Users of a number of telephone apps need to upgrade, with a security researcher publishing research identifying serious vulnerabilities in ZRTPCCP, a core security library. As ThreatPost notes, the compromised library counts PGP luminary Phil Zimmerman's SilentCircle secure comms application among its users. Researcher Mark …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Monday 1st July 2013 06:47 GMT Anonymous Coward

Usual crappy open source coding quality - that because the source code is available - anyone could have found these vulnerabilities in and kept them to themselves to exploit....

0 1
1. Monday 1st July 2013 07:41 GMT FrankAlphaXII
  
  Why does that statement make no sense? Because the source code is available someone did find a vulnerability and published it. Compared to say, a proprietary program with no available code, where that might take months to years.
  
  Plus, security through obscurity simply doesn't work.
  
  2 0
2. Monday 1st July 2013 08:52 GMT Anonymous Coward
  
  anyone could have found these vulnerabilities in and kept them to themselves to exploit....
  
  Yup, but at least you stand a chance that someone picks it up (QED). The only thing that tends to be of lesser quality in open source secure phone apps is the codecs - in my experience, the commercial ones are simply better able to cope with less than perfect throughput conditions (I've reviewed numerous ones before we contracted the one we're using now).
  
  0 0
Monday 1st July 2013 13:23 GMT Anonymous Coward

Yes, but...

Does anyone else find it surprising that the folks producing Silent Circle wouldn't be auditing a key library used to insure the security of their product? Why aren't they the ones finding these bugs?

Sure makes you question the overall security of their product/process when well-known bug types like buffer overflows are getting through unnoticed.

0 0
1. Monday 1st July 2013 14:02 GMT Anonymous Coward
  
  Re: Yes, but...
  
  Start with the basic knowledge that Silent Circle has *US* headquarters...
  
  1 0

This topic is closed for new posts.

Topics

Special Features

Vendor Voice

Resources

User topics

Article topics

User topics

Article topics

Secure phone app library vulnerable

COMMENTS

Yes, but...

Re: Yes, but...

Other stories you might like

Microsoft squashes SmartScreen security bypass bug exploited in the wild

Delinea Secret Server customers should apply latest patches

Ivanti commits to secure-by-design overhaul after vulnerability nightmare

US government excoriates Microsoft for 'avoidable errors' but keeps paying for its products

Nvidia's newborn ChatRTX bot patched for security bugs

OpenAI's GPT-4 can exploit real vulnerabilities by reading security advisories

CISA in a flap as Chirp smart door locks can be trivially unlocked remotely

Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways

Cisco creates architecture to improve security and sell you new switches

Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib

Exploit code for Palo Alto Networks zero-day now public

H-1B visa fraud alive and well amid efforts to crack down on abuse

About Us

Our Websites

Your Privacy