, including two of "high severity," though no exploits had been found in the wild for any of the vulnerabilities. The popular open source cryptographic library project gave users a one-week advance warning that the patches would be made available. The two high-severity vulnerabilities included CVE-2016-2108, which "could cause an out of bounds write leading to memory corruption," and CVE-2016-2107, a padding attack that "could be used to permit an attacker who is in a position to man-in-the-middle the session to decrypt traffic."

In other news:

  • The NSA and CIA have conducted more than twice as many warrantless searches in 2015 as they did in 2013, according to the National Intelligence Transparency Report for 2015. In 2015, 4,672 searches were made, compared to the approximately 2,100 searches reportedly made in 2013. This year's report, released by the Office of the Director of National Intelligence, includes the number of warrantless searches made concerning U.S. citizens by the CIA and NSA on the Section 702 database. These figures include only searches generated from the NSA and the CIA; a FISA court ruling gives the FBI unlimited access to the Section 702 database to search for information about U.S. citizens. The 702 database contains bulk surveillance data collected outside of the U.S. by the NSA and authorized under Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • Payroll giant ADP's customer portal was hacked and attackers gained access to "a small subset" of ADP customers' employees' W-2 data, according to security reporter Brian Krebs. The incident first came to light after U.S. Bank warned some of its employees that attackers with access to an employee's personal data -- name, date of birth and Social Security number -- could create an account on the ADP portal in the employee's name, and get access to that employee's W-2 data. With that, the attacker would be able to file a tax return and fraudulently receive the employee's tax refund.
  • Attackers have been observed exploiting holes in the Remote Desktop Protocol (RDP) to spread ransomware, according to a researcher at Dutch cybersecurity firm Fox-IT. RDP, a proprietary protocol first offered by Microsoft for use in Windows XP, is still widely used to enable remote control of Windows desktops for tech support and collaboration. Vulnerabilities in RDP have long been exploited for denial of service and remote code execution, but now attackers have been observed exploiting RDP to propagate ransomware, according to Wouter Jansen, senior forensic IT expert at Fox-IT. Reviews of log files show that the attackers are able to gain access to Internet-facing remote desktop servers by brute forcing usernames and passwords. Jansen noted that the exploits could have been thwarted by not connecting the servers to the Internet or at least using stronger authentication methods for remote access; better log monitoring would also have helped.
  • Computer scientists at the University of Michigan have discovered that Samsung SmartHome applications may not be so smart, at least from a security perspective.  Although SmartThings implements a "privilege separation model," the scientists reported that they found "two intrinsic design flaws that lead to significant overprivilege in SmartApps." More than 55% of SmartApps in the store are "overprivileged due to the capabilities being too coarse-grained." Once installed, SmartApps are granted "full access to a device even if it specifies needing only limited access to the device," according to the research team. The team also reported the SmartThings event subsystem, by which SmartThings devices are able to communicate asynchronously with SmartApps via events, "does not sufficiently protect events that carry sensitive information such as lock codes." The researchers were able to exploit the framework and build four proof-of-concept attacks that "(1) secretly planted door lock codes; (2) stole existing door lock codes; (3) disabled vacation mode of the home; and (4) induced a fake fire alarm."
  • Craig Wright dropped his campaign to prove himself the semi-legendary Bitcoin creator Satoshi Nakamoto. Just two days after blogging his initial claims, which were reported by the BBC, the Economist and GQ, Wright replaced his personal blog with a single message: Wright would not provide any further documentation of his claim because he did not have the "courage" to follow through with putting "the years of anonymity and hiding behind" him. Critics had initially been quick to point out factual discrepancies in his initial announcement, which had been intended to demonstrate his proof.

Next Steps

Read about the benefits of a vulnerability scoring system.

Learn more about how attackers -- and defenders -- have exploited Heartbleed.

Find out more about how Heartbleed changed the way open source vulnerabilities are handled.

Dig Deeper on Application and platform security