With the September 24th revelation of the bash bug dubbed “Shellshock”, the question becomes: have we turned a corner, so that open source software now costs more to maintain than proprietary products like Microsoft’s? The last two headline-inducing vulnerabilities to be announced were both in software developed by the open source community, software that many organizations use because it is embedded in Linux variants.
Heartbleed was a vulnerability in OpenSSL that affected just about any server running Apache with HTTPS enabled. The exploit exposed chunks of the server’s memory, which could include the encryption key and other vital data. It also affected countless other applications built on the open source OpenSSL libraries.
Shellshock is the latest vulnerability to create massive headlines. It is caused by a flaw in the bash shell, which is found in just about all Linux versions, Apple products, Android products and embedded devices. It can allow attackers to execute commands on the affected device and take control of it. Once again, in the first 48 hours the primary target has been Apache web servers with older cgi-bin shell scripts that allow attackers to run these commands remotely.
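Because CGI copies request headers into environment variables before the script runs, a Shellshock probe against a cgi-bin script usually shows up verbatim in the web server’s access log. The following defender-side check is an added example, not part of the original post: it scans constructed Apache combined-format log lines for quoted header fields that begin with the bash function-definition marker, and it deliberately ignores the marker when it appears mid-string, since vulnerable bash only acted on values that started with it.

```python
import re

# Vulnerable bash treated any environment variable whose value *began* with "() {"
# as an exported function definition and executed what followed the closing brace.
TRIGGER = re.compile(r"^\s*\(\)\s*\{")

# Quoted fields in an Apache combined log line: request, referer, user-agent.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample log lines (hosts, paths and timestamps are illustrative only).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.9 - - [25/Sep/2014:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 500 0 "() {:;}; echo probe" "curl/7.37.0"',
    '192.0.2.77 - - [25/Sep/2014:10:04:15 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 () {compatible}"',
]


def flagged_fields(line):
    """Return the quoted fields of one log line whose value starts with the trigger."""
    return [field for field in QUOTED.findall(line) if TRIGGER.match(field)]


def find_shellshock_probes(lines):
    """Return one record per log line that carries the trigger in a logged header field.

    Only headers the server actually logs (Referer, User-Agent) can be seen here;
    a probe sent in an unlogged header such as Cookie needs request-level logging.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        fields = flagged_fields(line)
        if fields:
            hits.append({
                "line": number,
                "source": line.split(" ", 1)[0],      # client address
                "cgi": "/cgi-bin/" in line,           # did it aim at a CGI script?
                "fields": fields,                     # the offending header values
            })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['source']} cgi={hit['cgi']} fields={hit['fields']}")
```

Lines 1 and 3 are reported; line 4 is not, because the marker does not start the User-Agent value.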
Meanwhile Microsoft, the company that used to be the butt of every bad security joke (except the ones about Java and Adobe), has been steadily working to improve its products and their security. Judging by the lack of headlines, it seems to be working. Even though the Microsoft user base is in general less technically inclined and far larger than that of most other platforms, we have heard surprisingly little about new major worms or attacks. In fact, it seems most attackers have moved on to the more fruitful and lucrative tactics of phishing and ransomware.
From a corporate IT perspective, considering maintenance and patching of the server, the Microsoft solution continues to be the platform of choice, and that decision is only made easier by these headlines. With streamlined workflows, System Center auditing and unified patch management, and a decreasing number of critical headline-inducing vulnerabilities, the total cost of ownership of the entire solution is being driven down relative to an open source solution.
Since these latest vulnerabilities sat unnoticed in open source code for years, there is sure to be a new focus on vulnerabilities in basic Linux processes. The time between introduction and detection suggests that many more are lurking, discovered or not. The question of which platform to invest in becomes more than a comparison of upfront costs, because free is not really free, and security by virtue of being open source is not a defensible argument.
If you are interested in having a conversation around this or other security topics, the engineers at Chi Corporation would be happy to listen and help you determine what the right fit is for your company. Chi is a Microsoft Silver partner and VMware partner that has experience in system integration. We understand that every business has a different set of pre-existing configurations and future needs. Solutions must be designed that are right for each specific business, and our focus is to help you find the solution that is right for you.
Ben Parker
Sales and Implementation Engineer
Chi Corporation
Twitter: @benparker82