I know it's not quite that simple but isn't OpenSSL exactly an example of how a bug in open source software was found and fixed? Of course it took a while and the software was already extremely widely used at that point but bugs happen and at least it's not just lying around unfixed. I can't remember bugs in closed software getting the same kind of exposure.
the typical buffer overflow would have been caught by OpenBSD's protective malloc.
> [...] OpenSSL adds a wrapper around malloc & free so that the library will cache memory on its own, and not free it to the protective malloc. [...] So then a bug shows up which leaks the content of memory mishandled by that layer. [...]
I don't think the vulnerability was in malloced memory, it was some buffer on the stack. I've actually patched OpenSSL to stop Heartbleed as an exercise and iirc the fix was in fact just preventing a typical buffer overflow.
I've always thought of buffer overflow as writing beyond the intended bounds of the buffer.
Heartbleed is reading beyond the intended bounds remotely. I don't think there were similar attacks beforehand, but I could be wrong. I only have a base level knowledge here.
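The over-read described in the comments above, shown as an added example rather than code from the thread or from OpenSSL: a hypothetical heartbeat-like record (one type byte, a two-byte big-endian payload length, then the payload) is parsed once by trusting the peer-supplied length and once by checking that length against the number of bytes actually received, which is the shape of the published fix. The record and the "secret" bytes next to it are constructed test data placed in one arena so the unchecked copy stays within allocated memory and the demonstration is well defined.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 64

/* Constructed arena: a received record followed by unrelated "secret" bytes
 * that happen to sit next to it in memory (hypothetical layout for the demo). */
static unsigned char arena[ARENA_SIZE];

static void build_arena(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 0x01;                             /* request type */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, "hi", 2);                  /* real payload: 2 bytes */
    memcpy(arena + 5, "SECRETKEY", 9);           /* adjacent data, not part of the record */
}

/* Vulnerable shape: trusts the length field in the message. Returns bytes echoed. */
static size_t echo_unchecked(const unsigned char *rec, unsigned char *out, size_t out_cap) {
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    if (plen > out_cap) plen = (uint16_t)out_cap; /* protects only the output buffer */
    memcpy(out, rec + 3, plen);                   /* reads past the real payload */
    return plen;
}

/* Hardened shape: the claimed length must fit in the bytes actually received.
 * Returns the echoed length, or -1 when the record is rejected. */
static long echo_checked(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return -1;                   /* header alone is incomplete */
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)plen > rec_len - 3) return -1;    /* claims more than was sent */
    if (plen > out_cap) return -1;
    memcpy(out, rec + 3, plen);
    return plen;
}

/* Does the unchecked echo return the adjacent secret bytes? (1 = yes) */
static int unchecked_leaks_secret(void) {
    unsigned char out[ARENA_SIZE];
    build_arena(11);                              /* carries 2 bytes, claims 11 */
    size_t n = echo_unchecked(arena, out, sizeof out);
    return n == 11 && memcmp(out + 2, "SECRETKEY", 9) == 0;
}

/* Does the checked echo reject the same record? (1 = yes) */
static int checked_rejects(void) {
    unsigned char out[ARENA_SIZE];
    build_arena(11);
    return echo_checked(arena, 5, out, sizeof out) == -1;
}

/* Does the checked echo still serve an honest record? (1 = yes) */
static int checked_accepts_honest(void) {
    unsigned char out[ARENA_SIZE];
    build_arena(2);
    return echo_checked(arena, 5, out, sizeof out) == 2 && memcmp(out, "hi", 2) == 0;
}

int main(void) {
    printf("unchecked echo leaks adjacent bytes: %s\n", unchecked_leaks_secret() ? "yes" : "no");
    printf("checked echo rejects bad length:     %s\n", checked_rejects() ? "yes" : "no");
    printf("checked echo accepts honest length:  %s\n", checked_accepts_honest() ? "yes" : "no");
    return 0;
}
```

The point the example makes is the one raised above: nothing is written out of bounds, so write-side defenses (canaries, a protective malloc guarding the destination) have nothing to catch; the defect is a read whose length comes from the peer, and the check that matters is the one comparing that length with the bytes that were really received.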
Plus, many companies, Microsoft included, open up their source code to partners.
The openness of source code has little correlation to its security.