On 9/5/2018 2:31 AM, Gilles Gravier wrote:
> It's the common example that I use to tell people that open-sourcing
> software makes it more secure because the good guys have access to the
> source code at the same time as the bad guys, which gives them a fair
> chance to fix bugs before the bad guys use them.
Bash/Shellshock kinda proves that premise incorrect, although it's
pretty much the worst-case example, but still... ;)
Announced in 2014, it goes back to September 1989 (according to a
Wikipedia article, so I'm not sure about that date's accuracy).
https://en.wikipedia.org/wiki/Shellshock_(software_bug)
https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
https://www.cvedetails.com/product/17/IBM-AIX.html?vendor_id=14
https://www.cvedetails.com/product/20/HP-Hp-ux.html?vendor_id=10
https://www.cvedetails.com/product/19755/Oracle-Solaris.html?vendor_id=93
It could be argued that the above CVE results are either under-reported
(closed-source), or over-reported (open-source). Or vice-versa ;)
ak