Open Source is NOT Bug Free

November 10, 2017 CyberCecurity Leave a comment

Linux

There are those in the open source software fan world that suggest that open source (and typically free) software is best because since the source code is available, people can look for bugs and fix them, resulting is bug free software.

The reality is not quite so simple.

While this statement is technically true, it is not true in practice. Time and time again we run into very popular open source software with bugs – software like Open SSL which is installed on millions of computers.

That also does not mean that open source software is bad or overly buggy. It just means that it is software and all software needs to be validated.

AND, it also means that even if software is tested, it is not bug free.

OK, with that preamble, what are we dealing with today?

Google has an internal hacking team called Project Zero and they try to hack all kinds of software – including but not limited to Google’s own software. This week team member Andrey Konovalov was playing with the USB drivers in the Linux kernel.

When someone mentions the words BUG and KERNEL in the same sentence, it should get your attention. The kernel is the most privileged and most sensitive part of any operating system.

Andrey identified 14 bugs in the USB drivers that have been assigned bug ID numbers so far. He has also requested another 7 numbers for additional vulnerabilities that he has identified. On top of this, he says there are probably another 20 that have not been fully researched yet. That puts the number of likely bugs in a very sensitive part of the Linux OS at around 40.

And remember, this is just in one part of the operating system.

So the next time someone tells you that open source means bug free, you can pull out a copy of this post.

Also, it is important to remember that Linux is an INCREDIBLY popular piece of open source software, used by hundreds of millions of people (It is the core of all Android phones). If it is not bug free, is it reasonable to think that some other piece of open source software used by 10s of people IS bug free? I don’t think so.

So, like with everything else, Caveat Emptor is appropriate response.

Information for this post came from Bleeping Computer and The Register.