SCO Issues OpenSSL Patch, 10 Months Late

While The SCO Group has become famed for its Linux-related lawsuits, its corporate motto continues to be "The Power of Unix," but SCO customers might be forgiven for thinking that it should be "The Power of Unpatched Unix."

On Thursday SCO issued a security advisory announcing the release of UnixWare patches for flaws in OpenSSL that could leave secure servers open to denial of service attacks. The only problem is that the flaw was made public more than 10 months ago.

OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, and is used in many security products. The flaw in OpenSSL was announced on March 17 of last year. That same day, security updates were released by Unix vendors OpenBSD and FreeBSD and most Linux distributions, including Red Hat, SUSE, Slackware, Mandrake and Gentoo, among others.

While it touts the inclusion of OpenSSL as part of UnixWare's "enhanced security services," SCO didn't address the denial of service issue until the release of UnixWare 7.1.4 on June 15, nearly three months later. No patches were issued for earlier versions of the software. Apparently not all UnixWare customers have upgraded to 7.1.4, leading to Thursday's release of the belated patches for UnixWare 7.1.3 and 7.1.1.

The lapse didn't present any widespread security threat, due to the limited use of SCO's software on secure sites: our January Secure Server Survey found only 70 SSL-enabled sites running on SCO Unix. The availability of patches doesn't always lead to prompt upgrades; indeed, SSL security vulnerabilities have previously remained unpatched on many sites for a long time after fixes were available.

The Netcraft Secure Server Survey provides detailed information about encrypted transactions and e-commerce, including the growth rate for SSL-enabled sites, and which operating systems, server software and certificates are most widely used on these sites.