The open source Berkeley Software Distribution (BSD) versions of UNIX suffer from a lack of eyeballs on their code, and that hurts their security, Ilja van Sprundel, director of penetration testing at IOActive, told an audience at 34c3 in Leipzig, Germany at the end of December.
Van Sprundel says he easily found around 115 kernel bugs across the three BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 for NetBSD. Many of these bugs he called “low-hanging fruit.” He promptly reported all the bugs, but six months later, at the time of his talk, many remained unpatched.
“By and large, most security flaws in the Linux kernel don’t have a long lifetime. They get found pretty fast,” Van Sprundel says. “On the BSD side, that isn’t always true. I found a bunch of bugs that have been around a very long time.” Many of them have been present in the code for a decade or more.