Experts from Rostelecom- Solar conducted a study of the security of popular user applications with open source code for PCs. An analysis of 10 open-source programs showed that a number of discovered vulnerabilities, if successfully exploited by cybercriminals, open access to all user data stored on computers in unencrypted form. At the same time, the vast majority of people do not encrypt their data on a PC.
The open source software market is booming. Since 2014, the community has seen an annual intensive influx of participants: in 2019 alone, more than 1.3 million new authors joined the open source community. Since 2018, global IT giants like Microsoft have stopped fighting open source software and have begun to contribute to the development of the industry. According to forecasts of world experts, by the end of 2021, the volume of use of open source products in companies will grow by 77% compared to the same period of the current year.
open source vulnerabilities
Due to the growing popularity of open source applications in both corporate and consumer environments, Rostelecom-Solar specialists decided to test the security level of the most popular free software for PCs in the most popular categories using the Solar appScreener tool . Applications were selected in the categories “browsers”, “office suites”, “graphic editors”, “text editors”, “data recovery programs”, “diagram editors”, “programs for advanced search for files and folders in Windows”, “programs for cleaning computer “and” video game emulators “. Thus, the research involved the applications Brave browser, LibreOffice, Krita, Notepad ++, TestDisk & PhotoRec, GIMP, Dia, Search Everything, BleachBit and RetroArch.
According to the results of automated scanning, TestDisk & PhotoRec data recovery software is the leader in the security rating of open source PC applications. It does not contain critical vulnerabilities in the code and at the same time has the minimum number of average-level vulnerabilities among all the applications studied. A slightly larger number of medium-severity vulnerabilities are contained in the free analogue of Adobe Photoshop – the GIMP application. Solar appScreener rated the security level of both programs at 4.2 points.
The unexpectedly weak results – 1.3 points out of 5.0 – were demonstrated by the popular open source browser Brave Browser, which as of June 2020 has 15 million monthly users and up to 5 million daily users. In the scanned browser kernel, critical vulnerabilities in the code are encountered 15 times, which exceeds the maximum allowable indicator of 5 units, so as not to fall below the market average overall level of security. This circumstance does not allow us to consider this application safe for use.
However, the popular open source PC video game emulator RetroArch has the lowest security scores (0.8 points out of 5.0). The program has the largest number of occurrences of critical vulnerabilities.
“The studied free software is characterized by such serious flaws as empty encryption keys specified in the source code, empty passwords, and explicitly specified confidential data. These vulnerabilities pose a serious threat to user data on the computers on which the software is installed. In general, the test results clearly demonstrate which applications are actively using parts of the code borrowed from third-party libraries, and which programs are written by developers as much as possible on their own. In the latter case, the number of vulnerabilities and NDVs in the code is noticeably lower, and, accordingly, the security of user data to which the application has access is higher, ”said Daniil Chernov, director of the Rostelecom-Solar software security solutions center.
The analysis services were selected according to the positions in the survey “ 11 best open source software in 2020 ”, as well as based on the number of downloads of mobile versions of these applications in Google Play and the App Store. In their research, Rostelecom-Solar experts included 10 applications out of 11 presented in this review, bypassing the Stud.io program for creating digital Lego models due to the specificity of its use by a narrow audience.
Application code security analysis was carried out automatically using Solar appScreener, a Russian software product for checking application security. The solution uses methods of static, dynamic and interactive analysis.