SAN FRANCISCO, May 2 /PRNewswire/ -- Coverity, Inc., makers of the
world's most advanced and scalable source code analysis solution, today
announced that as a result of their contract with US Department of Homeland
Security (DHS), the biggest X Window System security vulnerability of the
last six years was identified and fixed.
Using Coverity Prevent, developers tracked down a critical security
vulnerability in the X Window System, a graphical interface used in
millions of computers, including most UNIX and Linux systems. The X Window
System also ships as an optional GUI with Macintosh computers from Apple.
According to Daniel Stone, a release manager for the X.Org Foundation,
the vulnerability was one of the most significant vulnerabilities
discovered in recent memory, "something that we find once every three to
six years and is very close to X's worst case scenarios in terms of
security. Coverity exposed vulnerabilities in our code that likely wouldn't
have been spotted with human eyes. Its attention to subtle detail
throughout the entire codebase -- even parts you wouldn't normally examine
manually -- makes it a very valuable tool in checking your codebase, and
has been of definite benefit to X.Org."
The vulnerability was found in versions X11R6.9.0 and X11R7.0.0 during
a security analysis of 31 major open source projects that Coverity
undertook as part of a DHS initiative. This pair of X Window System
versions marked a major milestone when released in December of 2005, as
they were the first major updates to the X Window System in more than a
decade. After the X.Org development team received the results of the
analysis, the vulnerability was fixed within a week. The security hole
resulted from a missing parenthesis on a small piece of the program that
checked the ID of the user. This flaw, caused by something as seemingly
harmless as a missing closing parenthesis, allowed local users to execute
code with root privileges, giving them the ability to overwrite system
files or initiate denial of service attacks.
"Coverity Prevent is designed to help computer programmers
automatically detect and remove software defects such as security
vulnerabilities as the software is being built," said Ben Chelf, CTO of
Coverity. "We've implemented a system to analyze the X Window System on a
continuous basis to help prevent new defects from entering into the
project. In my experience, the X.Org team responded to defects extremely
quickly to make their high quality software even better."
Coverity (www.coverity.com), makers of the world's most advanced and
scalable source code analysis solution for pinpointing software defects and
security vulnerabilities, is a privately-held company headquartered in San
Francisco. Coverity was founded in 2002 by leading Stanford University
computer scientists whose four-year research project resulted in a
breakthrough technique to address the costliest problem in the software
industry. That research breakthrough allows developers to quickly and
precisely eliminate software defects and security vulnerabilities in tens
of millions of lines of new or legacy code. Today, Coverity's solution is
used by more than 100 leading companies to significantly improve the
quality and security of their software, including Juniper Networks,
Symantec/VERITAS, McAfee, Synopsys, NASA, PalmOne, Sun Microsystems and
NOTE: Coverity is a registered trademark, and Coverity Extend and
Coverity Prevent are trademarks of Coverity, Inc. All other company and
product names are the property of their respective owners.
Page One PR for Coverity
Director, Corporate Marketing
SOURCE Coverity, Inc.