To explore the response to the recently-disclosed Git security vulnerability (which we wrote about here) and to provide some context for it in a world of imperfect code, The New Stack Founder Alex Williams called upon Tal Klein of Adallom and Bryan Helmkamp, CEO and Founder of Code Climate, for this episode of The New Stack Analysts.

Bryan refreshes us on the nature of the Git vulnerability: “It allows an attacker who has control of a Git repository to execute arbitrary code on the client machine of anybody connecting to that Git repository with a vulnerable version of the Git client.”

Tal is not at all surprised by this news: “Vulnerabilities are going to happen; there’s no such thing as perfect code,” he says. “Git was another popular attack vector for the Shellshock vulnerability,” says Tal, describing Git as the perfect candidate through which to attempt to obtain privileges to escalation. “It’s actually the second scenario in which Git itself becomes an attack vector,” he says.

Most importantly, this vulnerability appears to have been discovered before it could be exploited in the wild. “I’m always relieved when the CVE is published by researchers rather than after a breach,” says Tal, meaning the good guys got to it first.

Bryan agrees on the importance of this up-side. “GitHub actually ran some analysis of all of the source code repositories that they host, and my understanding of their conclusion was that they have no evidence of any malicious Git repositories on GitHub at this time, and they've also added protections so that nobody could plant a malicious repository on GitHub,” says Bryan, calling this a good indication that the problem was identified and that fixes could be implemented before exploits resulted.

Alex asks, “What are the sources of these vulnerabilities? Are these just gaps that no one has ever seen before, or are they gaps that are created?”

“In this case, it was effectively an interaction between two behaviors: the behavior of the Git program, and the behavior of case-insensitive file systems,” says Bryan. “Most Linux developers,” Bryan continues, “use case-sensitive file systems. However, most Macs and many Windows machines do use case-insensitive file systems.”

“The vulnerability may be much less obvious to somebody who’s developing on Linux, and that is the primary operating system used by the Git core team. But there’s subtle behavioral interplay between the underlying file system and the program itself.”

Bryan expects to see a string of follow-on, ripple disclosures and patches. “I usually recommend people keep their ear pretty close to the ground for a few weeks after something like this for any additional patches.”

Alex then asks Tal to provide Adallom’s perspective on the science of vulnerabilities.

“It’s important work,” says Tal. “I think GitHub should reward their researcher who discovered this. I think they've done a great service to the community. We’re very supportive of it and we think that this needs to be a standardized process where people should not only feel supported by the community to reveal these kind of things, but are actually financially rewarded for doing so.”

“It’s better when a zero-day stops being a zero-day as a result of research rather than as a result of threat actors,” says Tal. “This is the system at work. From our perspective, the more people pay attention to the underlying behavior of code, especially code that’s so vastly popular and utilized, the healthier everybody is.”