Updated: May 26, 2010
Sometime last year, when an 8-year-old vulnerability was found in the Linux kernel, Microsoft fans were having a party. They called Linux insecure and whatnot, spewing fire and accusations left and right. Forget for a moment the fact it was only a local privilege escalation thingie, hardly something to fuss about it. It was a golden moment for any anti-Linux lobbyist worldwide.
Alas, the world of geeks is a cruel one. The tables turn before you can say Ivanov Ivanov Fardjev graph. Lo and behold, not that long ago, a 17-year old vulnerability was found in Windows. Yup. Not just mere eight years. We're talking almost two full decades. And to make it all that much sweeter, the vulnerability is as valid for Microsoft's latest darling Windows 7 as it is for the now extinct Windows 3.1. It was time for Linux geeks and anti-Microsoft fans to go wild with cruel glee.
I say, what not up the ante? Why not make it all more interesting? Well, what are you proposing, oh humble and wise Dedoimedo, you may ask. And I will tell you.
Let's declare a vulnerability contest!
The goal of the contest is not have the most secure, bug-free operating system. Far from it. Your aim is to have the operating system with a vulnerability that goes so far back you will need the original, pen-written blueprints just to be able to read the code.
The obvious choice is UNIX, since it has been around much before Windows or Linux. UNIX provides with a unique opportunity to go down into code originally written for PDP7. While the latest Microsoft vulnerability is really tough to be beat, we can still try.
For instance, we might want to go for 8-bit legacy, not just the ultra-modern 16-bit emulation. Or maybe 4-bit legacy. There ought to be bugs deep, deep down there somewhere. I'm disappointed that no one really looks.
So what do we do in the Contest?
Well, we look for vulnerabilities and score them, say once a month. Then, the operating system that has the oldest one wins the scorn and contempt of the rest of the community.
Let's be serious for a moment. Vulnerabilities will always be part of the software development. Only maybe the most basic programs like Hello World!, with no input or output could be foolproof, and even then, it's not forever.
The question is, how should one react to these findings. What does it mean? Should you be worried about century-old issues being dug up?
I answer thusly
I think these vulnerabilities are a good sign. First, they tell me that software companies take their work seriously. Backward compatibility is important. And while the average desktop jockey might not care what happened last month, think about big corporations, financial institutions, medical industry, military. Think about software development. Deep down, chip architecture goes back to first microprocessors. You cannot possibly change those without a major revolution. This is why DOS will still be relevant 10 years from now.
Then, there's the issue of true backward compatibility. You cannot expect antiqued missile systems, medical appliances or maybe titanic accounting software to just cut loose the decade of historical records and start afresh. It's simply impossible. No one dares do that.
Old vulnerabilities are bad from the development point of view, but they are good from the customer point of view. This means that customers can expect support for their old software, 10 or maybe 15 years from now, because money matters.
As to gloating ...
Ah yes! Fanboys on both sides must really be annoyed. At the moment, Linux fans are gaining the upper hand, after being severely snubbed the last summer. And they will probably win, because Windows legacy code is older than Linux.
But it really shows that the whole security thingie is overplayed. People spend so much time focusing on would be zero-day problems and issues, when fundamentally, little has changed in the past decade or two. The basic rules remain the same.
Relax and enjoy your operating system. There's no reason for panic, hasty decisions, doomsday declarations, switching over to other platforms, or anything alike. And enjoy the show, as more and more ancient bugs are found and dinosaur problems excavated.
This article has no dramatic punchline. It's just a lukewarm rant, with a cynical note over how tremendously overestimated the whole security scene is. It's a charade really. And it just proves that you really should not be wasting your brain cycles on worry, when you can enjoy yourself. Security is not something that can be solved, not while humans write code anyway.
But you can have a security strategy that eclipses all programming languages, interfaces and operating systems. And it will serve you well, whether you're working on a 64-bit machine or dabbling in 16-bit code.
Some articles that may interest you:
A few older ones:
Now, off you go, start debugging the PDP7 system calls. By the way, did it have any?