Open source renders patching a problem

Mike Mullins

Published: 17 Nov 2005 12:10 GMT

According to Internet services company Netcraft's latest poll, open source Web sites dominate the Web site market. The November 2005 survey found that Apache Web servers run on 70 percent of all Web sites. In addition, almost every reputable site that asks you for any personal information will do so using the Secure Sockets Layer (SSL) protocol.

The overwhelming number of open source Web sites and the widespread use of OpenSSL to secure connections create a tremendous problem when vulnerabilities emerge. For example, in October 2005, the OpenSSL.org Project released a patch to fix a vulnerability in all previously released versions of OpenSSL (i.e., everything earlier than 0.9.7h and 0.9.8a, the releases that carry the fix). For more details about this vulnerability, see the Secunia advisory.

The vulnerability stems from the SSL_OP_MSIE_SSLV2_RSA_PADDING configuration option, and the widely used SSL_OP_ALL option turns that option on by default.

The SSL_OP_MSIE_SSLV2_RSA_PADDING option is a common configuration workaround that disables a verification step in the SSL 2.0 server. That step is what prevents active protocol-version rollback attacks: with it in place, an attacker acting as a "man in the middle" can't force a client and server to negotiate the SSL 2.0 protocol, even when both parties support SSL 3.0 or TLS 1.0. The protection is intentional, because of previously discovered cryptographic weaknesses in SSL 2.0.

This workaround's original purpose was to address interoperability issues between Web servers and the secure applications they serve. This is a classic case of two open source vendors trying to support every conceivable function that a Webmaster might enable on a Web site.

However, in this case, the lack of any application standards has led to a vulnerability that affects roughly three-quarters of all Web sites and comes preinstalled on Red Hat Linux. The OpenSSL Project has published a new version to address this issue and recommends immediate deployment. A patch is also available for those sites that can't upgrade due to interoperability problems with served applications.

While the issue of a newly discovered vulnerability that affects a large percentage of the computers running on the Internet has become quite common, the problem goes much deeper. One of the most persistent problems with software is patch management — and the larger the enterprise, the larger the problem.

Microsoft has taken steps to address this issue with its Automatic Updates service. In my opinion, the software company has done a good job of notifying users of available patches and updates.

On the other hand, the open source community continues to struggle with developing an integrated patch management solution. Most administrators have little time to check for patches or read vulnerability notices — if they've even signed up to receive them. That's why it's essential to know exactly what you've deployed on your systems and to check regularly for updates for that software.
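As an added example (not part of Mullins' column), here is a small POSIX shell check that turns that advice into something an administrator can run against the OpenSSL release on a host, using the fixed versions the column cites. The function names, the version-string parsing and the sample `openssl version` line are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the column: is an OpenSSL version string at or above the
# fixed release the column names for its branch? Assumes 0.9.x letter-suffix numbering.
# Turn "0.9.7g" into "0.9.7.7": the letter suffix becomes a number (none = 0).
openssl_version_key() {
    ver=$1
    base=${ver%%[a-z]*}             # digits and dots before the letter suffix
    suffix=${ver#"$base"}           # the letter suffix, possibly empty
    letters=abcdefghijklmnopqrstuvwxyz
    n=0
    while [ -n "$suffix" ]; do
        c=${suffix%"${suffix#?}"}   # first remaining character
        suffix=${suffix#?}
        rest=${letters#*"$c"}       # letters after c, so a -> 1 ... z -> 26
        n=$((n * 26 + 26 - ${#rest}))
    done
    printf '%s.%d\n' "$base" "$n"
}

# Compare two dotted numeric keys field by field; prints -1, 0 or 1.
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Accepts a bare version ("0.9.7g") or the line `openssl version` prints
# ("OpenSSL 0.9.7g ...", a constructed sample). Exit status: 0 = fixed release
# or later, 1 = still affected, 2 = a branch this check does not cover.
openssl_is_fixed() {
    case $1 in OpenSSL*) set -- $1; ver=$2 ;; *) ver=$1 ;; esac
    case $ver in                    # first fixed release per branch, from the column
        0.9.7*) fixed=0.9.7h ;;
        0.9.8*) fixed=0.9.8a ;;
        *)      return 2 ;;
    esac
    r=$(version_cmp "$(openssl_version_key "$ver")" "$(openssl_version_key "$fixed")")
    [ "$r" -ge 0 ]
}
# Check the binary on this host, if any (a modern OpenSSL reports status 2 here).
if command -v openssl >/dev/null 2>&1; then
    rc=0; openssl_is_fixed "$(openssl version)" || rc=$?
    echo "$(openssl version): status $rc"
fi
```

The same key/compare functions extend to any later branch by adding a line to the `case` with that branch's first fixed release.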

Final thoughts
Before you start posting angry comments in this article's discussion, let me stress that I am not advocating dumping open source in favour of Microsoft. Rather, I am campaigning for the open source market to address the problem of patch management and to integrate third-party software into its solution.

If you run a system that connects to the Internet, it's imperative that you know what software is on that system — and keep it up to date. If you don't patch the holes in your system, it's only a matter of time before someone else exploits them.
