
Author Topic: Open Source Software Security  (Read 5229 times)

Charleybriz

  • Supporting Member
  • Joined in 2008
  • Posts: 6
Open Source Software Security
« on: March 24, 2008, 02:17 PM »
Hi all,
As a matter of curiosity, has anyone heard of, or been a victim of, malicious software introduced through use of open source software? Do the open source programmers introduce security into the applications? Recently I had my printer software corrupted in the registry. I run XP Pro. I have very good security software too. It took a lot of trial and error to find the culprit. Foxit PDF Reader was the vehicle, but I believe it was a PDF document itself that was opened through Foxit and not the application, but I am not positive. I have gone back to using "registered" bought software I had prior for now. So I await the response of the community. Thank you all.

Jimdoria

  • Charter Member
  • Joined in 2006
  • Posts: 257
Re: Open Source Software Security
« Reply #1 on: March 24, 2008, 03:07 PM »
It's hard to tell from this post exactly what happened to you. Your printer software experienced some registry corruption, and you think Foxit PDF reader is to blame? More to the point, you think Foxit intentionally introduced some bad agent into your system whose purpose was to cause this registry corruption?

I'd be interested to find out how you came to this conclusion. Registry corruption occurs all the time and for a variety of reasons. Generally there's no way to tell how it happened, so if you've found a way to audit registry changes and trace them to individual programs, that would be news in itself!  :)

If you think the damage was caused by a corrupt PDF opened in Foxit, I'd say that's more an issue of where you are getting your PDFs from than a Foxit problem. No software - commercial or open source - is immune to security holes. That's why Adobe and MS release so many patches, and release them so regularly. OSS does the same. The issue is more about keeping current on your applications and using common sense about downloading and opening files.

In some sense (theoretically) OSS should be more secure, because when security holes in OSS are found, they can be patched and released as quickly as the community finds out about them. Exploits in commercial software have to be reported, then the fix may wait for the marketing team and the legal team to weigh in, then it will be scoped into the development schedule and at some point - only if it's economically justifiable, of course - a patch might be issued. Or the decision might be made to roll the fix into the next scheduled release, still X months away and costing Y dollars for the upgrade.

But still - without knowing more it's hard to tell if your conclusions are correct: that this was a deliberate attack on your system, and that Foxit was really the vector for the attack.

P.S. - Printer vendors are not generally known for the high quality of their software. In my experience, printer software ranges from moderately OK to unbelievably awful. It's typically buggy, intrusive, and rude. Another reason I'd like to know more about the incident.
- Jimdoria ~@>@

There are two kinds of people in the world: Those who divide everybody into two kinds of people, and those who don't.
« Last Edit: March 24, 2008, 03:11 PM by Jimdoria »

Lashiec

  • Member
  • Joined in 2006
  • Posts: 2,374
Re: Open Source Software Security
« Reply #2 on: March 24, 2008, 07:48 PM »
BTW, Foxit is closed source, despite being free. I'd say that open source software is as secure as or more secure than its commercial counterparts; look no further than Firefox (if you don't compare it with IE, that is), and the most important enterprises in the world use OSS for their needs, ranging from typical consumer software to much more complex software like the Apache Web Server, MySQL or Linux itself.

Of course, people have suffered from malware while using open source software, but most of the time that happens because the usual defenses are not in place, including unpatched software, lack of practice with skeptical computing (first section), not having basic security software, etc. The same thing happens every day with closed source software.

housetier

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 1,321
Re: Open Source Software Security
« Reply #3 on: March 24, 2008, 08:11 PM »
I'd be interested in more details too: what was corrupted, how sure are you it was one program and not the other?

This is interesting :)

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: Open Source Software Security
« Reply #4 on: March 25, 2008, 09:07 AM »
Hm, I don't know if there have been exploits for Foxit Reader (or Sumatra, which is both freeware and open-source) - but Acrobat Reader has had security hole(s) that were exploitable by maliciously crafted .pdf files.

Whether open-source software is more or less secure than closed-source software is hard to answer, imho. One advantage is that once an exploit is publicly found, a patch can typically be released pretty fast (partially because the FOSS community doesn't do, or doesn't have to do, the same level of compatibility testing as some commercial vendors).

There's also the theoretical advantage that "because the code is there, everybody can audit it" - the problem is that this doesn't happen automatically, and exploitable bugs like the "Transfer-Encoding: chunked" Apache bug were, iirc, present for several years before being discovered (publicly...) and patched.

The openness of FOSS can also be a problem. Even though there are some interesting binary analysis tools available, it's easier to audit source code than executable files. If blackhats manage to find a relatively obscure bug and keep it to themselves, they have an attack vector that could go undetected for quite a while. And keep in mind that it's not just the big projects (which usually have code reviews) that can have interesting attack vectors.
- carpe noctem

cmpm

  • Charter Member
  • Joined in 2006
  • Posts: 2,026
Re: Open Source Software Security
« Reply #5 on: March 25, 2008, 10:20 AM »
Where the program is downloaded from makes a difference in security sometimes.
There are some sites I don't trust, though they have programs I do trust.

Ehtyar

  • Supporting Member
  • Joined in 2007
  • Posts: 1,237
Re: Open Source Software Security
« Reply #6 on: March 25, 2008, 03:25 PM »
Quote from: f0dder
Hm, I don't know if there have been exploits for Foxit Reader (or Sumatra, which is both freeware and open-source) - but Acrobat Reader has had security hole(s) that were exploitable by maliciously crafted .pdf files.

Presumably you're referring to the JavaScript exploit found last year, in which case no, Sumatra and Foxit were not found to be vulnerable.

Ehtyar.