GHOST coding mistake: 5 reasons to take notice

When I hear about another software bug, I’m tempted to shrug.  Big deal.  Another bug in software.  It happens.
But there are some things about this coding mistake which are interesting:
 

1. This is a security bug, which can be exploited locally and remotely.  That’s interesting because modern OS protections like ASLR, NX, and safe malloc were supposed to limit the exploitation of this type of bug (a small heap buffer overflow).  (And those protections did succeed in making the finders work harder to write a working exploit.)

2. The bug is in a core library which is broadly used.  Which means countless machines could be affected.

3. The bug is in open source code.  For a time there was a group of folks that believed open source software was fundamentally more secure, when compared to closed source code.  After a number of big name bugs in open source like Heartbleed,  Shellshock, and now Ghost – I’d say we can finally put that theory to rest.

4. The finders took the time to give the bug a name, a logo, and plenty of press.  I’m not sure if this is good or bad.  Good, because the fix will hit quicker due to awareness.  Bad, because the potential exists that now only properly hyped bugs will receive due notice.  (This same effect can happen, btw, even inside closed software development programs, where only the bugs with proper manager awareness get attention.)

5. The bug is in a low level code (C language).  There will continue to be a need for high-performance components to be written in low level code, but everything else should be written in a memory safe(r) language where possible.  This should be commonly understood, but I’m not sure that it is.

 
At the end of the day, we see that software quality has improved.  And so have built in OS protections.  But the complexity of software, the dependence on library code, and the cost of a major security breach have all increased at an even greater rate.  Therefore we can expect a continued dependence on novel security products and services to help protect our computers.
 
 
Jared DeMott is a security researcher at Bromium Labs