Most commercial software comes with obsolete open-source software

This isn’t much of a surprise for anyone who manually updates all the SSL libs scattered around the drive, or keeps up to date with the latest codec builds.

Generally speaking, dependency management is tricky business. We have services like WhiteSource that scan our dependencies for known vulnerable versions, but even when a vulnerability is discovered it can take a while for it to be replaced with a secure version.

Even when that happens, if the new version of the product requires a new payment, then the user might not upgrade.

In thinking about this (having not yet read the linked articles), I think obsolete software is only a problem if it has a way to DIRECTLY interact with the user or the outside world. So, for example, it has to display an image from the user’s content, and that image could be malicious and cause the program to misbehave. The lesson, then, as a software developer, is to absolutely limit unsanitized input (from the user or from the network) getting directly into borrowed code (code you didn’t personally write). That, and having a plan to maintain your code, and ultimately to inform the user when you’ve stopped maintaining it and it’s become a hazard to them.

Yes, but most of the software is internet-facing stuff, like SSL. That is its primary job, and if that has problems, like downgrade attacks or stack overflow problems, then these are critical elements.

I used to use Secunia PSI (another important free security tool taken away from the public) to scan my system regularly, as it would find various DLLs and EXEs I never thought to look for, because I didn’t know they were installed with something else.
I didn’t know I had Node.js or that it was outdated.
OpenSSL I know to look for, as it has been omnipresent in so many folders over the years.

Unlike the Amiga OS, other lesser OSs never seemed to grasp the idea of shared libs living in a Libs folder and reducing pointless replication.

Because Windows software often adds its own location to the PATH, that location becomes searchable without trying, so you could easily write a piece of software that uses old OpenSSL exploits and not supply it with the lib, and it will load the first one it finds in the ENV paths.

Few authors push a new build of their software when the crypto lib it uses gets an update. They wait until they have their own updates to push.

Even when the open-source code is still being maintained, it is all too common to see it ignored when an update of the main software happens.
A shining example of that is NCH Software. They produce front-ends for open-source code but reuse the same core components they first got, meaning they still supply brand-new commercial software with OpenSSL and the LAME encoder from 2005, and other equally crusty files.
Their support page of downloads for the components is like a walk through an old cover CD from a PC magazine.
Some of the projects use builds new enough that you can manually update the old files, but often they are so old you have to find the last supported build that the software will actually load. Bad news for the OpenSSL libs, as the last version of 0.9.x is exploitable, but not so bad for the codecs.

Trillian used to use its own update system to update the individual libs as and when new versions came online.
I don’t understand why this is not seen as the standard way to get updates.
Downloading huge distros just because a few components have changed is insanity, in my opinion. We used to see hotfixes as a fairly common thing in the days of modems and pay-as-you-go internet, so it is not a radical new idea.

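The kind of check the post above describes doing with Secunia PSI, written as an added example for this thread (it is not code from Secunia, NCH, Trillian or any project mentioned here): walk a list of PATH directories, pick out the file names OpenSSL has shipped under on Windows, read the "OpenSSL x.y.z" banner that every OpenSSL build embeds, rank the copies in the order a PATH search would reach them, and flag those below a minimum version. The three application folders, their DLL contents and the 1.1.1 floor are constructed sample data and an assumed policy, so the script runs offline; on a real machine you would pass `os.environ["PATH"].split(os.pathsep)` to `scan_path` instead.

```python
"""Rank the OpenSSL library copies reachable through a PATH list by load order
and flag those below a minimum version. Added example for this thread, not
code from any project mentioned in it; the PATH layout and DLL contents are
constructed so it runs offline."""
import os
import re
import tempfile

# Names OpenSSL has shipped under on Windows: libeay32/ssleay32 for 0.9.x and
# 1.0.x, libcrypto-*/libssl-* for 1.1.x and later.
LIB_NAME_RE = re.compile(r"^(libeay32|ssleay32|libcrypto[-\w]*|libssl[-\w]*)\.dll$", re.I)
# Every OpenSSL build embeds a banner such as "OpenSSL 0.9.8zh 3 Dec 2015".
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Turn '1.0.2u' into a comparable tuple (1, 0, 2, 'u').
    Tuple ordering follows OpenSSL's scheme: 0.9.8zh < 1.0.2u < 1.1.1 < 1.1.1w."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def banner_version(path):
    """Read the embedded version banner from a library file, or None if absent."""
    with open(path, "rb") as f:
        m = BANNER_RE.search(f.read())
    return m.group(1).decode("ascii") if m else None


def scan_path(path_dirs):
    """List OpenSSL libraries found in path_dirs, in the order a PATH-based
    search would reach them (the first hit for a given file name wins)."""
    hits = []
    for order, d in enumerate(path_dirs):
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if LIB_NAME_RE.match(name):
                full = os.path.join(d, name)
                hits.append({"order": order, "path": full, "name": name.lower(),
                             "version": banner_version(full)})
    return hits


def first_loaded(hits, name):
    """The copy a PATH search resolves for a library name, or None."""
    for h in hits:
        if h["name"] == name.lower():
            return h
    return None


def obsolete(hits, minimum):
    """Copies older than `minimum` (assumed policy), plus any whose version
    could not be read, since an unknown version cannot be vouched for."""
    floor = parse_version(minimum)
    return [h for h in hits
            if h["version"] is None or parse_version(h["version"]) < floor]


def build_demo():
    """Constructed PATH: three application folders, each shipping its own
    OpenSSL copy (sample bytes, not real binaries). Returns the directory list."""
    root = tempfile.mkdtemp(prefix="sslscan_")
    layout = {
        "OldApp":   {"libeay32.dll": b"OpenSSL 0.9.8zh", "ssleay32.dll": b"OpenSSL 0.9.8zh",
                     "readme.txt": b"not a library"},
        "NewerApp": {"libeay32.dll": b"OpenSSL 1.0.2u"},
        "Modern":   {"libcrypto-1_1-x64.dll": b"OpenSSL 1.1.1w"},
    }
    dirs = []
    for folder, files in layout.items():
        d = os.path.join(root, folder)
        os.mkdir(d)
        for fname, banner in files.items():
            with open(os.path.join(d, fname), "wb") as f:
                f.write(b"MZ" + b"\x00" * 64 + banner + b"\x00" * 16)  # fake PE padding
        dirs.append(d)
    return dirs


if __name__ == "__main__":
    hits = scan_path(build_demo())
    for h in hits:
        print(h["order"], h["version"], h["path"])
    chosen = first_loaded(hits, "libeay32.dll")
    print("libeay32.dll resolves to:", chosen["version"], chosen["path"])
    for h in obsolete(hits, "1.1.1"):
        print("below 1.1.1:", h["path"])
```

On the constructed layout, `libeay32.dll` resolves to the 0.9.8zh copy in the first folder even though a 1.0.2u copy sits later on the PATH, which is the "loads the first one it finds" problem the post describes. One caveat: the Windows loader consults the application's own directory and the system directories before it walks PATH, so a program that ships its own copy, or a system-installed copy, wins over anything this ranking shows; PATH order only decides among libraries that are not found earlier.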

There’s nothing wrong with borrowing code, quite the opposite when it’s good. But you have to do it right and maintain it properly, either by fixing it yourself or by relying on the third party’s updates, which, unfortunately, might break your product.

It’s not easy. However, if you’ve decided this is the way to go, you need to consider all the costs, unless all you want to do is save money and time by neglecting the included code base. Well, it will backfire sooner or later. And I doubt you’d communicate that fact to your users.