Proprietary Insecurity


Nonfree (proprietary) software is very often malware (designed to mistreat the user). Nonfree software is controlled by its developers, which puts them in a position of power over the users; that is the basic injustice. The developers and manufacturers often exercise that power to the detriment of the users they ought to serve.

This typically takes the form of malicious functionalities.


This page lists clearly established cases of insecurity in proprietary software that have grave consequences or are otherwise noteworthy. Even though most of these security flaws are unintentional, and thus are not malicious functionalities in a strict sense, we report them to show that proprietary software is not as secure as mainstream media may say.

This doesn't imply that free software is immune to bugs or insecurities. The difference between free and proprietary software in this respect is the handling of the bugs: free software users are able to study the program and/or fix the bugs they find, often in communities, since they are able to share the program, while proprietary program users are forced to rely on the program's developer for fixes.

If the developer does not care to fix the problem — often the case for embedded software and old releases — the users are sunk. But if the developer does send a corrected version, it may contain new malicious functionalities as well as bug fixes.

If you know of an example that ought to be in this page but isn't here, please write to <webmasters@gnu.org> to inform us. Please include the URL of a trustworthy reference or two to serve as specific substantiation.

UEFI-induced vulnerability

UEFI makes computers vulnerable to advanced persistent threats that are almost impossible to detect once installed. Here are technical details.

Kaspersky discovered this example by chance, but is unable to check in general for the presence of such rootkits in computers.

Nonfree software does not make your computer secure—it does the opposite: it prevents you from trying to secure it. UEFI is a nonfree program required for booting which is impossible to replace; in effect, a low-level rootkit. All the things that Intel has done to make its power over you secure against you also protect UEFI-level rootkits against you.

Instead of allowing Intel, AMD, Apple and perhaps ARM to impose security through tyranny, we should legislate to require them to allow users to install their choice of startup software, and to make available the information needed to develop such software. Think of this as right-to-repair at the initialization stage.