Secure phone app library vulnerable

Users of a number of telephone apps need to upgrade after a security researcher published research identifying serious vulnerabilities in ZRTPCPP, a core security library. As ThreatPost notes, the compromised library counts PGP luminary Phil Zimmermann's Silent Circle secure comms application among its users. Researcher Mark …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Usual crappy open source coding quality - that because the source code is available - anyone could have found these vulnerabilities in and kept them to themselves to exploit....

0
1
Bronze badge

Why does that statement make no sense? Because the source code is available someone did find a vulnerability and published it. Compared to say, a proprietary program with no available code, where that might take months to years.

Plus, security through obscurity simply doesn't work.

2
0
Anonymous Coward

anyone could have found these vulnerabilities in and kept them to themselves to exploit....

Yup, but at least you stand a chance that someone picks it up (QED). The only thing that tends to be of lesser quality in open source secure phone apps is the codecs - in my experience, the commercial ones are simply better able to cope with less than perfect throughput conditions (I've reviewed numerous ones before we contracted the one we're using now).

0
0
Anonymous Coward

Yes, but...

Does anyone else find it surprising that the folks producing Silent Circle wouldn't be auditing a key library used to ensure the security of their product? Why aren't they the ones finding these bugs?

Sure makes you question the overall security of their product/process when well-known bug types like buffer overflows are getting through unnoticed.

0
0
Anonymous Coward

Re: Yes, but...

Start with the basic knowledge that Silent Circle has *US* headquarters...

1
0