Usual crappy open source coding quality - that's because the source code is available - anyone could have found these vulnerabilities in and kept them to themselves to exploit....
Secure phone app library vulnerable
Users of a number of telephone apps need to upgrade, with a security researcher publishing research identifying serious vulnerabilities in ZRTPCPP, a core security library. As ThreatPost notes, the compromised library counts PGP luminary Phil Zimmermann's SilentCircle secure comms application among its users. Researcher Mark …
Monday 1st July 2013 08:52 GMT Anonymous Coward
anyone could have found these vulnerabilities in and kept them to themselves to exploit....
Yup, but at least you stand a chance that someone picks it up (QED). The only thing that tends to be of lesser quality in open source secure phone apps is the codecs - in my experience, the commercial ones are simply better able to cope with less than perfect throughput conditions (I've reviewed numerous ones before we contracted the one we're using now).
Monday 1st July 2013 13:23 GMT Anonymous Coward
Yes, but...
Does anyone else find it surprising that the folks producing Silent Circle wouldn't be auditing a key library used to ensure the security of their product? Why aren't they the ones finding these bugs?
Sure makes you question the overall security of their product/process when well-known bug types like buffer overflows are getting through unnoticed.